Davis highlights problems of data leakers

Commerce’s 1,137 missing laptop PCs are symptomatic of lax policy enforcement

Federal Agency Data Breach Notification Act of 2006

The Commerce Department disclosed last month that it has lost more than 1,100 laptop PCs in the past five years, including 672 from the Census Bureau. Of the missing Census laptops, 246 contained personally identifiable information. Those lost laptops raise concerns about how well prepared the bureau will be to safeguard personal information on handheld computers during the 2010 census.

Census officials did not comment about the recently reported equipment and data losses beyond what Commerce officials said when Rep. Tom Davis (R-Va.) announced the losses in September. But lawmakers and Census officials clearly recognize the risks of using handheld computers for the upcoming decennial census.

Census officials are taking precautions against personal data loss by designing a data-collection system that minimizes the time that handheld wireless PCs store data, said Warren Suss, president of Suss Consulting. Census has made strides to ensure that personal data leakage won’t happen during the 2010 census.

The bureau plans to keep most personal data off the devices by automatically transmitting encrypted information via a secure private network to a central database immediately after census takers collect it.

“That will minimize the risk in terms of requiring extensive data to be maintained on laptops in the field,” Suss said. “We should be in better shape for the next census than we are now.”

Commerce officials downplayed the potentially harmful consequences of the recent equipment losses that Davis cited by saying that factors such as password protection and, in some cases, encryption technology would limit any potential misuse of data that was on the missing equipment.

“All of the equipment that was lost or stolen contained protections to prevent a breach of personal information, and we are moving to institute better management, accountability, inventory controls, 100 percent encryption and improved training,” said Commerce Secretary Carlos Gutierrez, in a recent public statement.

However, Gutierrez’s comments offered little reassurance to security experts such as Ted Julian, vice president of business strategy at Application Security. “If the beginning and the end of your strategy is securing laptops, you’re doing a great job at reacting to the news at hand, but you’re arguably missing a huge swath of the data security problem,” he said.

Julian said agencies should only store sensitive personal data in a secure central location where people cannot remotely access it. The more decentralized the data, the more problems agencies will have with security, he said.

Davis expressed his lack of confidence that the government could keep sensitive personal information safe. “The American people deserve better from their government,” he said.

Suss, however, said information security problems will diminish as the government adopts more network-centric policies for managing data. “The long-term solution is going to have to rely on maintaining more information in the network rather than on individual devices,” Suss said. “It’s an important direction for the government to take, but it’s going to take time.”

Davis wins House support for data breach notification

Rep. Tom Davis (R-Va.) drafted the Federal Agency Data Breach Notification Act in July to require agencies to quickly notify individuals when a data loss might have compromised their sensitive personal information. The measure authorizes federal chief information officers to enforce the law.

After learning about the Commerce Department’s loss of 1,137 laptop PCs, Davis inserted his breach notification bill into the Veterans Identity and Credit Security Act of 2006. The breach notification bill would amend the Federal Information Security Management Act of 2002.

“If we’re going to ask — and sometimes demand — information from the public, we owe them a better way of knowing when that information goes missing,” Davis said in a recent speech on the House floor.

The bill Davis sponsored passed the House last month and moved to the Senate.

