TSA breach prompts call for new data protection measure
The head of the House panel that oversees the Transportation Security Administration -- the most recent agency to experience a significant data breach -- said Friday that legislation is needed to protect personal information held by the government.
Rep. Sheila Jackson Lee, D-Texas, chairwoman of the House Homeland Security Subcommittee on Transportation Security and Infrastructure Protection, said the legislation would focus on procedures for protecting sensitive data and penalties for those who do not follow them.
"We want our enemies to know, because there has been a lot of discussion about breaches of security, that we are vigilant and diligent and that this is not an issue that will be covered up," Jackson Lee said. "This will be an issue that is thoroughly investigated and this is not an indication that we are vulnerable to our enemies."
Jackson Lee made her intentions known after a 45-minute closed-door meeting with TSA Administrator Kip Hawley on the investigation of the loss of an external hard drive containing the personal and financial information of 100,000 current and former agency workers. TSA employs about 50,000 people.
"We've had a very serious confidential briefing with Administrator Hawley, face-to-face, eyeballing, to raise the level of ire and I would say raise the level of rage," Jackson Lee said. "There is no doubt that the level of rage of this committee really focuses on the importance of our employees."
Hawley said he was pleased to have a good, open relationship with the committee: "We've moved fast and we've been transparent and with the utmost concern for the employees so that they can continue to focus on the work that they have to do."
Jackson Lee said she would work with the members of other committees that have jurisdiction over federal information security, including Rep. Tom Davis, R-Va., who introduced legislation on May 3 that would require the government to better protect the sensitive information it collects from citizens and inform them if data is lost or stolen.
"We are going to be thoughtful, steady," Jackson Lee said. "We are going to try to assess whether the legislation should be amended or whether there should be direct legislation that focuses specifically on issues under Homeland Security."
Davis' Federal Agency Data Breach Protection Act (H.R. 2124) would require the executive branch to establish practices and standards for notifying citizens of lost information. In addition, the bill would empower agency chief information officers to ensure employees comply with information security laws already in place.
A spokesman for Davis said he would like to speak with Jackson Lee about how her legislation would differ from his proposal.
TSA officials said Friday they have yet to determine whether the lost hard drive had any security protections such as encryption or passwords. They confirmed that the data was contained in a PDF file of scanned microfiche. The Secret Service is conducting the investigation along with TSA officials, and the FBI is being kept apprised of the situation.
TSA learned on May 3 that the external drive holding the sensitive data was missing from a controlled area at the headquarters' human capital office. The breach affects all TSA employees hired between January 2002 and August 2005; the missing data includes names, Social Security numbers, dates of birth, payroll information, financial allotments, and bank account and routing numbers.
Jackson Lee said public hearings on the matter are likely and that Hawley has been forthright, direct and honest in keeping her committee informed.
On Thursday, Jackson Lee and Reps. Bennie Thompson, D-Miss., chairman of the House Homeland Security Committee, and Ed Markey, D-Mass., sent Homeland Security Secretary Michael Chertoff a letter asking for more information on the missing computer equipment.
"This terrible incident at TSA does not give any peace of mind to its thousands of employees nor the American public it serves on a daily basis," Thompson said. "If TSA cannot keep track of equipment with sensitive data, it is difficult to understand how the American public can expect TSA to protect and secure our nation's transit, aviation, and rail systems."
COMMENTS
- This is a problem that cannot be resolved with more legislation or more sophisticated technology. The weak link here is the personnel that are responsible for safeguarding the data they are managing. Federal employees from the top down are refusing to comply with already existing IT security laws and policies. The first step in addressing this ever-increasing problem is enforcing the already existing laws and policies. I was recently fired from a Department of Interior IT position because I questioned the agency’s top-level management’s lack of compliance with its own IT Password Policy. The first line of defense against IT security breaches is accountability of those that are entrusted to protect the data they are managing. I bet federal employees would be more apt to comply with IT security policies if they really believed that last paragraph (in all federal IT Password Policy memorandums) that states that if an employee violates the policy they can face termination. SC Posted May 18, 2007 9:06 AM
- Well, here we go again. The government, rather than enforcing the existing regulations, will inevitably decide to create some new and bizarre series of rules. The rules, probably something stupid like locking out USB ports, or blocking all access to the internet, won't address the real problem. What it will do is make work much more difficult, take valuable tools away from the people in the field, and basically make management look like it's doing SOMETHING. Here's a thought: why don't they try something novel, like actually MANAGING the problem? John Locke Posted May 14, 2007 11:10 PM









