Interior catches flak for breach disclosure

Losing the encrypted CD wasn't the main problem

Interior Department officials took the cautious route — some say too cautious — earlier this month when they disclosed that they could not locate a CD containing personally identifiable information for about 7,500 federal employees, even though it is unlikely anyone could read the CD’s contents because the information is encrypted and password-protected.

The incident occurred on or about May 26, when a procurement specialist at Interior’s National Business Center in Denver reported that the CD, which was sent there by a third-party service provider, could not be located. It was presumed to be lost in the center’s secure, restricted-access area, reported Alice Lipowicz on FCW.com.

Some observers questioned the necessity and wisdom of the announcement and notification to employees whose information was involved.

“It was encrypted and password-protected. So why the notifications?” wrote Sang Lee on the company blog of AlertBoot, a disk encryption vendor. “There is something to the idea of ‘data breach overexposure,’ where people don't pay as much notice once they're acclimated to something.”

A reader of FCW’s story posted an anonymous comment that posed a similar question: “Why, if this CD was properly encrypted with a FIPS 140-2-validated product, is this a news story?” 

A spokeswoman for the National Business Center said the agency followed its breach notification procedures in contacting the federal employees involved, who work for a number of federal agencies. Officials also established an incident call center to provide information and answer questions. Federal privacy regulations require agencies to report breaches of personally identifiable information.

Forty-four states have breach notification laws, wrote AlertBoot’s Lee in another blog post, but they don’t require notification if the lost or stolen data was protected with some kind of security measure such as encryption.

However, some notification laws do not treat all types of data breaches equally. In Ohio, for example, government agencies must notify affected parties of electronic data breaches but are not obligated to report possible breaches involving paper documents, reported Josh Sweigart in the Oxford Press.

That legal omission has been blamed for multiple instances of agencies in Ohio not notifying people whose personal information was potentially compromised because of improper disposal of paper records.

Such examples illustrate why notification laws are necessary when data is not secured and breaches occur, Lee wrote, adding, “Look at what happens when the law doesn't require it: People literally hide this stuff.”

About the Author

John Zyskowski is a senior editor of Federal Computer Week. Follow him on Twitter: @ZyskowskiWriter.

The 2015 Federal 100

Meet 100 women and men who are doing great things in federal IT.

Featured

  • Shutterstock image (by venimo): e-learning concept image, digital content and online webinar icons.

    Can MOOCs make the grade for federal training?

    Massive open online courses can offer specialized IT instruction on a flexible schedule and on the cheap. That may not always mesh with government's preference for structure and certification, however.

  • Shutterstock image (by edel): graduation cap and diploma.

    Cybersecurity: 6 schools with the right stuff

    The federal government craves more cybersecurity professionals. These six schools are helping meet that demand.

  • Rick Holgate

    Holgate to depart ATF

    Former ACT president will take a job with Gartner, follow his spouse to Vienna, Austria.

  • Are VA techies slacking off on Yammer?

    A new IG report cites security and productivity concerns associated with employees' use of the popular online collaboration tool.

  • Shutterstock image: digital fingerprint, cyber crime.

    Exclusive: The OPM breach details you haven't seen

    An official timeline of the Office of Personnel Management breach obtained by FCW pinpoints the hackers’ calibrated extraction of data, and the government's step-by-step response.

  • Stephen Warren

    Deputy CIO Warren exits VA

    The onetime acting CIO at Veterans Affairs will be taking over CIO duties at the Office of the Comptroller of the Currency.

  • Shutterstock image: monitoring factors of healthcare.

    DOD awards massive health records contract

    Leidos, Accenture and Cerner pull off an unexpected win of the multi-billion-dollar Defense Healthcare Management System Modernization contract, beating out the presumptive health-records leader.

  • Sweating the OPM data breach -- Illustration by Dragutin Cvijanovic

    Sweating the stolen data

    Millions of background-check records were compromised, OPM now says. Here's the jaw-dropping range of personal data that was exposed.

  • FCW magazine

    Let's talk about Alliant 2

    The General Services Administration is going to great lengths to gather feedback on its IT services GWAC. Will it make for a better acquisition vehicle?

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above