I know private sector companies lose plenty of laptops too. And sometimes those laptops also contain sensitive information. But there are at least two important qualitative differences between private and public laptop or data losses: (1) While some sensitive data may be lost or compromised when private laptops are lost, almost everything that government collects and stores on laptops is going to be at least somewhat sensitive information, and in other cases very sensitive. And much of that information that government collects about us is gathered without our consent. (2) When private companies lose laptops or data, someone is usually held accountable. Heads roll and lawsuits fly. Not so with the government, at least not most of the time.
That’s why I make such a big deal about government laptop losses. And that’s what makes this new Department of Justice report so disturbing.
The DOJ’s Office of Inspector General decided to conduct a follow-up audit of the Federal Bureau of Investigation (FBI) after a previous 2002 report revealed that the FBI had lost 317 laptops over a 28-month review period. That report also found that the FBI “did not always report the missing items to the DOJ or enter lost and stolen weapons and laptop computers into the National Crime Information Center (NCIC) database.” Moreover, the agency “did not have policies in place that required reporting lost or stolen laptop computers to its Office of Professional Responsibility (OPR), nor was the FBI investigating the loss of this equipment in a timely manner.” The FBI had also “not established deadlines for reporting losses, was not conducting physical inventories as required, and was not reconciling its property records to its financial records.” Finally, the agency “could not provide documentation to establish whether excessed laptop computers were properly disposed of as required.”
That’s not a pretty picture. Luckily, things have improved somewhat since 2002, but the results are still a bit disturbing. The DOJ’s follow-up audit of the FBI spanned a 44 month period this time around and the overall number of lost or stolen laptops dropped to 160. Interestingly, however, although the number of lost laptops dropped from an average of 10.7 per month to 2.6, the number of stolen laptops actually increased from 0.6 per month to 1 per month.
Overall, the DOJ was forced to conclude that:
“Our audit found that the FBI has not taken sufficient corrective action on several recommendations outlined in our 2002 audit report to address the issue of missing and stolen equipment. Perhaps most troubling, the FBI could not determine in many cases whether the lost or stolen laptop computers contained sensitive or classified information. Such information may include case information, personal identifying information, or classified information on FBI operations.
Prior to our follow-up audit the FBI did not maintain records indicating which of its laptop computers actually contained sensitive or classified information. Moreover, during this follow-up review, the FBI could not identify for us the contents of many of the lost and stolen laptops, including whether they contained sensitive or classified information.”
But the FBI did reveal that at least 10 of these lost laptops contained sensitive or classified information.
As I mentioned in a previous essay on this subject, things like this should make us think twice before granting the government more authority to collect or retain data about the citizenry.