Commerce reports loss of more than 1,100 laptops over 5 years

An agencywide review at the Commerce Department turned up more than a thousand missing or stolen laptops over the last five years, with hundreds containing the personal information of American citizens.

In response to a congressional request and public inquiries, Commerce found that of 30,000-plus laptops inventoried across the department's 15 organizations since 2001, 1,137 had been lost or stolen. Of these, 249 contained personally identifiable information, with varying levels of security ranging from simple passwords to full encryption.

A separate Commerce report stated that since 2003, 297 electronic devices containing sensitive personal information have gone missing. This includes 217 laptops, 15 handheld devices and 46 thumb drives.

Commerce Secretary Carlos Gutierrez said even though the number of missing computers is high, the chance of data misuse is low.

"While we know of no instances of personal information being improperly used, we regret each instance of lost material and believe the volume of lost equipment is unacceptable," Gutierrez said. "This review process has clearly pointed out the flaws in the department's inventory and accountability efforts going back many years."

The Commerce announcement came partly in response to a request from House Government Reform Committee Chairman Tom Davis, R-Va., that agencies report all data breaches. The committee has received responses from all agencies except the Defense, Health and Human Services and Treasury departments. The Homeland Security and State departments have responded only partially.

David Marin, the committee's staff director, said the panel is still reviewing other agencies' responses.

"Perhaps the most shocking thing here is that the public might not have ever known of these breaches and their scope if we hadn't specifically asked for the information," Davis said in a statement. "Why aren't these inventories taken automatically, instinctively?"

Davis has proposed legislation (H.R. 5838) that would require the Office of Management and Budget to establish policies for agencies to follow in the event of a data breach.

Citing reports of lost, stolen or mishandled personal information that have come out of more than a dozen federal agencies in the last six months, Senate Minority Leader Harry Reid, D-Nev., blasted the Bush administration for disregarding the protection of personal information. "They talk tough about identity theft, but then show a complete disregard for the security and personal information of the American people," he said.

Of the agencies within Commerce, the Census Bureau had a disproportionate share of missing equipment and data due to the high amount of field work performed by temporary hourly-paid employees. It reported 672 missing laptops over the last five years, of which 246 contained some degree of personal data.

Full encryption was in place on 107 of the laptops, while 139 were either partially encrypted or lacked any encryption. Nearly half of all unaccounted-for laptops were stolen from employees' vehicles and the other half were not returned when employees left the agency. All 46 missing thumb drives, small devices that can contain significant amounts of data, were encrypted.

Of about 2,400 handheld devices used to record survey data for the Census Bureau, 15 were lost or stolen with sensitive personal information, but each device was encrypted.

The bureau also reported 16 instances of nonelectronic breaches of personal information, including the loss of employee time and attendance records during an office move, and of retirement information packages sent to the National Finance Center during Hurricane Katrina.

The National Oceanic and Atmospheric Administration reported 325 missing laptops, of which three contained personal data. This included a laptop with the personal information, such as Social Security numbers, of 146 employees and contractors.

The other missing laptops -- spread across all Commerce agencies except the Economics and Statistics Administration, the Minority Business Development Agency, the National Technical Information Service and the National Telecommunications and Information Administration -- did not have personally identifiable information.

Gutierrez said the department is working to encrypt all laptops and will require two factors of authentication for remote electronic devices, as required in a June 23 OMB memorandum.

COMMENTS

  • Again, how about we keep the data inside the walls of the respective organizations by making remote employees access this information via a VPN and Terminal server and never allowing the actual data to reside on a vulnerable laptop, or home PC for that matter. This does make it so remote employees have to maintain a connection to do their work, but broadband has never been cheaper and how much money have we all spent on senseless data loss and theft?
  • This should be great news for the VA employee (who got canned) and his attorney. With this information they should be assured to win their case. Wonder how many people were fired at the Commerce Department? Let's see -- we've got employees who supposedly lost the laptops and the managers who did nothing but cover the lost information up. Hmmmm?
  • The numbers in this story just blow my mind. 30,000 laptops at Commerce would mean we have invested at least $35,000,000 in toys for the Commerce personnel. Also, they have lost or cannot account for about $1,600,000 in laptops over the last five years. Someone at Commerce should be paying the price for this totally incompetent management but it will never happen. I guess we just write off the $1,600,000 as perks for Commerce personnel and go on. This is a good example of why we should reduce the Commerce Department substantially -- especially the sections that write reports on various industries and provide no value added for a government. We should see the same information for Energy, Education and other government operations that serve no useful purpose other than to allow incumbents to buy votes for re-election.