By Mary Mosquera
Federal agencies have been losing laptop computers, including those with
personal data, without public notification and sometimes undetected by
Agencies are finding out now, and disclosing the information, because
House Government Reform Committee chairman Tom Davis (R-Va.) requested
summaries of data breaches over the last several years.
As a result, the situation requires a strong governmentwide policy on
public notification, including strengthening legislation he has
introduced, Davis said.
The most flagrant violator among agency responses so far is the Commerce
Department, which reported that 1,137 laptops had been lost, stolen or
misplaced since 2001. It also is missing 46 flash or "thumb" drives and
16 handheld computers. Of these, 672 of the missing laptops were from
the Census Bureau, and 246 of those contained personally identifiable
"Perhaps the most shocking thing here is that the public might not have
ever known of these breaches and their scope if we hadn't specifically
asked for the information," Davis said in a statement.
"I'm surprised agencies don't have this information at hand. That shows
we still have a long way to go on agency data security," he said.
The federal government spends tens of billions of dollars a year on IT,
yet the reality is that the government is incapable of storing, moving
and accessing information, he said.
Davis plans to pursue whatever legislative fixes are necessary to reduce
the losses and, when they happen, to make sure that appropriate
officials know and act on the information, and notify those potentially
The Federal Information Security Management Act guides agencies in
protecting federal information, operations and assets. In Davis' annual
FISMA scorecard, the federal government averages D+. Among FISMA
provisions, agencies are required to report data breaches to the U.S.
Computer Emergency Readiness Team (US-CERT) within the Homeland Security
Department. The Office of Management and Budget recently expanded the
rule to cover all incidents that include personally identifiable
"We may need to update the law regarding notification of Congress, and
the Government Reform Committee in particular," he said.
Davis in July introduced H.R. 5838, the Federal Agency Data Breach
Notification Act, to strengthen laws regarding disclosing incidents to
the public. There is no standard policy or procedure for notifying
citizens when their personal information held by the government is
compromised, he said.
In the last several months, agencies have reported data breaches weeks
and months after they occurred, including at the Veterans Affairs
"In light of the VA breach and the subsequent delay in public
notification, as well as a number of other incidents involving federal
agencies, a strong governmentwide policy is required," Davis said.
His bill would require the Office of Management and Budget to establish
policies, procedures and standards for agencies to follow in the event
of a data breach.
"Given these recent disclosures, I intend to revisit that bill and
augment it as necessary," he said.
In July, Davis and Rep. Henry Waxman (D-Calif.) asked all cabinet-level
agencies, the Office of Personnel Management and the Social Security
Administration to report any "loss or compromise of sensitive personal
information held by the federal government since Jan. 1, 2003." Agencies
were to deliver a summary of each incident by July 24.
To date, 13 agencies have responded, including the Social Security
Administration and the Energy and Veterans Affairs departments. The
Homeland Security Department has partially responded. Three agencies
have not yet responded - the Treasury, Defense and Health and Human
Services departments - a committee spokesman said.
Commerce said the high volume of lost equipment was unacceptable and
regretted the loss of data but was optimistic that the vulnerability for
data misuse was low.
"All of the equipment that was lost or stolen contained protections to
prevent a breach of personal information, and we are moving to institute
better management, accountability, inventory controls, 100 percent
encryption and improved training," said Commerce secretary Carlos
Gutierrez in a statement.