Davis highlights problems of data leakers
Commerce’s 1,137 missing laptop PCs are symptomatic of lax policy enforcement
Federal Agency Data Breach Notification Act of 2006
The Commerce Department disclosed last month that it has lost more than 1,100 laptop PCs in the past five years, including 672 from the Census Bureau. Of the missing Census laptops, 246 contained personally identifiable information. Those lost laptops raise concerns about how well prepared the bureau will be to safeguard personal information on handheld computers during the 2010 census.
Census officials did not comment about the recently reported equipment and data losses beyond what Commerce officials said when Rep. Tom Davis (R-Va.) announced the losses in September. But lawmakers and Census officials clearly recognize the risks of using handheld computers for the upcoming decennial census.
Census officials are taking precautions against personal data loss by designing a data-collection system that minimizes the time that handheld wireless PCs store data, said Warren Suss, president of Suss Consulting. Census has made strides to ensure that personal data leakage won’t happen during the 2010 census.
The bureau plans to keep most personal data off the devices by automatically transmitting encrypted information via a secure private network to a central database immediately after census takers collect it.
“That will minimize the risk in terms of requiring extensive data to be maintained on laptops in the field,” Suss said. “We should be in better shape for the next census than we are now.”
Commerce officials downplayed the potentially harmful consequences of the recent equipment losses that Davis cited by saying that factors such as password protection and, in some cases, encryption technology would limit any potential misuse of data that was on the missing equipment.
“All of the equipment that was lost or stolen contained protections to prevent a breach of personal information, and we are moving to institute better management, accountability, inventory controls, 100 percent encryption and improved training,” said Commerce Secretary Carlos Gutierrez, in a recent public statement.
However, Gutierrez’s comments offered little reassurance to security experts such as Ted Julian, vice president of business strategy at Application Security. “If the beginning and the end of your strategy is securing laptops, you’re doing a great job at reacting to the news at hand, but you’re arguably missing a huge swath of the data security problem,” he said.
Julian said agencies should only store sensitive personal data in a secure central location where people cannot remotely access it. The more decentralized the data, the more problems agencies will have with security, he said.
Davis expressed his lack of confidence that the government could keep sensitive personal information safe. “The American people deserve better from their government,” he said.
Suss, however, said information security problems will diminish as the government adopts more network-centric policies for managing data. “The long-term solution is going to have to rely on maintaining more information in the network rather than on individual devices,” Suss said. “It’s an important direction for the government to take, but it’s going to take time.”