Bradley in DC
10-18-2007, 07:29 AM
http://www.washingtonpost.com/wp-dyn/content/article/2007/10/16/AR2007101601818.html?wpisrc=newsletter
Laptops on the Lam, Again
Did the Transportation Security Administration miss the memo on safeguarding sensitive private data?
Wednesday, October 17, 2007; Page A16
THE TRANSPORTATION Security Administration isn't terribly secure when it comes to safeguarding personal information. An external computer hard drive with data on 100,000 staffers was reported missing from a secure area at the agency on May 3. Now, two laptops that belonged to a TSA contractor, Integrated Biometric Technology, and that contained details on 3,930 people have disappeared. It's yet another example of the federal government unwittingly aiding and abetting potential identity thieves.
Safeguarding personal information has been the law of the land since passage of the Privacy Act of 1974 and the Federal Information Security Management Act of 2004. But you wouldn't know it by the many stories about federal agencies accidentally letting Social Security numbers and other private, sensitive information slip away. An April report by the Internal Revenue Service's inspector general estimated that 500 laptops were stolen or lost at the IRS over a 3 1/2 -year period. At the Commerce Department, 1,000 laptops disappeared last year. One laptop was stolen from the Department of Veterans Affairs -- with 26.5 million records on it.
In May, an exasperated Office of Management and Budget issued a 22-page memo to all federal departments that can be summed up thusly: Shape up. Put locks on the doors. Limit access to sensitive information. And keep to a minimum the number of people who have access. The directive gave departments and agencies 120 days to come up with breach notification plans and ways to limit the use of Social Security numbers for identification purposes. This would include "reducing the volume of collected and retained information to the minimum necessary; limiting access to only those individuals who must have such access; and using encryption, strong authentication procedures, and other security controls to make information unusable by unauthorized individuals."
Seems as though the encryption advice didn't get to Integrated Biometric Technology, which was advised by the TSA to encrypt data on its hard drives after it was discovered that previously deleted information on the missing laptops could be recovered. Names, addresses, birthdays, commercial driver's license numbers, in addition to Social Security numbers, for some, were gathered because drivers hauling hazardous materials need security clearances. Until agencies such as the TSA come up with better ways to keep such sensitive data from getting into the wrong hands, those breach notification plans will be dog-eared from overuse.
Laptops on the Lam, Again
Did the Transportation Security Administration miss the memo on safeguarding sensitive private data?
Wednesday, October 17, 2007; Page A16
THE TRANSPORTATION Security Administration isn't terribly secure when it comes to safeguarding personal information. An external computer hard drive with data on 100,000 staffers was reported missing from a secure area at the agency on May 3. Now, two laptops that belonged to a TSA contractor, Integrated Biometric Technology, and that contained details on 3,930 people have disappeared. It's yet another example of the federal government unwittingly aiding and abetting potential identity thieves.
Safeguarding personal information has been the law of the land since passage of the Privacy Act of 1974 and the Federal Information Security Management Act of 2004. But you wouldn't know it by the many stories about federal agencies accidentally letting Social Security numbers and other private, sensitive information slip away. An April report by the Internal Revenue Service's inspector general estimated that 500 laptops were stolen or lost at the IRS over a 3 1/2 -year period. At the Commerce Department, 1,000 laptops disappeared last year. One laptop was stolen from the Department of Veterans Affairs -- with 26.5 million records on it.
In May, an exasperated Office of Management and Budget issued a 22-page memo to all federal departments that can be summed up thusly: Shape up. Put locks on the doors. Limit access to sensitive information. And keep to a minimum the number of people who have access. The directive gave departments and agencies 120 days to come up with breach notification plans and ways to limit the use of Social Security numbers for identification purposes. This would include "reducing the volume of collected and retained information to the minimum necessary; limiting access to only those individuals who must have such access; and using encryption, strong authentication procedures, and other security controls to make information unusable by unauthorized individuals."
Seems as though the encryption advice didn't get to Integrated Biometric Technology, which was advised by the TSA to encrypt data on its hard drives after it was discovered that previously deleted information on the missing laptops could be recovered. Names, addresses, birthdays, commercial driver's license numbers, in addition to Social Security numbers, for some, were gathered because drivers hauling hazardous materials need security clearances. Until agencies such as the TSA come up with better ways to keep such sensitive data from getting into the wrong hands, those breach notification plans will be dog-eared from overuse.