September 22, 2006
An agencywide review at the Commerce Department turned up more than a thousand missing or stolen laptops over the last five years, with hundreds containing the personal information of American citizens.
In response to a congressional request and public inquiries, Commerce found that of 30,000-plus laptops inventoried across the department's 15 organizations since 2001, 1,137 had been lost or stolen. Of these, 249 contained personally identifiable information, with varying levels of security ranging from simple passwords to full encryption.
A separate Commerce report stated that since 2003, 297 electronic devices containing sensitive personal information have gone missing. This includes 217 laptops, 15 handheld devices and 46 thumb drives.
Commerce Secretary Carlos Gutierrez said even though the number of missing computers is high, the chance of data misuse is low.
"While we know of no instances of personal information being improperly used, we regret each instance of lost material and believe the volume of lost equipment is unacceptable," Gutierrez said. "This review process has clearly pointed out the flaws in the department's inventory and accountability efforts going back many years."
The Commerce announcement came partly in response to a request from House Government Reform Committee Chairman Tom Davis, R-Va., that agencies report all data breaches. The committee has received responses from all agencies except the Defense, Health and Human Services and Treasury departments. The Homeland Security and State departments have responded only partially.
David Marin, the committee's staff director, said the panel is still reviewing other agencies' responses.
"Perhaps the most shocking thing here is that the public might not have ever known of these breaches and their scope if we hadn't specifically asked for the information," Davis said in a statement. "Why aren't these inventories taken automatically, instinctively?"
Davis has proposed legislation (H.R. 5838) that would require the Office of Management and Budget to establish policies for agencies to follow in the event of a data breach.
Citing reports of lost, stolen or mishandled personal information that have come out of more than a dozen federal agencies in the last six months, Senate Minority Leader Harry Reid, D-Nev., blasted the Bush administration for disregarding the protection of personal information. "They talk tough about identity theft, but then show a complete disregard for the security and personal information of the American people," he said.
Of the agencies within Commerce, the Census Bureau had a disproportionate share of missing equipment and data due to the high amount of field work performed by temporary hourly-paid employees. It reported 672 missing laptops over the last five years, of which 246 contained some degree of personal data.
Full encryption was in place on 107 of the laptops, while 139 were either partially encrypted or lacked any encryption. Nearly half of all unaccounted-for laptops were stolen from employees' vehicles, and the other half were not returned when employees left the agency. All 46 missing thumb drives, small devices that can hold significant amounts of data, were encrypted.
Of about 2,400 handheld devices used to record survey data for the Census Bureau, 15 were lost or stolen with sensitive personal information, but each device was encrypted.
The bureau also reported 16 instances of nonelectronic breaches of personal information, including the loss of employee time and attendance records during an office move, and of retirement information packages sent to the National Finance Center during Hurricane Katrina.
The National Oceanic and Atmospheric Administration reported 325 missing laptops, of which three contained personal data. This included a laptop with the personal information, such as Social Security numbers, of 146 employees and contractors.
The other missing laptops -- spread across all Commerce agencies except the Economics and Statistics Administration, the Minority Business Development Agency, the National Technical Information Service and the National Telecommunications and Information Administration -- did not have personally identifiable information.
Gutierrez said the department is working to encrypt all laptops and will require two factors of authentication for remote electronic devices, as required in a June 23 OMB memorandum.