Why can’t the Feds protect their own sensitive information?
Loss of Personal Information Widespread in Government

By Cliff Montgomery

A new report from the House Government Reform Committee shows that the loss of personal data is a common occurrence across government, largely because of poor physical security and the portability of both laptop computers and disks.

Worse still, the report said that agencies often do not know precisely what information has been lost, or how many people could be affected by a particular data breach.

Many of the reported breaches were the responsibility of government contractors, according to the House report.

The review was a direct response to the now infamous May 2006 Veterans Affairs Department data breach, in which a computer containing the personal information of about 26.5 million veterans and active duty military members was stolen from an agency employee’s home. It eventually was recovered.

More than a dozen other agencies acknowledged security breaches after the Veterans Affairs incident.

The political fallout was even enough to get Congress moving on the issue–no small feat these days. On July 10th, the House committee asked agencies to provide details about every incident since 2003 involving the loss or compromise of any sensitive personal information held by either them or their contractors.

The results of the new report are sobering. The House study details nearly 50 incidents since Jan. 1, 2003, each with a brief summary. Each stated incident includes the date, the circumstances of the breach, the information that was lost or compromised, and the number of people affected. In total, agencies reported more than 700 incidents.

Agencies described a wide range of situations, including data loss or theft, security incidents and privacy breaches.

But what may have been even more sobering was that the responses to data losses were also varied. Some notified all potentially affected individuals, but others clearly failed to tell those who may have been affected by the breach.

Perhaps worst of all, some of these security breaches may be occurring at the Department of Homeland Security (DHS), the federal agency which is supposed to protect all of us, according to an August report released recently.

A heavily redacted Aug. 8th report from Frank Deffer, assistant inspector general for information technology at DHS, was released on Oct. 2nd. Deffer’s conclusion is that the DHS inspector general’s office (IG) has not taken the necessary steps to properly secure laptop computers holding sensitive and classified information, and that considerable risks remain.

It’s hard to tell precisely what’s been going wrong, though; most examples of poor security practices were redacted.

The report said that stolen or missing laptops were not always properly reported through the chain of command to DHS’ Computer Security Incident Response Center. This included a stolen IG laptop in 2005.

“Senior DHS officials may not be aware of the extent or scope of laptop security issues at the department,” the report stated.

Auditors reviewed an inventory of office laptops and tested 94 dubbed “sensitive but unclassified,” and eight designated as classified. The inventory contained numerous discrepancies, according to the report.

Fifty of the office’s 395 laptops lacked proper labels, and another 46 were missing identification numbers.

But this may not be the whole story: six of the 94 “sensitive but unclassified” laptops and two of the eight classified laptops were not included in the inventory.

“Without an accurate and current inventory, [the IG] may be unaware of additional laptops that are missing,” the report said.

In a response to the findings, Edward Cincinnati, assistant inspector general for administration at DHS, agreed with the auditors’ recommendations and said his office is in the process of making changes.

All well and good, but what if the changes are not properly implemented? The Deffer report pointed out that the IG office even failed to fully implement its standard computer security package, which includes configuration settings and security software.

Under legislation proposed by House Government Reform Committee Chairman Tom Davis (R-VA), agencies would be required to notify the public if sensitive personal information were compromised. The bill is awaiting Senate action, but that will only occur after the November elections.