Theft causes most data losses, report finds
- By Matthew Weigelt
- Oct 16, 2006
House Government Reform Committee
Because equipment theft causes most data losses, agencies should use physical security to protect sensitive information, according to a new House Government Reform Committee report.
“The vast majority of data losses arose from physical thefts of portable computers, drives and disks, or unauthorized use of data by employees,” the Oct. 13 report states. Computer system hackers caused few breaches.
For example, the Internal Revenue Service told the committee that a revenue officer reported Feb. 27 that his IRS computer and 14 taxpayer cases were stolen from his vehicle, according to the report.
Federal contractors are another main source of problems. Agencies rely heavily on private-sector contractors for information technology management services, the report sates. “Thus, many of the reported data breaches were the responsibility of contractors,” it states.
The loss of sensitive data is a governmentwide problem, and agencies usually do not know what has been lost, the committee report states. The government holds sensitive, personal information on every citizen, including health records and tax returns.
The committee requested details from departments and agencies on their information breaches since January 2003. Those details revealed that all 19 departments and agencies reported at least one loss of personally identifiable information since then.
Agencies do not track every possible loss of information, which makes their reports to the committee incomplete, the report states.
For example, the Justice Department said that before the Department of Veterans Affairs data breach in May, DOJ “did not track the content of lost, stolen or otherwise compromised devices,” according to the report.
The VA announced that a computer with personal information on about 26.5 million veterans and active-duty military personnel was stolen from a VA employee’s home. Since then, other agencies have had breaches.
Agency responses to the committee varied, the report states. Some told potentially affected individuals of the breaches and others did not. Agencies are not required to tell the public about breaches.
“Data held by federal agencies remains at risk,” the committee report states. “In many cases, agencies do not know what information they have, who has access to the information and what devices containing information have been lost, stolen or misplaced.”