Commerce Dept. Loses 1,137 Laptops
In advance of a House Committee on Government Reform hearing, in which the matter would have come up anyway, the U.S. Commerce Dept. responded to a Committee request by disclosing in a private briefing yesterday that it believes as many as 1,137 laptop computers have been lost from the Dept.'s inventory since 2001.
Commerce Secretary Carlos M. Gutierrez delivered the message personally to three Committee members, presumably including Chairman Tom Davis (R - Virginia), and ranking member Henry Waxman (D - Calif.), who first inquired about how the DOC manages its computer inventory in a letter dated July 10.
In a statement released late yesterday, the DOC credited "broad, government-wide Congressional and public inquiries" for having led to the notification of these systems' loss, rather than a single letter from a prominent Democrat.
It then went on to provide statistics, including the revelation that 672 of the missing laptops had been distributed to the U.S. Census Bureau, representing about 3.4% of all laptops used by the Bureau over a five-year period. Of those lost, 246 "contained some degree of personal data," says the DOC, though typically no more than about 100 households.
That figure suggests the 100 households on a computer at any one time could be the maximum amount that is cached on the system's local hard drive, as it browses entries from the broader government network. As to whether the persons into whose hands the missing systems fall may have access to that network -- and thus to potentially millions of records -- the DOC statement said, "Access passwords, complex database software, systemic safeguards and/or encryption technology significantly limit the potential for misuse of data on the laptops."
"Perhaps the most shocking thing here is that the public might not have ever known of these breaches, and their scope, if we hadn't specifically asked for the information," Rep. Davis said in a statement released by his office this morning. "Why aren't these inventories taken automatically, instinctively?"
Incidentally, the National Oceanic and Atmospheric Administration reported 325 missing laptops over the period, at least one of which had been stolen last July from a NOAA office in Seattle. On it were records of at least 146 federal employees and contractors, all of whom received complementary credit counseling.
Meanwhile, since 2004, the Census Bureau has been experimenting with the use of handheld devices for use in surveying. Of the 2,400 handheld units in use since 2004, the DOC said, 15 of those lost contained personal information on a total of 558 households. The DOC did not say how many other handhelds were lost that did not contain vital data, although it asserts that all its handhelds being tested were fully encrypted.
Full encryption as well as two-factor authentication would be a nice thing for laptops to have going forward, Sec. Gutierrez is recommending. In addition, he is asking for the U.S. Inspector General perform a full investigation of the matter, and that a senior DOC management team be assembled to perform a "team review" of the Census Bureau. That might be convenient, seeing as how a law was passed in 2002 requiring government agencies to make such assessments on an annual basis.
The Federal Information Security Management Act of 2002 (FISMA), championed by Rep. Davis, "requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level," the congressman said this morning.
"FISMA requires agency program officials, Chief Information Officers, and Inspectors General to conduct annual reviews of the agency's information security program and report the results to OMB. And every year, the Government Reform Committee releases its FISMA scorecard, grading each agency, A through F. Commerce went from F in '04 to D+ in '05."
"The reality is, we are incapable of storing, moving and accessing information," Rep. Davis added. "No government does these things well, especially big governments. We spend tens of billions of dollars a year on information technology. You'd think we could share information by now. But we are still an analog government in a digital economy and culture."
BetaNews has contacted Rep. Waxman's office for comment and a statement, which is expected later today. A section of Waxman's Web site has been set aside for information concerning identity theft and personal protection against it.