Why can't the Feds protect their own sensitive information?
The American Spark
Loss of Personal Information Widespread in Government
By Cliff Montgomery
A new report from the House Government Reform Committee shows that the loss of personal data is a common
occurrence across government, largely because of poor physical security and the portability of both laptop computers
and disks.
Worse still, the report said that agencies often do not know precisely what information has been lost, or how many people
could be affected by a particular data breach.
Many of the reported breaches were the responsibility of government contractors, according to the House report.
The review was a direct response to the now infamous May 2006 Veterans Affairs Department data breach, in which a
computer containing the personal information of about 26.5 million veterans and active duty military members was
stolen from an agency employee's home. It eventually was recovered.
More than a dozen other agencies acknowledged security breaches after the Veterans Affairs incident.
The political fallout was even enough to get Congress moving on the issue--no small feat these days. On July 10th, the House committee asked agencies to provide details about every incident since 2003 involving the loss or compromise of any sensitive personal information held by either them or their contractors.
The results of the new report are sobering. The House study details nearly 50 incidents since Jan. 1, 2003, each with a
brief summary. Each stated incident includes the date, the circumstances of the breach, the information that was lost or
compromised and the number of people affected. In total, agencies reported more than 700 incidents.
Agencies described a wide range of situations, including data loss or theft, security incidents and privacy breaches.
But what may have been even more sobering was that the responses to data losses were also varied. Some agencies notified all potentially affected individuals, but others clearly failed to tell those who may have been affected by the breach.
Perhaps worst of all, some of these security breaches may be occurring at the Department of Homeland Security (DHS), the federal agency that is supposed to protect all of us, according to an August report that was only recently released.
A heavily redacted Aug. 8th report from Frank Deffer, assistant inspector general for information technology at DHS, was released on Oct. 2nd. Deffer concluded that the DHS inspector general's office (IG) has not taken the necessary steps to properly secure laptop computers holding sensitive and classified information, and that considerable risks remain.
It's hard to precisely tell what's been going wrong, though; most examples of poor security practices were redacted.
The report said that stolen or missing laptops were not always properly reported through the chain of command to DHS'
Computer Security Incident Response Center. This included a stolen IG laptop in 2005.
"Senior DHS officials may not be aware of the extent or scope of laptop security issues at the department," the report stated.
Auditors reviewed an inventory of office laptops and tested 94 designated "sensitive but unclassified" and eight designated as classified. The inventory contained numerous discrepancies, according to the report.
Fifty of the office's 395 laptops lacked proper labels, and another 46 were missing identification numbers.
But even this may not tell the whole story: six of the 94 "sensitive but unclassified" laptops and two of the eight classified laptops were not included in the inventory at all.
"Without an accurate and current inventory, [the IG] may be unaware of additional laptops that are missing," the report said.
In response to the findings, Edward Cincinnati, assistant inspector general for administration at DHS, agreed with the auditors' recommendations and said his office is in the process of making changes.
All well and good, but what if the changes are not properly implemented? The Deffer report pointed out that the IG office had even failed to fully implement its own standard computer security package, which includes configuration settings and security software.
Under legislation proposed by House Government Reform Committee Chairman Tom Davis (R-VA), agencies would be required to notify the public if sensitive personal information was compromised. The bill is awaiting Senate action, but that will only occur after the November elections.