Davis questions TreasuryDirect security

The chairman of the House Government Reform Committee has concerns about the Treasury Department's ability to protect personal information.

In a letter sent today to the Treasury Department's commissioner of the public debt, Rep. Tom Davis (R-Va.) asked about the security of personal information collected on the TreasuryDirect.gov Web site, which sells government bonds online. The letter comes the day after the committee, which Davis heads, released its annual federal security score card. Treasury scored a D-plus.

Rather than going with masked credit card numbers, TreasuryDirect collects a bevy of personal data, including Social Security, driver's license, bank routing and account numbers; home addresses; birthdates; and e-mail addresses. Treasury's Bureau of the Public Debt's Web site includes a notice that reads:

"If you choose to send us personal information electronically or request that we send you personal information electronically, we cannot guarantee its confidentiality as it travels across the Internet. Although not likely, it is possible for others to eavesdrop."

Davis' letter to Van Zeck, commissioner of the public debt, describes the caution as troubling.

In May 2003, Treasury officials said credit card purchases of savings bonds would be phased out by the end of the year because of the additional cost to the department for offering that option. Treasury started TreasuryDirect, which now offers I Bonds and Series EE bonds in electronic form, to potentially save the government millions of dollars. Officials have estimated that paper savings bonds can cost more than $150 million annually.

Bureau spokesman Peter Hollenbach said officials look forward to responding directly to Davis. "We place the highest importance on the security and confidentiality of the information our customers provide to us," he said.

The committee, while commending Treasury on attempting to modernize the Web site, would like to work with the department on securing confidentiality during online transactions. "We're not mandating that they go to credit card numbers," said Drew Crockett, a committee spokesman, adding they may have a good reason for requesting personal information instead of credit card numbers. "Part of expanding e-government is making the citizens confident that the information they provide to the government will be safe. If that confidence is lost, we're going to have a hard time bringing the federal government into the 21st century.

The Federal Information Security Management Act of 2002 requires an annual independent evaluation of agency information security practices, usually performed by the inspector general. Agency and inspector general reports are submitted to Congress and the Office of Management and Budget and used to compile the annual score cards, which help Congress assess the government's security progress.