Davis highlights problems of data leakers

Commerce’s 1,137 missing laptop PCs are symptomatic of lax policy enforcement

Federal Agency Data Breach Notification Act of 2006

The Commerce Department disclosed last month that it has lost more than 1,100 laptop PCs in the past five years, including 672 from the Census Bureau. Of the missing Census laptops, 246 contained personally identifiable information. Those lost laptops raise concerns about how well prepared the bureau will be to safeguard personal information on handheld computers during the 2010 census.

Census officials did not comment about the recently reported equipment and data losses beyond what Commerce officials said when Rep. Tom Davis (R-Va.) announced the losses in September. But lawmakers and Census officials clearly recognize the risks of using handheld computers for the upcoming decennial census.

Census officials are taking precautions against personal data loss by designing a data-collection system that minimizes the time that handheld wireless PCs store data, said Warren Suss, president of Suss Consulting. Census has made strides to ensure that personal data leakage won’t happen during the 2010 census.

The bureau plans to keep most personal data off the devices by automatically transmitting encrypted information via a secure private network to a central database immediately after census takers collect it.

“That will minimize the risk in terms of requiring extensive data to be maintained on laptops in the field,” Suss said. “We should be in better shape for the next census than we are now.”

Commerce officials downplayed the potentially harmful consequences of the recent equipment losses that Davis cited by saying that factors such as password protection and, in some cases, encryption technology would limit any potential misuse of data that was on the missing equipment.

“All of the equipment that was lost or stolen contained protections to prevent a breach of personal information, and we are moving to institute better management, accountability, inventory controls, 100 percent encryption and improved training,” said Commerce Secretary Carlos Gutierrez, in a recent public statement.

However, Gutierrez’s comments offered little reassurance to security experts such as Ted Julian, vice president of business strategy at Application Security. “If the beginning and the end of your strategy is securing laptops, you’re doing a great job at reacting to the news at hand, but you’re arguably missing a huge swath of the data security problem,” he said.

Julian said agencies should only store sensitive personal data in a secure central location where people cannot remotely access it. The more decentralized the data, the more problems agencies will have with security, he said.

Davis expressed his lack of confidence that the government could keep sensitive personal information safe. “The American people deserve better from their government,” he said.

Suss, however, said information security problems will diminish as the government adopts more network-centric policies for managing data. “The long-term solution is going to have to rely on maintaining more information in the network rather than on individual devices,” Suss said. “It’s an important direction for the government to take, but it’s going to take time.”

Davis wins House support for data breach notification

Rep. Tom Davis (R-Va.) drafted the Federal Agency Data Breach Notification Act in July to require agencies to quickly notify individuals when a data loss might have compromised their sensitive personal information. The measure authorizes federal chief information officers to enforce the law.

After learning about the Commerce Department’s loss of 1,137 laptop PCs, Davis inserted his breach notification bill into the Veterans Identity and Credit Security Act of 2006. The breach notification bill would amend the Federal Information Security Management Act of 2002.

“If we’re going to ask and — sometimes demand — information from the public, we owe them a better way of knowing when that information goes missing,” Davis said in a recent speech on the House floor.

The bill Davis sponsored passed the House last month and moved to the Senate.

Who's Fed 100-worthy?

Nominations are now open for the 2015 Federal 100 awards. Get the details and submit your picks!

Featured

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above