Feds' personal data goes missing
- By Jason Miller
- Mar 03, 2005
Lawmakers quiz GSA after Bank of America loses tapes containing credit card records
Sen. Susan Collins
The Bank of America Corp.'s loss of data tapes containing personal information on 1.2 million federal charge card holders has triggered congressional wrath on both the bank and the General Services Administration.
Following the bank's acknowledgement late last month that it could not locate magnetic tapes used for federal credit card accounts, lawmakers are questioning GSA's oversight of the SmartPay program and whether the agency requires sufficient security to protect personal data.
'I am disturbed that we still do not know whether the tapes were accidentally lost or deliberately stolen,' said Sen. Susan Collins (R-Maine) in letters last week to GSA and the bank.
The tapes'which contain records with such details as employees' names, addresses and Social Security numbers'first went missing in December.
There is speculation that the tapes disappeared while in transit from one Bank of America facility to another and that the Transportation Security Administration did not adequately secure the tapes, according to a congressional staff member.
GSA and TSA should be held accountable for the loss of the tapes, the staff member said.
'Bank of America did everything it was required to do here,' he said. 'If tighter security should have been the norm, where was GSA in requiring that as a part of the contract? What about TSA, whose employees apparently failed to properly re-secure the luggage containing the tapes?'
Bank of America informed the employees this month that their personal information could be at risk.Congressional consternation
'I am perplexed why federal employees were not notified that their identifying information had been compromised until two months after the fact,' Collins noted in her letters to GSA administrator Stephen A. Perry and Bank of America CEO Kenneth D. Lewis.
Alexandra Trower, a Bank of America spokeswoman, said the lost tapes include records on employees from 30 federal agencies and the Senate.
'There has been no evidence that the tapes or the content has been accessed or misused, and we are presuming the tapes to be lost at this point,' she said.
GSA has been working with Bank of America and will look at whether anything can be done to improve data security in the SmartPay program, agency spokeswoman Mary Alice Johnson said.
David Marin, a spokesman for the House Government Reform Committee, said chairman Tom Davis (R-Va.) wants the committee to review how to protect personal data better.
The mishap follows several other recent incidents in which companies including ChoicePoint Inc. of Alpharetta, Ga., and Science Applications International Corp. of San Diego lost personal data or had it stolen.
And now lawmakers are promising hearings on identity theft, privacy and security.
Sen. Patrick Leahy (D-Vt.), ranking minority member of the Senate Judiciary Committee, has requested that chairman Arlen Specter (R-Pa.) investigate information brokering, government access to commercial data, government data mining and the impact of new technologies on privacy.
'I hope this latest incident will bring the issue closer to home so Congress will pay better attention to the rapid erosion of privacy rights that ordinary Americans are facing, as more and more of their personal information is collected and sold on databases that too often have too few privacy protections,' Leahy said.
Although Bank of America's information was not sold, privacy and industry experts suggested there are better ways to protect data.
Bank of America uses tapes to archive account information and stores the tapes in an undisclosed location, said Barbara Desoer, head of global technology service and fulfillment for the company.
Trower said data on the tapes could not be easily accessed because hackers would need specific equipment, expertise and software to retrieve and piece together the data.
'This is security 101,' said Robert Gellman, a privacy expert and GCN columnist. 'How hard is it to encrypt a tape with all that information? Why anyone is passing around personal information, including names and Social Security numbers, by tape or CD-ROM or through the Internet without encrypting it is hard to understand.'
Trower refused to detail security used to protect data on the tapes or to say whether any of the data was encrypted.