GAO Finds Data Protection Lagging

By Christopher Lee
Washington Post Staff Writer
Tuesday, February 26, 2008

Despite a steady stream of embarrassing computer security breaches, many major federal agencies still are doing too little to safeguard the sensitive personal information in their possession, according to congressional investigators.

Only two of 24 agencies studied by the Government Accountability Office in a report released last week had implemented all five security measures recommended by the Office of Management and Budget to protect personal information.

The top performers included the Treasury Department and the Department of Transportation. The worst were the Small Business Administration and the National Science Foundation, neither of which had adopted any of the measures, according to Sen. Norm Coleman (R-Minn.), one of two senators who requested the study. But officials at both agencies said yesterday that they had completed most or all of the recommended measures since GAO investigators last visited them in October.

"Since that report, we've followed OMB directives, and we are now up to speed," said Christine Mangi, an SBA spokeswoman.

Coleman and Sen. Susan Collins (R-Maine) asked the GAO to look into how agencies were handling security in 2006 after the disclosure that a Department of Veterans Affairs external hard drive containing Social Security numbers and other personal information on millions of veterans had been stolen from the home of a VA employee. The drive eventually was recovered by police.

"The findings released in this report are very troubling -- indicating that agency after agency has failed to make securing citizens' personal information a high priority," Coleman said in a statement. "We need to know when the agencies are going to have the protections in place to stop the numerous data breaches we have seen over the past few years."

The loss or theft of personal data can inconvenience or embarrass the people whose information is compromised, but the biggest concern is the potential for identity theft and other fraud. In 2006, identity theft of all varieties -- not merely cases associated with federal data breaches -- accounted for $49.3 billion in losses to people and organizations nationwide, according to the GAO report.

At least 19 federal agencies have experienced at least one data breach that could expose employees or members of the public to identity theft, according to the GAO. In March 2006, for instance, a portable data storage device with personal information on more than 207,000 Marines was lost. In July of that year, a laptop was stolen from the car of an employee of the DOT inspector general's office, putting the personal information of 133,000 Florida pilots and other residents at risk.

Agencies are supposed to take steps such as encrypting all data on laptop computers and mobile devices; limiting remote access to authorized users with two methods of authenticating their identity; and documenting when sensitive information is downloaded and by whom.

Most of the 24 agencies examined by the GAO had adopted two or three of the security measures, but few had implemented them all.

George Strawn, chief information officer for the National Science Foundation, said that, contrary to the GAO report, his agency has implemented all or part of all five measures.

"We have been working on this diligently for two or three years and are in pretty good shape," he said. "There will always be more to do and the crooks will always try to get ahead of you, but we have been paying a lot of attention to it and we don't intend to lower our vigilance."

© 2008 The Washington Post Company