When personal data gets out of the box...

The theft of a Veterans Affairs Department laptop PC last year alarmed many agency officials and prompted them to take steps to improve data security, according to Federal Computer Week readers.

FCW recently surveyed readers to learn what effects the theft of the government laptop PC from the home of a VA employee in May 2006 had on their agencies. More than 50 percent of the 183 readers who responded to the e-mail survey said their agencies had implemented new security policies, procedures and technologies in the past year. Nearly the same number had invested in information security training in response to the VA incident, and about a third had allocated or requested new resources for securing government-held information, especially personal data that others could use to steal someone’s identity.

Survey responses also indicate that agencies face a daunting challenge in trying to secure thousands of mobile devices. Some military agencies say they have more than 25,000 such devices to protect from theft and data breaches. Most agencies are trying to secure laptop, personal digital assistant and mobile data storage devices. However, 74 respondents said  they also are trying to safeguard personal data stored on mobile phones.

One reader’s agency responded to the incident by encrypting all the hard drives on all laptop PCs. Another said everyone received a refresher course in information security procedures.

Most readers who participated in the survey said their agencies have followed at least some of the instructions that the Office of Management and Budget issued in a July 2006 memorandum concerning data security incidents. However, 23 percent said their agencies made no progress toward complying with the memo’s instructions.

That memo from Karen Evans, OMB administrator for e-government and information technology, instructed agencies, among other things, to report suspected or verified security breaches that involved personal data to the Homeland Security Department’s U.S. Computer Emergency Readiness Team within an hour of discovering a breach.

The one-hour policy is DHS’ way of saying, “If you know something, call us, and don’t sit around wondering if you’re going to lose your job because you didn’t do something you were supposed to,” said Paul Proctor, vice president of Gartner’s security and risk practice.

Describing their agencies’ responses to the policy memo, 106 readers said their agencies had determined who would respond to a data breach and notify those who might be affected, as the memo instructed. Also, 101 readers said their agencies had formed response groups that can be quickly convened after a data breach. And 79 readers said their agencies had trained a response group in risk analysis to determine whether an incident exposed its victims to identity theft.

An incident in which an agency inadvertently exposes Social Security numbers to unauthorized users is not the most serious data breach. However, a Social Security number linked to a valid name and address could be enough to enable someone to start gathering financial information about that person and, eventually, steal that person’s identity, said John Pescatore, vice president of Gartner’s Internet security practice.

Readers who responded to the survey said their biggest concern about insecure mobile devices was that the devices might infect agency systems and networks with malicious software code. National security concerns ranked second, ahead of concerns about identity theft. The costs agencies incur in responding to security incidents, especially the expense of providing free credit monitoring to the victims of data breaches, ranked lowest among readers’ concerns.

Security experts say the loss or theft of laptop PCs or external drives containing personal data typically poses a lesser threat of identity theft than online break-ins.

In online cases, thieves go after account information intending to steal identities. Nevertheless, it was the theft of the VA laptop PC containing personal data on 26.5 million veterans and active-duty military employees that caused many officials to realize that a similar incident could happen at their agencies.

Government agencies should minimize the amount of personal data, including Social Security numbers, that they collect and store, Pescatore said. But in those cases in which it is necessary, his advice is to do it right. “You definitely should be using technology like encryption or strong access controls to make sure the numbers are protected and that all accesses are audited,” he said.

The Social Security Administration has shown how it can be done right, Pescatore said. “SSA has never had one of these embarrassing breaches,” he said. “It’s a matter of other agencies learning the best practices from people like SSA.”

Pescatore said the biggest concern agencies should have about data breaches is people’s loss of trust in the government’s ability to protect their personal data. The loss of trust, he said, could make people unwilling to file their tax returns online and might end other e-government initiatives.

Proctor agreed with his colleague. “I can always choose not to shop at a certain store that’s untrustworthy,” he said. But people have no choice about giving their data to the government, he added. “That’s what puts a premium on the government’s ability to provide security for us, because we don’t have a choice.”

Lunn is research director at the 1105 Government Information Group.

Click here to see a PDF with all the charts.