Cybereye | Another week, another leak
- By William Jackson
- May 14, 2007
This time it is the Transportation Security Administration, which earlier this month noticed that an external hard drive containing the personnel records of 100,000 current and former employees from 2002 to 2005 had gone missing. As of this writing, nobody knows what happened to it and the disappearance is being treated as a criminal investigation.
One of the first things that struck me about this story was that the TSA, which has about 50,000 employees, had managed to accumulate personnel records on at least 100,000 people. That indicates a 100 percent turnover in its workforce in a little more than three years. Apparently, the agency is not likely to end up on anyone's list of best places to work any time soon. Or maybe they offer a really great early severance package.
But more to the point, the incident reinforces the need for agencies to protect IT systems and the data they contain. It has been said before, but apparently it needs saying again. Since the beginning of this year, agencies have reported 11 incidents (including the most recent loss) of the theft, loss or exposure of personal data for at least 660,000 people, according to a chronology maintained by the Privacy Rights Clearinghouse. The data was kept on tapes, hard drives and up to 100 missing laptops, posted on Web sites, and printed on envelopes.
We know of these incidents because it has become standard practice for agencies to alert the persons who might be affected by such losses, which in effect results in public disclosure. As far as this goes, it is a good thing.
'You don't want to punish them for the disclosure,' said Pam Johnston, a former federal prosecutor who managed prosecution of computer intrusion cases as an Assistant U.S. Attorney. She now is in private practice with Foley and Lardner LLP in Los Angeles. 'What concerns me more is that data was being kept on an external drive.'
The problem with external hard drives is that they often have fewer security features than the laptops that so often go missing.
'Laptops are more secure,' she said. 'You may lose the machine, but getting access to it won't normally be easy.'
That is, if the machine has been properly secured. Not all laptops are, of course. But such security is even less common on external drives.
What is the solution to this rash of data breaches? There is no single solution. It will require policies, budgets and appropriate security on networks, endpoint devices and servers. Rep. Tom Davis of Virginia has introduced a bill that could help with some of this. The Federal Agency Data Breach Protection Act, HR 2124, was introduced May 3. It requires agencies to develop policies for responding to the breach or disclosure of personal data, including the notification of individuals affected. But more significant is another provision that requires agencies to develop and maintain 'an inventory of all personal computers, laptops, or any other hardware containing sensitive personal information.'
This inventory is a crucial first step to protecting personal data. All of the policies and all of the software in the world will not solve the problem if those in charge do not know what information they have and where it is. The inventory not only would help administrators protect the data, but it could also open a few eyes. Confronted with the volume of data floating around on a variety of devices, some top level managers may be prompted to say, 'Holy cow! We've got to get a handle on this.'
But first, the bill would have to pass. And as Johnston pointed out, 'this legislation doesn't seem to get much traction.'
The current bill is identical to one Davis introduced in the last Congress, which was passed as part of the Veterans Identity and Credit Security Act; that act passed the House but died in the Senate. Well, it is early in the 110th Congress. Maybe over the next year and a half this bill can gain some traction.
William Jackson is a Maryland-based freelance writer.