Bearer of Bad News

When you lose citizens' personal information, there's a right way and a wrong way to manage it.

In May 2006, a laptop computer containing the Social Security numbers of 26.5 million U.S. veterans was stolen from the home of a Veterans Affairs Department official. The following month, two Federal Trade Commission laptops filled with sensitive data were swiped. The incidents were jarring wake-up calls for the federal government.

For nearly two years, agencies have worked to demonstrate they have made improvements in how they protect Americans' data. VA now requires its employees to complete information security awareness training, and it developed a more centralized departmentwide IT security program, according to the VA Office of the Inspector General.

But that's not enough for Virginia Rep. Tom Davis, the top Republican on the House Oversight and Government Reform Committee. He introduced a bill last year that would require agencies to give timely notice to individuals whose personal information might have been jeopardized by a theft or a hacker who infiltrated a system. His measure, which is still awaiting committee action, also calls for the executive branch to establish agency practices in case sensitive personal information is lost or stolen and there is a reasonable risk to individuals.

The bill, H.R. 2124, describes the types of sensitive data that agencies must protect and gives chief information officers the power to ensure that employees comply with security statutes already on the books. An identical bill cleared the House in the 109th Congress but stalled in the Senate. "Agencies need to be proactive," says Davis, who announced on Jan. 30 that he would not seek reelection in 2008 after 14 years in office. "They need to plan, practice and establish policies to address these issues beforehand." He said the VA case "will go down in history as what not to do." Agencies must "think on their feet, not just prepare for the exam."

VA Chief Information Officer Bob Howard says his department has done just that in the nearly two years since the laptop was stolen. The agency has established a multipronged, multilayered incident response network that he believes is unparalleled across government. VA created local, regional and national teams whose job it is to guard against future security breakdowns. One top-level team meets every week to assess any security incident - no matter how minor - and recommends actions.

On the high-tech front, IT administrators now can monitor when someone at VA uses an unauthorized thumb drive or other device. The agency has embraced encryption and is working on a complex rights management infrastructure that will provide several means of encrypting data, Howard says.

If a breach does occur, Howard has learned that it is crucial to "scope out the population that's been affected as rapidly as possible." "The last thing you want to do is tell [the media] that 10,000 people were affected and a day later it's 100,000," he says. A detailed communication strategy "should be at your fingertips."

Marc Groman, chief privacy officer at FTC, agrees that media relations are paramount in crisis management. "A big breach can be a lesson in crisis management and you must control the message," he says. "A bad situation can get worse without the right communications expert." After the breach at his agency, Groman whipped up a detailed response plan. His 12-page handbook includes sample warning letters, press releases and other guidance documents. He also recruited a team that would respond to any problem. The response posse includes Groman, the chief information security officer, a senior manager and an attorney with privacy experience.

To help navigate your way through a security breach, Government Executive turned to some experts for advice. Here's what they had to say.

After the Breach

Tim Sparapani, senior legislative counsel for the American Civil Liberties Union, has a five-point plan:

* Be honest with the public.

* Don't go into a defensive crouch. Get the word out. Take your lumps, but limit the damage.

* Solve the immediate problem. Find the security hole. Plug it. Find the lost laptop, backup tape, etc.

* Immediately pay for credit freezes and identity theft assistance.

* Pay for lost wages and injury. Don't fight it, just do it.

If you haven't taken measures to eliminate the potential consequences, a swift response and identifying exposed data will do little good, says Kevin Bocek, marketing director for PGP Corp., a global security software firm headquartered in Palo Alto, Calif. "That's why agencies have to understand their data - where it is and how it is used - and then implement enterprise data protection solutions such as encryption to protect the data not just in one place, but across the organization and beyond."

Don't Ignore Prevention

Agencies still must take preemptive steps, Sparapani says: "That involves identifying the ID breach crisis manager who runs the show." Someone has to be responsible and make decisions quickly. Bureaucratic time lags give ID thieves time to cause more mischief.

Sparapani also recommends keeping handy a media list of reporters who reach your audience. The best way to prevent damage, or to limit it, is to get the word out immediately to those who might be affected so they can get on the phone and block access to accounts. Reporters can get the word out fast. Also, audit your systems regularly, encrypt any mobile device that stores or transmits data, and mandate password protection.

Keep the Public Trust

Government agencies have the same responsibilities as companies when it comes to protecting personal information, says Larry Ponemon, who publishes an annual study on the topic. They must take necessary steps to safeguard the information that the public entrusts to them - data that in many cases the government requires them to share. Federal managers must "recognize the importance of establishing and maintaining the public trust," he says.

Before the VA laptop was stolen, the department had earned high marks for its privacy standards for several years. After the incident, the agency was the next-to-lowest ranked in Ponemon's 2007 privacy poll. "That's a terrific illustration of how a data breach within a government agency can undermine public trust," he says.

Andrew Noyes is a reporter for CongressDaily.