Lost Laptop Legislation Introduced

by on September 26, 2006 · 16 comments

Quick update… Last week I discussed our government’s ongoing lost laptop follies after the House Committee on Government Reform reported that more than 1,100 laptop computers had vanished from the Department of Commerce since 2001, including nearly 250 from the Census Bureau containing such personal information as names, incomes and Social Security numbers. The Committee is still collecting information about lost computers and compromised personal information from other federal agencies, including the departments of Agriculture, Defense, Education, Energy, Health and Human Services and Transportation and the Federal Trade Commission.

This week, in response to these findings, Rep. Tom Davis (R-VA), the Chairman of the committee, has introduced H.R. 6163, the “Federal Agency Data Breach Protection Act.” The bill would establish “policies, procedures, and standards for agencies to follow in the event of a breach of data security involving the disclosure of sensitive personal information and for which harm to an individual could reasonably be expected to result.” In other words, federal agencies would have to do a better job informing the public when personal data had been lost or compromised. Of course, it might be easier if they just stopped losing so many laptops!

Incidentally, why are government agencies allowing so much sensitive personal information to be kept on laptops, anyway? It doesn’t seem to make much sense to me in light of how easy it is for laptops to be taken out of a government building. Why not follow these two simple rules instead: (1) Keep the really sensitive stuff on desktop computers that are bolted to desks and make sure they don’t have any external inputs for personal storage devices. (2) If a government employee still finds a way to take that information home and then loses it, fire them immediately (and perhaps consider other penalties). After all, we’re talking about personal information about American citizens here. This stuff should not be taken lightly.

  • http://tieguy.org/ Luis Villa

    As I asked the first time you discussed this, Adam, why the focus on government? Private industry has lost plenty of laptops full of sensitive private information of citizens, like credit reports and social security numbers, and puts that kind of data on laptops all the time. [I know of at least one circumstance where an Excel file with customer data of every customer the company had was put on the public, searchable internet - forget a laptop.]

    I agree strongly with you that this is a problem, but I wonder if your anti-government point of view isn’t giving you blinders as to the nature of the problem and solutions. I’d rephrase ‘fire any government employee who loses private data on a laptop’ as ‘imprison anyone who loses private data on a laptop’, perhaps with some tie between length of sentence and number of citizens impacted. Clearly the current fines and prospective tort losses are not sufficient disincentive.

  • http://www.alarm-alarm.com Peter Suderman

    Luis,

    There’s a huge difference between government-stored personal info and the info stored by private organizations. Much of the information the government has on you is given out on either a mandatory basis or something close (to live and work in this country, anyway). Information collected by a business, though, is given up voluntarily. We don’t have a choice not to give out info to a government agency that demands it, meaning that any irresponsibility on their part won’t cost them–there’s no possibility of a market backlash when mandates are involved. That means that the government, if you think it needs to have personal data on file at all, has a unique responsibility to safeguard that information (and, I’d argue, to absolutely minimize the scope of the information it does collect and store).

  • dennis parrott

    while i think luis is right — corporate entities owe everyone privacy and confidentiality for our information the same way our government does — i think the problem is really more of a system architecture issue.

    there are plenty of decent technologies for creating VPNs and doing end-to-end encryption. there are also plenty of ways to serve remote filesystems up to a user over a VPN. why is that sort of data EVER on an end user system period? it belongs on a remote filesystem served up securely over a VPN EVEN IN THE OFFICES!

    if the data never really leaves the nice comfy confines of the data center, losing the laptop, desktop or PDA that can connect to that data should not be that big of a deal unless the user has also compromised the security token along with the computer or PDA.

    instead of specifying stupid penalties and bureaucratic procedures that will make NO SENSE at all, we should get them to wise up and specify some intelligent modernization of their computing architectures so that laptops don’t have that sort of data just lying about on the hard drive.

  • http://tieguy.org/ Luis Villa

    “Information collected by a business, though, is given up voluntarily.”

    Hahahahhaa. I want to live on your planet, where you opted into credit reports, and you can live without regularly giving up your social security number, credit card number, phone number, etc. It sounds pretty nice. Imaginary (or perhaps you are neighbors with the Unabomber) but nice.
