Labor tightening data security

The Labor Department has begun emphasizing tighter management and security of its vast trove of electronic records. The agency wants to prevent unauthorized access to data that could endanger department employees, said the director of the agency's information technology center.

As Internet access to Labor Department databases increases, it could become easier for snoopers to piece together sensitive personal data about department employees, said Laura Callahan, who is also the agency's deputy chief information officer.

That is worrisome because "we have people whose lives are threatened when they do their jobs," she said Dec. 20 in an address to the Association for Federal Information Resources Management.

Callahan said that mine inspectors are one category of agency employees who may be endangered by decisions they make in the course of their work. Deciding to shut down an unsafe mine, for example, could mean major financial losses for mine owners and could lead to possible retaliation against the inspectors.

Labor employees enforce more than 180 federal laws that govern workplace safety, wages, child labor and a wide array of other working conditions.

Disclosure of personal information about people who enforce the laws, such as their names, addresses and phone numbers, could put them in jeopardy, Callahan said. Internet access to department documents may make disclosure more likely. When records were maintained on paper or in stand-alone databases, access to personal data was limited, she said.

But increasingly, records are kept in electronic form -- as required by law. And databases are interconnected via the Internet so that data can be easily shared with other agencies. Thus, many more people have access to data, and technology makes it easier than ever to put together small bits of information collected from numerous sources to compile a complete dossier, and that could be dangerous, she said.

Labor conducts "penetration testing" to see where unauthorized users can break into its databases and what information they can collect, Callahan said. Penetration testing helps plug holes in security, but more needs to be done to improve electronic records management, which she said has been "grossly overlooked."

The department also has begun stressing that information privacy and security is part of everyone's responsibility, Callahan said. In the past, for most employees, protecting privacy "wasn't in their job description. Now it's in everyone's, and we need to teach them that," she said.