[ISN] Davis seeks standard IT breach notification policy

From: InfoSec News (alerts@private)
Date: Sun Sep 24 2006 - 22:44:57 PDT


http://www.gcn.com/online/vol1_no1/42081-1.html

By Mary Mosquera
GCN Staff
09/22/06

Federal agencies have been losing laptop computers, including those with 
personal data, without public notification and sometimes undetected by 
the government.

Agencies are finding out now, and disclosing the information, because 
House Government Reform Committee chairman Tom Davis (R-Va.) requested 
summaries of data breaches over the last several years.

As a result, the situation requires a strong governmentwide policy on 
public notification, including strengthening legislation he has 
introduced, Davis said.

The most flagrant violator among agency responses so far is the Commerce 
Department, which reported that 1,137 laptops had been lost, stolen or 
misplaced since 2001. It also is missing 46 flash or "thumb" drives and 
16 handheld computers. Of these, 672 of the missing laptops were from 
the Census Bureau, and 246 of those contained personally identifiable 
information.

"Perhaps the most shocking thing here is that the public might not have 
ever known of these breaches and their scope if we hadn't specifically 
asked for the information," Davis said in a statement.

"I'm surprised agencies don't have this information at hand. That shows 
we still have a long way to go on agency data security," he said.

The federal government spends tens of billions of dollars a year on IT, 
yet the reality is that the government is incapable of storing, moving 
and accessing information, he said.

Davis plans to pursue whatever legislative fixes are necessary to reduce 
the losses and, when they happen, to make sure that appropriate 
officials know and act on the information, and notify those potentially 
at risk.

The Federal Information Security Management Act guides agencies in 
protecting federal information, operations and assets. In Davis' annual 
FISMA scorecard, the federal government averages D+. Among FISMA 
provisions, agencies are required to report data breaches to the U.S. 
Computer Emergency Readiness Team (US-CERT) within the Homeland Security 
Department. The Office of Management and Budget recently expanded the 
rule to cover all incidents that include personally identifiable 
information.

"We may need to update the law regarding notification of Congress, and 
the Government Reform Committee in particular," he said.

Davis in July introduced H.R. 5838, the Federal Agency Data Breach 
Notification Act, to strengthen laws regarding disclosing incidents to 
the public. There is no standard policy or procedure for notifying 
citizens when their personal information held by the government is 
compromised, he said.

In the last several months, agencies have reported data breaches weeks 
and months after they occurred, including at the Veterans Affairs 
Department.

"In light of the VA breach and the subsequent delay in public 
notification, as well as a number of other incidents involving federal 
agencies, a strong governmentwide policy is required," Davis said.

His bill would require the Office of Management and Budget to establish 
policies, procedures and standards for agencies to follow in the event 
of a data breach.

"Given these recent disclosures, I intend to revisit that bill and 
augment it as necessary," he said.

In July, Davis and Rep. Henry Waxman (D-Calif.) asked all cabinet-level 
agencies, the Office of Personnel Management and the Social Security 
Administration to report any "loss or compromise of sensitive personal 
information held by the federal government since Jan. 1, 2003." Agencies 
were to deliver a summary of each incident by July 24.

To date, 13 agencies have responded, including the Social Security 
Administration and the Energy and Veterans Affairs departments. The 
Homeland Security Department has partially responded. Three agencies 
have not yet responded - the Treasury, Defense and Health and Human 
Services departments - a committee spokesman said.

Commerce said the high volume of lost equipment was unacceptable and 
regretted the loss of data but was optimistic that the vulnerability for 
data misuse was low.

"All of the equipment that was lost or stolen contained protections to 
prevent a breach of personal information, and we are moving to institute 
better management, accountability, inventory controls, 100 percent 
encryption and improved training," said Commerce secretary Carlos 
Gutierrez in a statement.
