Feds' personal data goes missing

What Sen. Susan Collins wants to know

FROM GSA:

Why did it take two months to notify the affected federal employees?

What has the agency asked Bank of America to do to alleviate possible harm to employees because of this incident, and has the bank complied?

What will GSA do to make sure employees' personal data is safe?


FROM BANK OF AMERICA:

What is the bank's policy for transporting personal data?

What has the bank done to mitigate probable damage caused by the release of government employees' information?

What will the bank do to ensure such personal information is protected in the future?

Sen. Susan Collins

Lawmakers quiz GSA after Bank of America loses tapes containing credit card records

The Bank of America Corp.'s loss of data tapes containing personal information on 1.2 million federal charge card holders has triggered congressional wrath on both the bank and the General Services Administration.

Following the bank's acknowledgement late last month that it could not locate magnetic tapes used for federal credit card accounts, lawmakers are questioning GSA's oversight of the SmartPay program and whether the agency requires sufficient security to protect personal data.

'I am disturbed that we still do not know whether the tapes were accidentally lost or deliberately stolen,' said Sen. Susan Collins (R-Maine) in letters last week to GSA and the bank.

The tapes'which contain records with such details as employees' names, addresses and Social Security numbers'first went missing in December.

There is speculation that the tapes disappeared while in transit from one Bank of America facility to another and that the Transportation Security Administration did not adequately secure the tapes, according to a congressional staff member.

GSA and TSA should be held accountable for the loss of the tapes, the staff member said.
'Bank of America did everything it was required to do here,' he said. 'If tighter security should have been the norm, where was GSA in requiring that as a part of the contract? What about TSA, whose employees apparently failed to properly re-secure the luggage containing the tapes?'

Bank of America informed the employees this month that their personal information could be at risk.

Congressional consternation

'I am perplexed why federal employees were not notified that their identifying information had been compromised until two months after the fact,' Collins noted in her letters to GSA administrator Stephen A. Perry and Bank of America CEO Kenneth D. Lewis.

Alexandra Trower, a Bank of America spokeswoman, said the lost tapes include records on employees from 30 federal agencies and the Senate.

'There has been no evidence that the tapes or the content has been accessed or misused, and we are presuming the tapes to be lost at this point,' she said.

GSA has been working with Bank of America and will look at whether anything can be done to improve data security in the SmartPay program, agency spokeswoman Mary Alice Johnson said.
David Marin, a spokesman for the House Government Reform Committee, said chairman Tom Davis (R-Va.) wants the committee to review how to protect personal data better.

The mishap follows several other recent incidents in which companies including ChoicePoint Inc. of Alpharetta, Ga., and Science Applications International Corp. of San Diego lost personal data or had it stolen.

And now lawmakers are promising hearings on identity theft, privacy and security.

Sen. Patrick Leahy (D-Vt.), ranking minority member of the Senate Judiciary Committee, has requested that chairman Arlen Specter (R-Pa.) investigate information brokering, government access to commercial data, government data mining and the impact of new technologies on privacy.

'I hope this latest incident will bring the issue closer to home so Congress will pay better attention to the rapid erosion of privacy rights that ordinary Americans are facing, as more and more of their personal information is collected and sold on databases that too often have too few privacy protections,' Leahy said.

Although Bank of America's information was not sold, privacy and industry experts suggested there are better ways to protect data.

Bank of America uses tapes to archive account information and stores the tapes in an undisclosed location, said Barbara Desoer, head of global technology service and fulfillment for the company.

Trower said data on the tapes could not be easily accessed because hackers would need specific equipment, expertise and software to retrieve and piece together the data.

'This is security 101,' said Robert Gellman, a privacy expert and GCN columnist. 'How hard is it to encrypt a tape with all that information? Why anyone is passing around personal information, including names and Social Security numbers, by tape or CD-ROM or through the Internet without encrypting it is hard to understand.'

Trower refused to detail security used to protect data on the tapes or to say whether any of the data was encrypted.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above