News
Government Reform Committee Releases Report on Agency Data Breaches
October 13, 2006
The federal government compiles and holds sensitive personal information on every citizen, including health records, tax returns, and military records.
In May 2006, the Department of Veterans Affairs announced that computer equipment containing the personal information of approximately 26.5 million veterans and active duty members of the military was stolen from the home of a VA employee. Since that time, several other agencies including the Social Security Administration, the IRS, and the Department of Health and Human Services have revealed security breaches that affected thousands more individuals.
Given the VA incident, and in order to develop a full picture of the risks posed by data breaches at federal agencies, the Government Reform Committee asked agencies to provide details about incidents involving the loss or compromise of any sensitive personal information held by an agency or a contractor since January 1, 2003. The Committee issued the request, dated July 10, 2006, to all cabinet agencies, as well as the Office of Personnel Management and the Social Security Administration.
Specifically, the Committee requested a brief summary of each incident, including the date, circumstances of the breach, information that was lost or compromised, and the number of individuals affected. In addition, the Committee requested, for each instance, documentation regarding the Department's remedial efforts, including any notification made to the individuals whose information was compromised. The Committee requested a response by July 24, 2006.
The agency responses show a wide range of incidents involving data loss or theft, privacy breaches, and security incidents. Agency responses to data losses vary as well: some agencies notified all potentially affected individuals, while others performed no notification at all. Despite the volume of sensitive information held by agencies, there is no requirement that the public be notified when their sensitive personal information is compromised. Legislation authored by Committee Chairman Tom Davis and included in the House-passed Veterans Identity and Credit Security Act of 2006 would change that.
Agency reports to the Committee varied in the level of detail provided about data losses. This report, which provides highlights from the agency responses, therefore cannot be seen as a comprehensive review of data loss by federal agencies. Despite this limitation, some conclusions can be drawn:
1. Data loss is a government-wide occurrence.
All 19 Departments and agencies reported at least one loss of personally identifiable information since January 2003. This is not a problem that is restricted to the Department of Veterans Affairs or any other single agency.
2. Agencies do not always know what has been lost.
The letters received by the Committee demonstrate that, in many cases, agencies do not know what information has been lost or how many individuals could be affected by a particular data loss. Similarly, agencies do not appear to be tracking all possible losses of personal information, making it likely that their reports to the Committee are incomplete. For example, the Department of Justice reports that, prior to the May 2006 Department of Veterans Affairs data breach, "the Department did not track the content of lost, stolen, or otherwise compromised devices."
3. Physical security of data is essential.
Only a small number of the data breaches reported to the Committee were caused by remote intrusion into computer systems. The vast majority of data losses arose from physical theft of portable computers, drives, and disks, or from unauthorized use of data by employees.
4. Contractors are responsible for many of the reported breaches.
Federal agencies rely heavily on private sector contractors for information technology management services, and many of the reported data breaches occurred on systems or media in contractors' custody and were the contractors' responsibility.
ON A SEPARATE BUT RELATED NOTE:
In September, the Office of Inspector General (IG) at the Department of the Interior released a report on the personal use of the Internet by agency employees. The purpose of the IG report was to determine whether the Department had effective controls to ensure compliance with the agency's Internet policies and guidelines. The IG found the Department's controls to be ineffective. Alarmingly, agency computer users were accessing sexually explicit, gambling, gaming, and auction websites at a high rate.
Misuse of Internet resources presents a number of serious problems, including interfering with employee productivity and making agency technology resources more susceptible to security breaches and data loss. At Interior, over the course of one week, the IG found more than 1 million log entries in which 7,763 Department computer users spent over 2,400 hours accessing game and auction sites.
In order to develop a better understanding of the risks posed by inappropriate internet usage by federal government employees, earlier today, October 13, 2006, the Committee sent a letter to each Cabinet agency requesting the following: 1) a brief summary of how the agency's Internet policies are enforced, 2) the steps, if any, the agency planned to take to improve these policies and compliance programs, 3) whether the agency or Inspector General has conducted any internal reviews of employee internet usage, and if so, a summary of the findings, and 4) a summary of the technology the agency uses to monitor or prevent access to inappropriate websites.
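The Interior figures above (log entries, users, hours per site category) are the kind of totals a review of web-proxy logs produces, and the Committee's fourth question asks what monitoring technology agencies use to obtain them. As an added example, and not the Committee's or the Interior IG's own tooling, the script below aggregates per-user time on policy-categorised sites from proxy logs. It reads the Squid "native" access-log layout (a real format); the log lines, the category map and the ten-minute session-gap rule are constructed for illustration, and the `.test` and `.example` host names are reserved placeholders.

```python
"""Aggregate per-user time on categorised web sites from proxy logs.

Added example, not code from the Committee report or the Interior IG.
The sample log, the category map and the session-gap rule are constructed.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed category map: registrable domain -> policy category.
CATEGORIES = {
    "example-games.test": "gaming",
    "example-auction.test": "auction",
    "example-casino.test": "gambling",
    "example-intranet.test": "work",
}

# Constructed lines in Squid native access-log format:
# <unix_time> <elapsed_ms> <client_ip> <result/status> <bytes> <method> <url> <user> <hierarchy> <type>
SAMPLE_LOG = """\
1159401600.000 120 10.1.1.5 TCP_MISS/200 5120 GET http://example-games.test/play jdoe DIRECT/203.0.113.7 text/html
1159401660.000 80 10.1.1.5 TCP_MISS/200 2048 GET http://example-games.test/level2 jdoe DIRECT/203.0.113.7 text/html
1159401720.000 90 10.1.1.5 TCP_MISS/200 1024 GET http://example-intranet.test/timesheet jdoe DIRECT/10.0.0.2 text/html
1159405200.000 60 10.1.1.5 TCP_MISS/200 4096 GET http://example-games.test/play jdoe DIRECT/203.0.113.7 text/html
1159401600.000 100 10.1.1.9 TCP_MISS/200 8192 GET http://example-auction.test/item/1 asmith DIRECT/203.0.113.8 text/html
1159401900.000 100 10.1.1.9 TCP_MISS/200 8192 GET http://example-auction.test/item/2 asmith DIRECT/203.0.113.8 text/html
1159402200.000 100 10.1.1.9 TCP_MISS/200 8192 GET http://example-auction.test/bid asmith DIRECT/203.0.113.8 text/html
1159402500.000 100 10.1.1.9 TCP_MISS/200 8192 GET http://unknown.example/ asmith DIRECT/203.0.113.9 text/html
malformed line that should be skipped
"""


def parse_line(line):
    """Return (timestamp, user, host) for one Squid-native line, or None if
    the line is malformed or cannot be attributed to an authenticated user."""
    fields = line.split()
    if len(fields) < 8:
        return None
    try:
        ts = float(fields[0])
    except ValueError:
        return None
    user = fields[7]
    if user == "-":          # unauthenticated request: no user to charge it to
        return None
    host = urlsplit(fields[6]).hostname
    if not host:
        return None
    return ts, user, host.lower()


def categorize(host, categories=CATEGORIES):
    """Map a host to a policy category. Sub-domains (including 'www.') fall
    back to their parent domain so they inherit the registered site's category."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in categories:
            return categories[candidate]
    return "uncategorized"


def session_seconds(timestamps, gap=600):
    """Credit the interval between consecutive requests in the same category
    when it is at most `gap` seconds (assumed 10-minute session rule); longer
    pauses start a new session and are not counted. A lone request counts 0."""
    ordered = sorted(timestamps)
    return sum(b - a for a, b in zip(ordered, ordered[1:]) if b - a <= gap)


def summarize(log_text, categories=CATEGORIES, gap=600):
    """Return parsed/skipped line counts and, per category, the number of
    distinct users and the total hours credited by the session rule."""
    per_user_cat = defaultdict(list)
    parsed = skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1        # keep a count: unparseable lines are a finding too
            continue
        parsed += 1
        ts, user, host = rec
        per_user_cat[(user, categorize(host, categories))].append(ts)
    by_category = {}
    for (user, cat), stamps in per_user_cat.items():
        entry = by_category.setdefault(cat, {"users": set(), "seconds": 0.0})
        entry["users"].add(user)
        entry["seconds"] += session_seconds(stamps, gap)
    return {
        "parsed": parsed,
        "skipped": skipped,
        "by_category": {
            cat: {"users": len(e["users"]), "hours": round(e["seconds"] / 3600, 4)}
            for cat, e in by_category.items()
        },
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"parsed={report['parsed']} skipped={report['skipped']}")
    for cat, e in sorted(report["by_category"].items(), key=lambda kv: -kv[1]["hours"]):
        print(f"{cat:14s} users={e['users']:5d} hours={e['hours']:.4f}")
```

Two choices matter when reading figures like Interior's: the session-gap rule (a proxy log records requests, not time on site, so "hours" is always an inference) and the handling of uncategorised and malformed entries, which should be reported rather than silently dropped, since they bound how complete the review is.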