By Christopher Lee
Washington Post Staff Writer
February 26, 2008

Despite a steady stream of embarrassing computer security breaches, many
major federal agencies still are doing too little to safeguard the
sensitive personal information in their possession, according to

Only two of 24 agencies studied by the Government Accountability Office
in a report released last week had implemented all five security
measures recommended by the Office of Management and Budget to protect

The top performers included the Treasury Department and the Department
of Transportation. The worst were the Small Business Administration and
the National Science Foundation, neither of which had adopted any of the
measures, according to Sen. Norm Coleman (R-Minn.), one of two senators
who requested the study. But officials at both agencies said yesterday
that they had completed most or all of the recommended measures since
GAO investigators last visited them in October.

"Since that report, we've followed OMB directives, and we are now up to
speed," said Christine Mangi, an SBA spokeswoman.

Coleman and Sen. Susan Collins (R-Maine) asked the GAO to look into how
agencies were handling security in 2006 after the disclosure that a
Department of Veterans Affairs external hard drive containing Social
Security numbers and other personal information on millions of veterans
had been stolen from the home of a VA employee. The drive eventually was
recovered by police.

"The findings released in this report are very troubling -- indicating
that agency after agency has failed to make securing citizens' personal
information a high priority," Coleman said in a statement. "We need to
know when the agencies are going to have the protections in place to
stop the numerous data breaches we have seen over the past few years."

The loss or theft of personal data can inconvenience or embarrass the
people whose information is compromised, but the biggest concern is the
potential for identity theft and other fraud. In 2006, identity theft of
all varieties -- not merely cases associated with federal data breaches
-- accounted for $49.3 billion in losses to people and organizations
nationwide, according to the GAO report.

At least 19 federal agencies have experienced at least one data breach
that could expose employees or members of the public to identity theft,
according to the GAO. In March 2006, for instance, a portable data
storage device with personal information on more than 207,000 Marines
was lost. In July of that year, a laptop was stolen from the car of an
employee of the DOT inspector general's office, putting the personal
information of 133,000 Florida pilots and other residents at risk.

Agencies are supposed to take steps such as encrypting all data on
laptop computers and mobile devices; limiting remote access to
authorized users with two methods of authenticating their identity; and
documenting when sensitive information is downloaded and by whom.

Most of the 24 agencies examined by the GAO had adopted two or three of
the security measures, but few had implemented them all.

George Strawn, chief information officer for the National Science
Foundation, said that, contrary to the GAO report, his agency has
implemented all or part of all five measures.

"We have been working on this diligently for two or three years and are
in pretty good shape," he said. "There will always be more to do and the
crooks will always try to get ahead of you, but we have been paying a
lot of attention to it and we don't intend to lower our vigilance."