Davis highlights problems of data leakers

Commerce’s 1,137 missing laptop PCs are symptomatic of lax policy enforcement

Federal Agency Data Breach Notification Act of 2006

The Commerce Department disclosed last month that it has lost more than 1,100 laptop PCs in the past five years, including 672 from the Census Bureau. Of the missing Census laptops, 246 contained personally identifiable information. Those lost laptops raise concerns about how well prepared the bureau will be to safeguard personal information on handheld computers during the 2010 census.

Census officials did not comment about the recently reported equipment and data losses beyond what Commerce officials said when Rep. Tom Davis (R-Va.) announced the losses in September. But lawmakers and Census officials clearly recognize the risks of using handheld computers for the upcoming decennial census.

Census officials are taking precautions against personal data loss by designing a data-collection system that minimizes the time that handheld wireless PCs store data, said Warren Suss, president of Suss Consulting. Census has made strides to ensure that personal data leakage won’t happen during the 2010 census.

The bureau plans to keep most personal data off the devices by automatically transmitting encrypted information via a secure private network to a central database immediately after census takers collect it.

“That will minimize the risk in terms of requiring extensive data to be maintained on laptops in the field,” Suss said. “We should be in better shape for the next census than we are now.”

Commerce officials downplayed the potentially harmful consequences of the recent equipment losses that Davis cited by saying that factors such as password protection and, in some cases, encryption technology would limit any potential misuse of data that was on the missing equipment.

“All of the equipment that was lost or stolen contained protections to prevent a breach of personal information, and we are moving to institute better management, accountability, inventory controls, 100 percent encryption and improved training,” said Commerce Secretary Carlos Gutierrez, in a recent public statement.

However, Gutierrez’s comments offered little reassurance to security experts such as Ted Julian, vice president of business strategy at Application Security. “If the beginning and the end of your strategy is securing laptops, you’re doing a great job at reacting to the news at hand, but you’re arguably missing a huge swath of the data security problem,” he said.

Julian said agencies should only store sensitive personal data in a secure central location where people cannot remotely access it. The more decentralized the data, the more problems agencies will have with security, he said.

Davis expressed his lack of confidence that the government could keep sensitive personal information safe. “The American people deserve better from their government,” he said.

Suss, however, said information security problems will diminish as the government adopts more network-centric policies for managing data. “The long-term solution is going to have to rely on maintaining more information in the network rather than on individual devices,” Suss said. “It’s an important direction for the government to take, but it’s going to take time.”

Davis wins House support for data breach notification

Rep. Tom Davis (R-Va.) drafted the Federal Agency Data Breach Notification Act in July to require agencies to quickly notify individuals when a data loss might have compromised their sensitive personal information. The measure authorizes federal chief information officers to enforce the law.

After learning about the Commerce Department’s loss of 1,137 laptop PCs, Davis inserted his breach notification bill into the Veterans Identity and Credit Security Act of 2006. The breach notification bill would amend the Federal Information Security Management Act of 2002.

“If we’re going to ask and — sometimes demand — information from the public, we owe them a better way of knowing when that information goes missing,” Davis said in a recent speech on the House floor.

The bill Davis sponsored passed the House last month and moved to the Senate.

Featured

  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.