Report: Agency loss of personal information widespread

By Daniel Pulliam

October 13, 2006

The loss of personal data is a common occurrence across government, largely because of poor physical security and portable computers and disks that go missing, according to a new report from the House Government Reform Committee.

In many cases, agencies did not know precisely what information has been lost or how many people could be affected by a particular data breach, the report said. Many of the reported breaches were the responsibility of government contractors.

Only a small number described to the committee were caused by online hackers, according to the report.

The review came in response to the May 2006 Veterans Affairs Department data breach, in which a computer containing the personal information of about 26.5 million veterans and active duty military members was stolen from the home of an agency employee. It later was recovered.

More than a dozen other agencies have since revealed security breaches. On July 10, the Government Reform Committee asked agencies to provide details about each incident since 2003 involving the loss or compromise of any sensitive personal information they or their contractors held.

The report details nearly 50 incidents since Jan. 1, 2003, each with a brief summary, including the date, the circumstances of the breach, the information that was lost or compromised and the number of people affected. In total, agencies reported more than 700 incidents.

Agencies described a wide range of situations, including data loss or theft, privacy breaches and security incidents. Their responses to data losses also varied -- some notified all potentially affected individuals and others failed to make any notification.

Under legislation proposed by House Government Reform Committee Chairman Tom Davis, R-Va., agencies would be required to notify the public if sensitive personal information was compromised.

The language passed the House as part of a measure that would substantially alter the 2002 Federal Information Security Management Act and the Veterans Affairs Department's technology management structure. The measure is awaiting Senate action that would have to come in a November lame duck session after the elections.

In a separate development, Davis is asking agencies to submit summaries of how their Internet policies are enforced. The request came in response to a September report from the Interior Department's inspector general on the personal use of the Internet by agency employees. The IG found the agency's controls were ineffective and employees were accessing sexually explicit, gambling and auction Web sites.

By Daniel Pulliam

October 13, 2006