Interior catches flak for breach disclosure

Losing the encrypted CD wasn't the main problem

Interior Department officials took the cautious route — some say too cautious — earlier this month when they disclosed that they could not locate a CD containing personally identifiable information for about 7,500 federal employees, even though it is unlikely anyone could read the CD’s contents because the information is encrypted and password-protected.

The incident occurred on or about May 26, when a procurement specialist at Interior’s National Business Center in Denver reported that the CD, which was sent there by a third-party service provider, could not be located. It was presumed to be lost in the center’s secure, restricted-access area, reported Alice Lipowicz on FCW.com.

Some observers questioned the necessity and wisdom of the announcement and notification to employees whose information was involved.

“It was encrypted and password-protected. So why the notifications?” wrote Sang Lee on the company blog of AlertBoot, a disk encryption vendor. “There is something to the idea of ‘data breach overexposure,’ where people don't pay as much notice once they're acclimated to something.”

A reader of FCW’s story posted an anonymous comment that posed a similar question: “Why, if this CD was properly encrypted with a FIPS 140-2-validated product, is this a news story?” 

A spokeswoman for the National Business Center said the agency followed its breach notification procedures in contacting the federal employees involved, who work for a number of federal agencies. Officials also established an incident call center to provide information and answer questions. Federal privacy regulations require agencies to report breaches of personally identifiable information.

Forty-four states have breach notification laws, wrote AlertBoot’s Lee in another blog post, but they don’t require notification if the lost or stolen data was protected with some kind of security measure such as encryption.

However, some notification laws do not treat all types of data breaches equally. In Ohio, for example, government agencies must notify affected parties of electronic data breaches but are not obligated to report possible breaches involving paper documents, reported Josh Sweigart in the Oxford Press.

That legal omission has been blamed for multiple instances of agencies in Ohio not notifying people whose personal information was potentially compromised because of improper disposal of paper records.

Such examples illustrate why notification laws are necessary when data is not secured and breaches occur, Lee wrote, adding, “Look at what happens when the law doesn't require it: People literally hide this stuff.”

About the Author

John Zyskowski is a senior editor of Federal Computer Week. Follow him on Twitter: @ZyskowskiWriter.
