Lost Laptop Follies, Part 4

by on February 12, 2007 · 6 comments

As I noted in previous installments of this series, our government seems to have a problem keeping tabs on its laptop computers, especially the ones with sensitive information on them.

I know private-sector companies lose plenty of laptops too. And sometimes those laptops also contain sensitive information. But there are at least two important qualitative differences between private and public laptop or data losses: (1) While some sensitive data may be lost or compromised when private laptops are lost, almost everything that the government collects and stores on laptops is going to be at least somewhat sensitive, and in some cases very sensitive. And much of the information that the government collects about us is gathered without our consent. (2) When private companies lose laptops or data, someone is usually held accountable. Heads roll and lawsuits fly. Not so with the government, at least not most of the time.

That’s why I make such a big deal about government laptop losses. And that’s what makes this new Department of Justice report so disturbing.


The DOJ’s Office of Inspector General decided to conduct a follow-up audit of the Federal Bureau of Investigation (FBI) after a previous 2002 report revealed that the FBI had lost 317 laptops over a 28-month review period. That report also found that the FBI “did not always report the missing items to the DOJ or enter lost and stolen weapons and laptop computers into the National Crime Information Center (NCIC) database.” Moreover, the agency “did not have policies in place that required reporting lost or stolen laptop computers to its Office of Professional Responsibility (OPR), nor was the FBI investigating the loss of this equipment in a timely manner.” The FBI had also “not established deadlines for reporting losses, was not conducting physical inventories as required, and was not reconciling its property records to its financial records.” Finally, the agency “could not provide documentation to establish whether excessed laptop computers were properly disposed of as required.”

That’s not a pretty picture. Luckily, things have improved somewhat since 2002, but the results are still a bit disturbing. The DOJ’s follow-up audit of the FBI spanned a 44-month period this time around, and the overall number of lost or stolen laptops dropped to 160. Interestingly, however, although the number of lost laptops dropped from an average of 10.7 per month to 2.6, the number of stolen laptops actually increased from 0.6 per month to 1 per month.

Overall, the DOJ was forced to conclude that:

“Our audit found that the FBI has not taken sufficient corrective action on several recommendations outlined in our 2002 audit report to address the issue of missing and stolen equipment. Perhaps most troubling, the FBI could not determine in many cases whether the lost or stolen laptop computers contained sensitive or classified information. Such information may include case information, personal identifying information, or classified information on FBI operations.

Prior to our follow-up audit the FBI did not maintain records indicating which of its laptop computers actually contained sensitive or classified information. Moreover, during this follow-up review, the FBI could not identify for us the contents of many of the lost and stolen laptops, including whether they contained sensitive or classified information.”

But the FBI did reveal that at least 10 of these lost laptops contained sensitive or classified information.

As I mentioned in a previous essay on this subject, things like this should make us think twice before granting the government more authority to collect or retain data about the citizenry.

  • http://tieguy.org/blog/ Luis Villa

    Sigh. I’m going to have to say this every time you bring this up:

    (1) most corporate data collection is not voluntary; people are regularly horrified when they realize how much data corporations have on them. C’mon- the US government goes to credit agencies now to find out about us, not the other way around.

    (2) the reaction of most businesses to this problem has not been head-rolling, but coverups, or firing of the little guys who lost the laptop and not the CTOs who made the bad decisions about data security. It is nice to assert that such things happen more reliably than in government, but it is just an assertion.

  • http://www.blogger.com/profile/14019452 Steve R.

    Forbes Magazine, Sept. 7, 2006, ran an article: “Laptop Hall of Shame”. While this article details, as you note, government laptop faux pas; it also goes into detail concerning the lack of corporate data laptop security. Robert Ellis Smith, of Forbes, wrote: “The monthly newsletter I publish, Privacy Journal, reported 24 serious instances of Social Security numbers and other sensitive data compromised through stolen or lost laptops in 2006. The newsletter called it the “Lost or Stolen Laptops Hall of Shame.” And we still have four months left in 2006. There were at least ten incidents during the final four months of 2005. All these incidents involved companies that handle personal information routinely. (Apparently too routinely!)” (emphasis added) Clearly, the lack of security is not just a government problem, it is a universal problem. In developing a policy responsive to this issue we need to also acknowledge in any proposed policy the failure of corporations to take proactive action.

  • http://dsgazette.blogspot.com False Data

    It’s not a technical problem–many operating systems have had file system encryption for years–it’s a social and legal one. There’s been considerable discussion of a related issue, liability for software bugs, on Bruce Schneier’s blog. I’m not yet convinced a liability rule is the right answer for software bugs because software engineering is still such a young field. On the other hand, I can see a stronger argument in favor of liability for data loss because, at least with lost laptops, effective and fairly inexpensive methods of preventing it already exist. It may make sense to let customers and citizens hold corporations and governments liable for the consequences of negligently losing their sensitive data. Of course, if we did that we should also let the corporations and governments turn around and recover whatever they can from the people who intentionally misuse that data.
