Complain about a product or service

Report: Feds Still Not Doing Enough To Secure Data

Agencies have mixed record of security improvements

By Martin H. Bosworth
ConsumerAffairs.com

February 28, 2008

The GAO was commissioned to investigate 24 federal agencies to determine if they had implemented data security recommendations from the Office of Management and Budget (OMB), including encrypting data on mobile devices such as laptop computers, developing policies for notifying individuals affected by data breaches, using multiple means to authenticate an individual's right to access information, and fulfilling directives on a "checklist" developed by the National Institute for Standards and Technology (NIST) for dealing with theft or loss of equipment containing sensitive data.

Of the 24 agencies, only two -- the Treasury Department and the Department of Transportation -- met all of OMB's requirements for protecting data. 22 of the agencies had enacted policies for encrypting information on mobile devices, but only four had implemented use of the NIST data security checklist.

The Associated Press reported that two agencies -- the Small Business Administration and the National Science Foundation -- had not met any of the requirements. The VA met four of the five recommendations made by OMB, but did not implement usage of the checklist.

The report was commissioned in part by Sen. Norm Coleman (R-MN) after the VA data breach. Coleman and Sen. Susan Collins (R-ME), both members of the Committee on Homeland Security and Governmental Affairs, wrote letters to all 24 agencies asking for timelines as to when they would implement all of OMB's recommendations for data security.

'Very troubling'

"The findings released in this report are very troubling – indicating that agency after agency has failed to make securing citizens' personal information a high priority," said Coleman.

"The clock is ticking and we need to know when the agencies are going to have the protections in place to stop the numerous data breaches we have seen over the past few years. The bottom line is the federal government has a responsibility to ensure the personal information it collects from its citizens is properly secured and protected."

"The federal government collects and stores large amounts of personal information that is a tempting target for identity thieves," said Collins. "Agencies cannot act quickly enough to implement policies to help protect and secure this sensitive data."

The VA data breach was not the first time a government agency had lost sensitive personal data, but the size and scope of the breach made it a touchpoint for demands that the government do more to secure citizens' personal data against theft or loss.

The VA laptop theft was covered up for several weeks before details were made public, and the agency had covered up two smaller breaches in the year preceding the theft. The laptop itself was recovered several months later, and authorities claimed the data had not been compromised or misused.

In February 2007, the VA notified 1.8 million veterans and military doctors that a hard drive containing their personal and billing information had gone missing from an Alabama hospital a month earlier. To date, the drive has not been recovered.

Report Your Experience
If you've had a bad experience -- or a good one -- with a consumer product or service, we'd like to hear about it. All complaints are reviewed by class action attorneys and are considered for publication on our site. Knowledge is power! Help spread the word. File your consumer report now.

Back to the top |