Privacy officials discuss government data breaches
Hugo Teufel, chief privacy officer at the Homeland Security Department, said whenever humans are involved, accidents can happen. TSA, which is part of Homeland Security, is investigating why a missing computer drive containing payroll data was not protected with encryption.
Teufel said TSA has moved quickly to implement better security. "How TSA management handles that should be a model for action," he said.
"We could have the greatest plans in place, but unless our employees, staff and contractors know about them, we are still at risk," said Marc Groman, chief privacy officer at the FTC.
Groman shared slides of an internal FTC advertising campaign likening personal data to an egg and showing what steps an employee must take if that egg gets broken. Later he said the agency had all its 1,200 employees sign pledges to protect personal data and inform a supervisor if any personal data is lost or stolen.
Teufel said he issued an internal memorandum Tuesday on how Homeland Security needs to respond to a White House Office of Management and Budget directive issued this week that asks agencies to inventory by Sept. 22 the personal data they are storing.
"When you look at policy and guidance, it looks oh so simple until you look at your mission and how your network is put together," said Mischel Kwon, chief security technologist at the Justice Department.
Kwon said earlier federal directives to decrease the use of Social Security numbers linked to other personal data will be a challenge, as will a requirement that agencies notify the U.S. Computer Emergency Readiness Team within one hour of a data breach.
"The one-hour notification definitely needs to be revisited," Kwon said. She said with more than two dozen departments and a chain of command to forward information to, that can be "a hard tap dance to do in one hour." She also said having some amount of time to evaluate and investigate a potential breach to determine whether it is meaningful might be more useful than lots of notifications about potential breaches.
Federal privacy and security officers also said the challenge of protecting data is changing as the workforce becomes more mobile with laptop computers and BlackBerry handheld devices. They said restricting telework and what data can be removed do not entirely solve the problem because many employees still need to travel.
Kwon said evolving technology changes how agencies need to address OMB directives.
She also noted that one solution often proposed does not solve all problems. "Full disc encryption [of data] only works when your computer is off," Kwon said. "That's important to understand. Encryption could become your highest vulnerability."