In December of 2016, the city of Detroit launched a program called Detroit ID, meant to provide those without a form of government identification with an option they could use to access critical resources and services. This program is now suspended, as there are concerns about data security and a data leak after its relaunch by a new vendor after a pandemic-induced pause.
Let’s consider the situation, and how the city has responded to it.
Detroit ID’s Vendor is Blamed with Leaking 8oo Residents’ Information (and Counting)
A bit of background may be helpful here. Back in December 2016, D-ID was launched to give those who might have some challenges obtaining a traditional form of identification—including homeless residents and undocumented immigrants—so that they could access some of the services and resources that they may need, including banking services, public education, and other services that the city offers. The program continued successfully up until the COVID pandemic, when it had to be put on pause.
Fast-forward to May of this year, and the program was relaunched with a new vendor, Mobility Capital Finance—AKA MoCaFi. However, this may have potentially been a mistake.
MoCaFi is now under investigation for allegedly sharing and selling personal information through the same clearinghouse that U.S. Immigration Customs and Enforcement utilizes. As a result, all of the aforementioned users of D-ID now have their information potentially exposed to third parties and are at serious risk of targeted enforcement. As for MoCaFi, it denies that it has sold any of this information to third parties, including government agencies and ICE.
Naturally, as the investigation continues, Detroit ID has been once again suspended, in the interests of providing a means of identification that is both useful and private.
Despite the Bad Press It Could Generate, this Suspension is the Right Call
Data sharing is a hot topic right now, as companies and organizations have been put under increased scrutiny… and rightly so. In this modern day and age, data is one of the most valuable resources that one can possess. Regardless of any bad press that putting this program on pause may generate, taking the steps to protect users and their data will be worthwhile.
It is also important that this process remains transparent going forward.
What If Your Business Suffers a Breach?
According to Michigan law, any significant access and/or acquisition of data requires a notification to be sent out to those whose data was breached—and if the breach is significant enough, to notify consumer reporting agencies—promptly, or “without unreasonable delay.” This doesn’t apply to businesses covered under other stringent laws, like entities covered under the Health Insurance Portability and Accountability Act—but those laws’ requirements are more or less the same.
Your first step should be to identify and cut off the access the breach took advantage of, closely followed by notifying all those who may have been affected by the breach. Will this be a fun process? Absolutely not… but it is one you will need to carry out.
We Can Help You Keep Your Business’ Data Safe, So You Don’t Need to Make this Kind of Notification
Reach out to us to learn more about our cybersecurity services, and how they can help prevent the circumstances that would make these steps necessary. Give us a call at 248.545.0800 to learn more.