No amount of money and preparation will prevent personal data held by the state becoming public, government information officials said at a legislative briefing Tuesday.

But the University of Hawaii System, which recently suffered breaches affecting tens of thousands of students, said it is committed to launching a $1.9 million initiative for better security at all 10 of its campuses.

And the state is examining options to improve its own security. A question raised Tuesday was whether each agency should find its own solution or the state should develop a unified approach to the problem.

The Hawaii Senate Committee on Economic Development and Technology and the Committee on Education held the informational briefing in response to the recent security breaches at UH.

Cost of Security at UH

It will cost the university at least $1.9 million just to launch a new information security system for all of its campuses, and another $764,000 per year to maintain it, said David Lassner, chief information officer and vice president for Information Technology at UH. The system currently spends about $20 million per year on information technology.

He emphasized that although the price sounds steep and financial times are tough, the university system is committed to improving the way it handles personal information of students and faculty. He said it must be a collaborative effort among all 10 campuses. Together they handle information on more than 600 web servers.

“We need to be able to use this information, but we need to protect it in a way that is commensurate with its sensitivity,” Lassner told the senators.

But he cautioned legislators that no amount of money and preparation will guarantee 100 percent information security. Some breaches are internal mistakes — as with the one recently discovered, in which a researcher accidentally publicly posted information he had received through the proper protocols more than a decade ago. The researcher thought he was posting to a private server, Lassner said.

Statewide Solutions Discussed

The joint panel also heard from Hawaii government officials who said the issue of protecting private information held by state agencies needs to be addressed at the statewide level.

“Safeguarding personal information handled by government agencies is absolutely necessary,” said Debra Gagne, head of the Information and Communication Services Division of the Department of Accounting and General Services.

Statistically, the majority of security breaches in 2010 were from unintentional disclosure or the physical loss of hardware like laptop computers and phones, she said — human errors that will never be completely eliminated. Gordon Bruce, director of the City and County of Honolulu’s Department of Information Technology, reaffirmed Gagne’s assertion.

The county has already spent more than $8 million on software security and on physically securing buildings in which residents’ personal information is stored, he said, and it has another $10 million to go before reaching the “90 percentile of comfort level.”

Security involves three types of infrastructure, he said: physical, cyber and human.

“The complexity of this issue is huge. It’s the thing that keeps me up late at night, and the biggest challenge is the people.”

Every day the county government receives 190,000 attacks on its system, he said — and most of them are from the inside.

“These attacks come in the form of e-mails, malware, trackware and adware,” he said. “It’s not intentional; employees are just bringing them in on their thumb drives and CDs. Policies and procedures are in place, but we always come back to the fact that it’s a people issue.”

Despite the challenge of eliminating human error, all those who gave testimony agreed that the state needs to act now on securing its residents’ private information in the information-driven technology era. There was some discussion at the briefing about whether to assign or create a department specifically for that purpose or to use third-party experts.

“Ultimately, I think it needs to be a partnership,” said state comptroller Bruce Coppa.
