The U.S.Government doesn’tknow what’sbecome of sensitiveinformation on itslaptop computers.
Agency Reports Loss Of More Than 1,100 Laptops Over 5 YearsBy Cliff MontgomeryA Commerce Department review has discovered that over the last five years more than a thousand laptops have ended up missing or stolen, with hundreds containing the personal information of American citizens.In response to both a congressional request and public inquiries, Commerce found that a whopping 1,137 laptops have been lost or stolen from among its 30,000-plus laptop computers, spread across the department’s 15 organizations.Of these, 249 contained personally identifiable information, with varying levels of security ranging from simple passwords to full encryption.A separate Commerce report stated that since 2003, 297 electronic devices containing sensitive personal information have been lost. This includes 217 laptops, 15 hand-held devices and 46 thumb drives.Commerce Secretary Carlos Gutierrez claims that even though the number of missing computers is high, the chance of data misuse is low.”While we know of no instances of personal information being improperly used, we regret each instance of lost material and believe the volume of lost equipment is unacceptable,” Gutierrez said.In rhetoric, Gutierrez’s argument is known as an “Argument from Ignorance” fallacy. It incorrectly assumes that something must be either known to be true (“we know of no instances of personal information being improperly used”), or known to be false–in short, that a lack of proof of some idea is itself proof of the opposite or opposing position. In truth we may not know if personal info has been improperly used, but that certainly doesn’t mean it hasn’t. It simply means we don’t know.But Gutierrez did add, “This review process has clearly pointed out the flaws in the department’s inventory and accountability efforts going back many years.”The Commerce announcement came partly in response to a request from House Government Reform Committee Chairman Tom Davis (R-VA) that agencies report all data breaches. The committee has received responses from all agencies except the Defense, Health and Human Services and Treasury departments. The land Security and State departments have each given only partial responses.David Marin, the committee’s staff director, said the panel is still reviewing the responses from other agencies.”Perhaps the most shocking thing here is that the public might not have ever known of these breaches and their scope if we hadn’t specifically asked for the information,” Davis said in a statement. “Why aren’t these inventories taken automatically, instinctively?”That’s a good question. Davis has proposed legislation that would require the Office of Management and Budget (OMB) to establish agency policies in the event of a known data breach.Citing reports of lost, stolen or mishandled personal information that have come out of more than a dozen federal agencies in just the last six months, Senate Minority Leader Harry Reid (D-NV) put on his best election-year voice and blasted the Bush administration for disregarding the protection of personal information.”They talk tough about identify theft, but then show a complete disregard for the security and personal information of the American people,” said Reid.Of the various agencies within the Commerce Department, the Census Bureau had the highest share of missing equipment and data, due to the high amount of field work performed by temporary hourly-paid employees–who themselves may pose something of a threat, since they almost surely lack the same degree of training, pay and benefits as their full-time counterparts.The Census Department reported a loss of 672 laptops over the last five years, of which 246 contained some degree of personal data. The good news is that full encryption was in place on 107 of these laptops; but 139 were either partially encrypted or lacked any encryption.Nearly half of all unaccounted-for laptops were stolen from employees’ vehicles; the other half were simply not returned, often when the temporary employees left the agency.All 46 missing thumb drives–a small device that can contain significant amounts of data–were encrypted.Gutierrez said the department is working to encrypt all laptops and will require two factors of authentication for remote electronic devices, as required in a June 23 OMB memorandum.
