[ISN] Feds Often Clueless After Data Losses

From: InfoSec News (alerts@private)
Date: Thu Oct 19 2006 - 03:18:50 PDT


http://www.informationweek.com/news/showArticle.jhtml?articleID=193400392

By Gregg Keizer
TechWeb News
Oct 18, 2006

Federal agencies not only regularly lose personal identity data, but 
don't even always know what they've lost or how many Americans are 
affected, a recently released House report claimed.

According to the report issued by the House Government Reform Committee, 
which is chaired by Tom Davis (R-Va.), all 19 federal departments and 
agencies from which data was requested had lost or compromised personal 
information in the three-and-a-half years since January 2003. Some of 
the breaches were losses, others were the result of theft.

In August 2006, for example, a Department of Defense laptop that 
contained personal information on 30,000 Navy applicants and prospects 
fell off a motorcycle driven by a recruiter. "The recruiter returned to 
the scene and was told by a roadside worker that a car had stopped and 
picked up the bag," the report said.

Davis's report was prompted by the May theft of a Veterans Affairs 
laptop and external hard drive that had the personal information of some 
26.5 million veterans and active duty military personnel. The hardware 
was recovered about two months later; an FBI analysis concluded that 
none of the confidential information had been accessed on the notebook 
and drive.

"I commend Davis for asking agencies to come forward with this 
information," said Paul Kurtz, executive director of the Cyber Security 
Industry Alliance (CSIA), an industry advocacy group that counts Citrix, 
McAfee, RSA, and Symantec as members. "It was a necessary step and a 
positive move."

The Davis report concluded that data loss is a government-wide problem. 
"This is not restricted to the Department of Veteran Affairs or any 
other single agency," the report stated. More troublesome, however, was 
the fact that in many cases, agencies "do not know what information has 
been lost or how many individuals could be impacted."

"That's not surprising," said Kurtz. "But it does underscore the gravity 
of the situation. Government is simply not giving this the attention it 
needs."

Although Congress pondered several data breach bills in the 
just-concluded session, none were passed. Kurtz, who in the past has 
been critical of the low priority the issue was given, continued to 
hammer at legislators.

"People's sensitive information must be secured across federal agencies. 
Users are confused. They hear from the private sector, such as brokerage 
houses, that their information is secure, but then find out it's not 
secure in other places, like the government. There needs to be a set of 
common standards."

Still, Kurtz hasn't given up on the idea of a national data breach and 
notification bill passing. "If I was a betting man, I'll take the bet 
[that Congress will pass something next session]. But that's because 
it's two years we're talking about."

In fact, Congress came close to putting something on the President's 
desk in the 109th Congress. "This was in the top 10, but not in the top 
5," Kurtz said. "There is a recognition and concern that this is a real 
problem. But it will take a lot of work."

That shouldn't bowl over anyone who has followed the federal 
government's abysmal record in IT security. In the most recent security 
report card issued by Congress, the government as a whole pulled a 
dismal "D+". Eight of the 24 departments and agencies graded were given 
an "F".

"There's definitely a connection between the grades and data losses," 
said Kurtz.

The House report can be downloaded from here as a 15-page PDF file. 
http://reform.house.gov/UploadedFiles/Agency%20Breach%20Summary%20Final%20(3).pdf

