GovernmentExecutive.com

A federal labor union filed a class action lawsuit Tuesday against the Homeland Security Department and its Transportation Security Administration, charging that the government acted recklessly when it lost sensitive personal data on 100,000 TSA employees.

The lawsuit, filed by the American Federation of Government Employees and four transportation security officers in the U.S. District Court for the District of Columbia, seeks an order for TSA to develop new security procedures consistent with the 2001 Aviation and Transportation Security Act and the 1974 Privacy Act.

The 15-page civil suit also asks that affected employees be granted administrative leave to give them time to protect against potential identity theft and financial problems created by the incident.

"TSA's reckless behavior is clearly in violation of the law," said John Gage, AFGE's national president. "TSA must be held liable for this wanton disregard for employee privacy. A DHS agency that cannot even shield its own employee data is not reassuring."

TSA learned on May 3 that the external computer hard drive holding the sensitive data was missing from a controlled area at the agency's headquarters human capital office. The breach affects all TSA employees hired between January 2002 and August 2005; the missing data includes names, Social Security numbers, dates of birth, payroll information, financial allotments and bank account and routing numbers.

Law enforcement officials were immediately notified and a criminal investigation was launched by the Secret Service and the FBI, according to TSA. Agency officials notified all employees of the incident on May 4 after an initial search failed to turn up the hard drive.

TSA officials refused to comment on the lawsuit, but have said there is no evidence that an unauthorized individual has used the information.

TSA is advising affected individuals to monitor financial accounts continuously for suspicious activity, and is providing one year of free credit monitoring from Identity Force, a service that includes identity theft insurance up to $25,000.

The Aviation and Transportation Security Act requires the TSA administrator to "ensure the adequacy of security measures at airports" and the Privacy Act directs that every federal agency have in place a security system to prevent the unauthorized release of personal records.

"The maintenance and safeguarding of personnel data is vital to the protection of security at our nation's airports," Gage added. "If the stolen information were to fall into the wrong hands, false identity badges easily could be created in order to gain access to secure areas."

The TSA data breach is the latest in a series of security breakdowns that have touched nearly every federal agency. The largest occurred in May 2006 when a computer containing the personal information of about 26.5 million veterans and active-duty military members was stolen from the home of a Veterans Affairs Department employee. The computer was later recovered.

Just last month, Agriculture Department officials learned that 38,700 Social Security numbers of farmers were publicly available on the Internet. The Census Bureau said in March that it accidentally posted personal information concerning 302 American households on a public Web site.

COMMENTS

• The vulnerabilities of the present database system have long been known. A more effective method of securing all types of data from VA patient records to TSA worker files was presented to agency officials long before the major security breeches and could have been prevented but the issues were ignored the rest is history. The threat to the security of all forms of information is growing and the continued reliance upon the existing systems dependent upon a system, that was never designed with security in mind, with its demonstrated vulnerabilities, is a disservice to Federal employeess and the people they serve. An independent outside review is necessary to insure that solutions that conflict with the status quo are not coninually ignored. Frederick Scheffler Posted May 14, 2007 10:10 AM
• Lost is also a euphemism for slip-shod business processes such as my case, "We lost your security package, could you fill out another background questionaire?" If government loses the chain of custody on sensitive information and expects that standard to be "normal" why can't citizens respond in kind. "Oops, I lost my tax deduction receipts. Trust me for it" "Oops, Officer, I lost my drivers license." Shouldn't we hold the government to the same standard the government holds us too." It's taken 4 years to get my security investigation off someone's desk. And this is not an initial background check. I am a 26 year career civil servant with prior clearance. My government wouldn't accept poor slip-shod work from me. Why should I accept poor administrative and chain of custody accidents from them? Cynthia Hilsinger Posted May 10, 2007 3:57 PM
• Lost now is being used as a euphemism for "stolen." Less public outrage is generated and some compassion is associated with a mistake or lost. Anyone who has ever worked for the Federal government knows "nothing is ever lost!" There are always several millions copies around, you just have to be diligent in seeking the existing records. As for the lost TSA data, lost should not be the focus, but who has stolen the records and how much money they have received. I'm sure the affected employees are now receiving unsolicited offers in bulk daily. The fox is guarding the henhouse and the chicken continue to be lost...missing...eaten! C.L.B Posted May 10, 2007 10:18 AM