The U.S. Department of Veterans Affairs (VA) suffered months of bad headlines after computer equipment with sensitive data was stolen from the home of an agency employee last May, exposing
The House Committee on Government Reform gave the government a D-plus in its report (.pdf) after reviewing a long list of incidents in the various federal agencies.
In response to the report, the Cybersecurity Industry Alliance renewed its call for a federal data security law that forces government agencies to notify citizens when there's a data breach and gives government security officers greater authority to institute stronger controls.
"You have CIOs and CISOs in government, but they don't necessarily have the authority to get things done," said Paul Kurtz, executive director of the Cybersecurity Industry Alliance. "There needs to be a law that gives them greater ability to make something stick."
The conclusions summarized
Since the VA data breach, the report said, several other agencies have acknowledged security incidents, including the Social Security Administration, the Internal Revenue Service and the Department of Health and Human Services. Agency responses to these data breaches varied considerably, the report said. For example, some departments notified potentially affected individuals after a breach, while others didn't.
"Despite the volume of sensitive information held by agencies, there is no requirement that the public be notified if their sensitive personal information is compromised," the report said.
Overall, the committee found:
Data loss is a government-wide problem. All 19 departments and agencies reported at least "one loss of personally identifiable information since January 2003."
Agencies do not always know what has been lost. In many cases, agencies don't know what information has been lost or how many individuals could be impacted, and agencies don't appear to be tracking all possible losses. For example, the Department of Justice reported that prior to the VA data breach, "the Department did not track the content of lost, stolen, or otherwise compromised devices."
Physical security of data is essential. Only a small number of the data breaches reported to the committee were caused by hackers breaking into computer systems online. The vast majority of data losses stemmed from physical thefts of portable computers, drives and disks, or unauthorized use of data by employees.
Contractors are responsible for many of the reported breaches. Federal agencies rely heavily on private-sector contractors for IT management services. Thus, many of the reported data breaches were the responsibility of contractors.
A tale of two agencies
The report offers a detailed look at individual agencies and the security breaches they reported to the committee. For example:
The Department of Agriculture confirmed eight security incidents since Jan. 1, 2003. On Feb. 24, 2005, for example, a system containing research data was compromised by someone cracking a password or a user account and installing hacking software.
The Department of Commerce confirmed 297 incidents since Jan. 1, 2003. In one example, 217 laptops housing sensitive personal information were lost, stolen or misplaced. The vast majority of these, 214, were Census computers. Another 46 incidents involved the loss of Census thumb drives containing sensitive personal information.
In another incident, the agency learned that a former employee had copied sensitive letters and a database of employee information. The documents contained medical information on 51 employees, including names, home addresses, descriptions of issues, and employees' medical diagnoses and prognoses. The database included information about 883 cases involving current and former employees.
Federal legislation a must
The report said provisions in the Veterans Identity and Credit Security Act of 2006 would give government CIOs greater authority to bolster security and force agencies to notify citizens when a data breach occurs. U.S. Rep. Tom Davis, a Republican who represents Virginia's 11th Congressional district and is chairman of the committee, authored the legislation. The House has passed it, but no action has been taken on the Senate side.
Kurtz said Davis' bill would force agencies to get serious about data security, but that any law must apply to both the public and private sectors.
"The bill is a big step in the right direction and would force greater accountability in government agencies," he said. "But having it only affect government agencies would be a half measure. Citizens need to know that their data is safe whether it's in the hands of the government or a retailer."