Today's Article
The U.S.
Government doesn't
know what's
become of sensitive
information on its
laptop computers.
Government doesn't
know what's
become of sensitive
information on its
laptop computers.
The American Spark
 |
 |
 |
 |
 |
Agency Reports Loss Of More Than 1,100 Laptops Over 5 Years
By Cliff Montgomery
A Commerce Department review has discovered that over the last five years more than a thousand laptops have ended
up missing or stolen, with hundreds containing the personal information of American citizens.
In response to both a congressional request and public inquiries, Commerce found that a whopping 1,137 laptops have
been lost or stolen from among its 30,000-plus laptop computers, spread across the department's 15 organizations.
Of these, 249 contained personally identifiable information, with varying levels of security ranging from simple passwords
to full encryption.
A separate Commerce report stated that since 2003, 297 electronic devices containing sensitive personal information
have been lost. This includes 217 laptops, 15 hand-held devices and 46 thumb drives.
Commerce Secretary Carlos Gutierrez claims that even though the number of missing computers is high, the chance of
data misuse is low.
"While we know of no instances of personal information being improperly used, we regret each instance of lost material and
believe the volume of lost equipment is unacceptable," Gutierrez said.
In rhetoric, Gutierrez's argument is known as an "Argument from Ignorance" fallacy. It incorrectly assumes that something
must be either known to be true ("we know of no instances of personal information being improperly used"), or known to be
false--in short, that a lack of proof of some idea is itself proof of the opposite or opposing position.
In truth we may not know if personal info has been improperly used, but that certainly doesn't mean it hasn't. It simply
means we don't know.
But Gutierrez did add, "This review process has clearly pointed out the flaws in the department's inventory and
accountability efforts going back many years."
The Commerce announcement came partly in response to a request from House Government Reform Committee
Chairman Tom Davis (R-VA) that agencies report all data breaches. The committee has received responses from all
agencies except the Defense, Health and Human Services and Treasury departments. The Homeland Security and
State departments have each given only partial responses.
David Marin, the committee's staff director, said the panel is still reviewing the responses from other agencies.
"Perhaps the most shocking thing here is that the public might not have ever known of these breaches and their scope if
we hadn't specifically asked for the information," Davis said in a statement. "Why aren't these inventories taken
automatically, instinctively?"
That's a good question. Davis has proposed legislation that would require the Office of Management and Budget (OMB) to
establish agency policies in the event of a known data breach.
Citing reports of lost, stolen or mishandled personal information that have come out of more than a dozen federal
agencies in just the last six months, Senate Minority Leader Harry Reid (D-NV) put on his best election-year voice and
blasted the Bush administration for disregarding the protection of personal information.
"They talk tough about identify theft, but then show a complete disregard for the security and personal information of the
American people," said Reid.
Of the various agencies within the Commerce Department, the Census Bureau had the highest share of missing
equipment and data, due to the high amount of field work performed by temporary hourly-paid employees--who themselves
may pose something of a threat, since they almost surely lack the same degree of training, pay and benefits as their
full-time counterparts.
The Census Department reported a loss of 672 laptops over the last five years, of which 246 contained some degree of
personal data. The good news is that full encryption was in place on 107 of these laptops; but 139 were either partially
encrypted or lacked any encryption.
Nearly half of all unaccounted-for laptops were stolen from employees' vehicles; the other half were simply not returned,
often when the temporary employees left the agency.
All 46 missing thumb drives--a small device that can contain significant amounts of data--were encrypted.
Gutierrez said the department is working to encrypt all laptops and will require two factors of authentication for remote
electronic devices, as required in a June 23 OMB memorandum.
By Cliff Montgomery
A Commerce Department review has discovered that over the last five years more than a thousand laptops have ended
up missing or stolen, with hundreds containing the personal information of American citizens.
In response to both a congressional request and public inquiries, Commerce found that a whopping 1,137 laptops have
been lost or stolen from among its 30,000-plus laptop computers, spread across the department's 15 organizations.
Of these, 249 contained personally identifiable information, with varying levels of security ranging from simple passwords
to full encryption.
A separate Commerce report stated that since 2003, 297 electronic devices containing sensitive personal information
have been lost. This includes 217 laptops, 15 hand-held devices and 46 thumb drives.
Commerce Secretary Carlos Gutierrez claims that even though the number of missing computers is high, the chance of
data misuse is low.
"While we know of no instances of personal information being improperly used, we regret each instance of lost material and
believe the volume of lost equipment is unacceptable," Gutierrez said.
In rhetoric, Gutierrez's argument is known as an "Argument from Ignorance" fallacy. It incorrectly assumes that something
must be either known to be true ("we know of no instances of personal information being improperly used"), or known to be
false--in short, that a lack of proof of some idea is itself proof of the opposite or opposing position.
In truth we may not know if personal info has been improperly used, but that certainly doesn't mean it hasn't. It simply
means we don't know.
But Gutierrez did add, "This review process has clearly pointed out the flaws in the department's inventory and
accountability efforts going back many years."
The Commerce announcement came partly in response to a request from House Government Reform Committee
Chairman Tom Davis (R-VA) that agencies report all data breaches. The committee has received responses from all
agencies except the Defense, Health and Human Services and Treasury departments. The Homeland Security and
State departments have each given only partial responses.
David Marin, the committee's staff director, said the panel is still reviewing the responses from other agencies.
"Perhaps the most shocking thing here is that the public might not have ever known of these breaches and their scope if
we hadn't specifically asked for the information," Davis said in a statement. "Why aren't these inventories taken
automatically, instinctively?"
That's a good question. Davis has proposed legislation that would require the Office of Management and Budget (OMB) to
establish agency policies in the event of a known data breach.
Citing reports of lost, stolen or mishandled personal information that have come out of more than a dozen federal
agencies in just the last six months, Senate Minority Leader Harry Reid (D-NV) put on his best election-year voice and
blasted the Bush administration for disregarding the protection of personal information.
"They talk tough about identify theft, but then show a complete disregard for the security and personal information of the
American people," said Reid.
Of the various agencies within the Commerce Department, the Census Bureau had the highest share of missing
equipment and data, due to the high amount of field work performed by temporary hourly-paid employees--who themselves
may pose something of a threat, since they almost surely lack the same degree of training, pay and benefits as their
full-time counterparts.
The Census Department reported a loss of 672 laptops over the last five years, of which 246 contained some degree of
personal data. The good news is that full encryption was in place on 107 of these laptops; but 139 were either partially
encrypted or lacked any encryption.
Nearly half of all unaccounted-for laptops were stolen from employees' vehicles; the other half were simply not returned,
often when the temporary employees left the agency.
All 46 missing thumb drives--a small device that can contain significant amounts of data--were encrypted.
Gutierrez said the department is working to encrypt all laptops and will require two factors of authentication for remote
electronic devices, as required in a June 23 OMB memorandum.