When personal data gets out of the box...

A new Federal Computer Week survey finds that the theft of a Veterans Affairs Department laptop PC pushed data security to the forefront at many agencies

The theft of a Veterans Affairs Department laptop PC last year alarmed many agency officials and prompted them to take steps to improve data security, according to Federal Computer Week readers.

FCW recently surveyed readers to learn what effects the theft of the government laptop PC from the home of a VA employee in May 2006 had on their agencies. More than 50 percent of the 183 readers who responded to the e-mail survey said their agencies had implemented new security policies, procedures and technologies in the past year. Nearly the same number had invested in information security training in response to the VA incident, and about a third had allocated or requested new resources for securing government-held information, especially personal data that others could use to steal someone’s identity.

Survey responses also indicate that agencies face a daunting challenge in trying to secure thousands of mobile devices. Some military agencies say they have more than 25,000 such devices to protect from theft and data breaches. Most agencies are trying to secure laptop, personal digital assistant and mobile data storage devices. However, 74 respondents said they also are trying to safeguard personal data stored on mobile phones.

One reader’s agency responded to the incident by encrypting all the hard drives on all laptop PCs. Another said everyone received a refresher course in information security procedures.

Most readers who participated in the survey said their agencies have followed at least some of the instructions that the Office of Management and Budget issued in a July 2006 memorandum concerning data security incidents. However, 23 percent said their agencies made no progress toward complying with the memo’s instructions.

That memo from Karen Evans, OMB administrator for e-government and information technology, instructed agencies, among other things, to report suspected or verified security breaches that involved personal data to the Homeland Security Department’s U.S. Computer Emergency Readiness Team within an hour of discovering a breach.

The one-hour policy is DHS’ way of saying, “If you know something, call us, and don’t sit around wondering if you’re going to lose your job because you didn’t do something you were supposed to,” said Paul Proctor, vice president of Gartner’s security and risk practice.

Describing their agencies’ responses to the policy memo, 106 readers said their agencies had determined who would respond to a data breach and notify those who might be affected, as the memo instructed. Also, 101 readers said their agencies had formed response groups that can be quickly convened after a data breach. And 79 readers said their agencies had trained a response group in risk analysis to determine whether an incident exposed its victims to identity theft.

An incident in which an agency inadvertently exposes Social Security numbers to unauthorized users is not the most serious data breach. However, a Social Security number linked to a valid name and address could be enough to enable someone to start gathering financial information about that person and, eventually, steal that person’s identity, said John Pescatore, vice president of Gartner’s Internet security practice.

Readers who responded to the survey said their biggest concern about insecure mobile devices was that the devices might infect agency systems and networks with malicious software code. National security concerns ranked second, ahead of concerns about identity theft. The costs agencies incur in responding to security incidents, especially the expense of providing free credit monitoring to the victims of data breaches, ranked lowest among readers’ concerns.

Security experts say the loss or theft of laptop PCs or external drives containing personal data typically poses a lesser threat of identity theft than online break-ins, because online intruders go after account information with the specific intent of stealing identities.

Nevertheless, it was the theft of the VA laptop PC containing personal data on 26.5 million veterans and active-duty military employees that caused many officials to realize that a similar incident could happen at their agencies.

Government agencies should minimize the amount of personal data, including Social Security numbers, that they collect and store, Pescatore said. But in those cases in which it is necessary, his advice is to do it right. “You definitely should be using technology like encryption or strong access controls to make sure the numbers are protected and that all accesses are audited,” he said.
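As an added illustration of the practice Pescatore describes, and not code from the article or from any agency named in it, the following Python module keeps the raw Social Security number out of everyday records by storing only a keyed pseudonym and the last four digits, confines the full number to a separate restricted store, lets only an authorized role reveal it, and writes an audit entry for every reveal attempt. The module, function and role names and the sample record are assumptions made for the demo; the HMAC-based pseudonym is a stand-in for the encryption he mentions, and in production the restricted store would be encrypted at rest with a real library and keyed from a KMS or HSM rather than a module constant.

```python
"""Data minimisation, access control and audit for stored SSNs (demo, assumed names)."""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone
from typing import Optional

# Assumption for the demo: a fresh random key so the module runs offline.
# A real deployment fetches this from a KMS/HSM and never hard-codes it.
PSEUDONYM_KEY = secrets.token_bytes(32)

# Assumed role names: only these may see a full SSN.
SSN_REVEAL_ROLES = {"benefits-adjudicator"}


def pseudonymize_ssn(ssn: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed pseudonym (HMAC-SHA256) of a nine-digit SSN.

    Formatting is normalised first so "078-05-1120" and "078051120" map to
    the same token. A plain hash would not do: there are only 10^9 possible
    SSNs, so an unkeyed hash can be inverted by brute force.
    """
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


class PersonalDataStore:
    """Working records carry only the token and the last four digits.

    The full SSN lives in a separate restricted map (standing in for an
    encrypted-at-rest vault) that only reveal_ssn() reads, and every reveal
    attempt, allowed or denied, is appended to the audit trail.
    """

    def __init__(self) -> None:
        self.records = {}    # token -> working record (no raw SSN)
        self._vault = {}     # token -> full SSN (restricted)
        self.audit_log = []  # append-only list of access records

    def add(self, name: str, address: str, ssn: str) -> str:
        token = pseudonymize_ssn(ssn)
        digits = "".join(ch for ch in ssn if ch.isdigit())
        self.records[token] = {"name": name, "address": address,
                               "ssn_last4": digits[-4:]}
        self._vault[token] = digits
        return token

    def lookup_by_ssn(self, ssn: str) -> Optional[dict]:
        """Everyday matching needs only the token, never the vault."""
        return self.records.get(pseudonymize_ssn(ssn))

    def reveal_ssn(self, token: str, actor: str, role: str, purpose: str) -> str:
        """Return the full SSN only to an authorised role; audit every attempt."""
        allowed = role in SSN_REVEAL_ROLES and token in self._vault
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "role": role, "purpose": purpose,
            "token": token, "action": "reveal_ssn",
            "outcome": "allowed" if allowed else "denied",
        })
        if not allowed:
            raise PermissionError(f"{actor} ({role}) may not reveal SSN {token[:8]}...")
        return self._vault[token]


if __name__ == "__main__":
    store = PersonalDataStore()
    # Constructed sample record; not real data.
    tok = store.add("J. Veteran", "1 Main St", "078-05-1120")
    print(store.lookup_by_ssn("078051120"))       # record without the raw SSN
    print(store.reveal_ssn(tok, "alice", "benefits-adjudicator", "claim 42"))
    try:
        store.reveal_ssn(tok, "mallory", "analyst", "curiosity")
    except PermissionError as err:
        print("denied:", err)
    for entry in store.audit_log:
        print(entry["outcome"], entry["actor"], entry["role"], entry["purpose"])
```

The point of the split is that most workflows (matching a veteran to a record, showing the last four digits on a screen) never touch the full number, so a stolen copy of the working data set does not carry it. Whether the vault is an encrypted column, a separate service or an HSM-backed store is a deployment choice; what matters is that the only path to the full SSN passes through an authorization check and leaves an audit record, including for the denied attempts that an incident responder will want to see.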

The Social Security Administration has shown how it can be done right, Pescatore said. “SSA has never had one of these embarrassing breaches,” he said. “It’s a matter of other agencies learning the best practices from people like SSA.”

Pescatore said the biggest concern agencies should have about data breaches is people’s loss of trust in the government’s ability to protect their personal data. The loss of trust, he said, could make people unwilling to file their tax returns online and might end other e-government initiatives.

Proctor agreed with his colleague. “I can always choose not to shop at a certain store that’s untrustworthy,” he said. But people have no choice about giving their data to the government, he added. “That’s what puts a premium on the government’s ability to provide security for us, because we don’t have a choice.”

Lunn is research director at the 1105 Government Information Group.


Experts say policies are not the answer

Some observers say the government’s reactions to data-security breaches are similar to corporations’ responses to such incidents: Offer free credit monitoring to those whose personal data might have been compromised and, in the case of the government, issue a new policy.

“The dripping out of policies about how to do things in reaction to something bad that has happened” is not the way to handle data-security risks, said Howard Schmidt, chief executive officer of R&H Security Consulting and former chief security strategist for the Homeland Security Department’s U.S. Computer Emergency Readiness Team Partners Program. Schmidt said the government has a tendency to say, “Let’s do this this month, then wait till something bad happens and do something else.”

Incidents involving lost or stolen data on thumb drives, for example, will continue unless the government makes a commitment to securing data at its source, Schmidt said. “The security professionals know how to do it — with real-time monitoring, encryption, vulnerability assessments and automatic patching.

“We’ve got a lot of people who know how to do this stuff,” he added, “but they’re not given either the authority to do it or the time to do it. And that’s an issue that’s got to be dealt with. This is not a lower-down-on-the-list priority. This is something that needs to be dealt with today. There has to be an executive priority to do this.”

Even the most knowledgeable security analysts say there is no such thing as zero risk. Still, they say, federal agencies are taking on too much risk by leaving known security flaws in their systems unfixed.

“There’s always going to be the risk of a breach happening from time to time, and that’s what the breach-notification laws are about,” said Paul Proctor, vice president of Gartner’s security and risk practice. “However, the problem is that most agencies are accepting way too much risk.”

What’s lacking, Proctor said, is training, enforcement and implementation. “The training makes them able to do it, enforcement gives them motivation to do it, and the implementation is doing it,” he said.

— Florence Olsen
