TSA breach prompts call for new data protection measure

The head of the House panel that oversees the Transportation Security Administration -- the most recent agency to experience a significant data breach -- said Friday that legislation is needed to protect personal information held by the government.

Rep. Sheila Jackson Lee, D-Texas, chairwoman of the House Homeland Security Subcommittee on Transportation Security and Infrastructure Protection, said the legislation would focus on procedures for protecting sensitive data and penalties for those who do not follow them.

"We want our enemies to know, because there has been a lot of discussion about breaches of security, that we are vigilant and diligent and that this is not an issue that will be covered up," Jackson Lee said. "This will be an issue that is thoroughly investigated and this is not an indication that we are vulnerable to our enemies."

Jackson Lee made her intentions known after a 45-minute closed door meeting with TSA Administrator Kip Hawley on the investigation of the loss of an external hard drive containing the personal and financial information of 100,000 current and former agency workers. TSA employs about 50,000 people.

"We've had a very serious confidential briefing with Administrator Hawley, face-to-face, eyeballing, to raise the level of ire and I would say raise the level of rage," Jackson Lee said. "There is no doubt that the level of rage of this committee really focuses on the importance of our employees."

Hawley said he was pleased to have a good, open relationship with the committee: "We've moved fast and we've been transparent and with the utmost concern for the employees so that they can continue to focus on the work that they have to do."

Jackson Lee said she would work with the members of other committees that have jurisdiction over federal information security, including Rep. Tom Davis, R-Va., who introduced legislation on May 3 that would require the government to better protect the sensitive information it collects from citizens and inform them if data is lost or stolen.

"We are going to be thoughtful, steady," Jackson Lee said. "We are going to try to assess whether the legislation should be amended or whether there should be direct legislation that focuses specifically on issues under Homeland Security."

Davis' Federal Agency Data Breach Protection Act (H.R. 2124) would require the executive branch to establish practices and standards for notifying citizens of lost information. In addition, the bill would empower agency chief information officers to ensure employees comply with information security laws already in place.

A spokesman for Davis said he would like to speak with Jackson Lee about how her legislation would differ from his proposal.

TSA officials said Friday they have yet to determine whether the lost hard drive had any security protections such as encryptions or passwords. They confirmed that the data was contained on a PDF file of scanned microfiche. The Secret Service is conducting the investigation along with TSA officials, and the FBI is being kept apprised of the situation.

TSA learned on May 3 that the external drive holding the sensitive data was missing from a controlled area at the headquarters' human capital office. The breach affects all TSA employees hired between January 2002 and August 2005; the missing data includes names, Social Security numbers, dates of birth, payroll information, financial allotments, and bank account and routing numbers.

Jackson Lee said public hearings on the matter are likely and that Hawley has been forthright, direct and honest in keeping her committee informed.

On Thursday, Jackson Lee and Reps. Bennie Thompson, D-Miss., chairman of the House Homeland Security Committee and Ed Markey, D-Mass., sent Homeland Security Secretary Michael Chertoff a letter asking for more information on the missing computer equipment.

"This terrible incident at TSA does not give any peace of mind to its thousands of employees nor the American public it serves on a daily basis," Thompson said. "If TSA cannot keep track of equipment with sensitive data, it is difficult to understand how the American public can expect TSA to protect and secure our nation's transit, aviation, and rail systems."