Lost Laptop Follies

And so the series continues.  The Washington Post reports that the Department of Justice has just released “a scathing report” finding that over a 5-year period the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) “lost dozens of weapons and hundreds of laptops that contained sensitive information.” The DOJ’s Inspector General Glenn A. Fine found that 418 laptop computers and 76 weapons were lost. According to the report:

Yesterday’s report showed that ATF, a much smaller agency than the FBI, had lost proportionately many more firearms and laptops. “It is especially troubling that that ATF’s rate of loss for weapons was nearly double that of the FBI and [Drug Enforcement Administration], and that ATF did not even know whether most of its lost, stolen, or missing laptop computers contained sensitive or classified information,” Fine wrote.  [...]

Many of the missing laptops contained sensitive or classified material, according to the report. ATF began installing encryption software only in May 2007. ATF did not know what information was on 398 of the 418 lost or stolen laptops. The report called the lack of such knowledge a “significant deficiency.” Of the 20 missing laptops for which information was available, ATF indicated that seven — 35 percent — held sensitive information. One missing laptop, for example, held “300-500 names with dates of birth and Social Security numbers of targets of criminal investigations, including their bank records with financial transactions.” Another held “employee evaluations, including Social Security numbers and other [personal information].” Neither laptop was encrypted.

The findings regarding lost weapons were equally troubling, if not a bit humorous:

Continue reading →

As I noted in previous installments of this series, our government seems to have an increasingly hard time keeping tabs on sensitive data. Unfortunately, there’s been another incident on this front. The Washington Post reported this morning that:

“A government laptop computer containing sensitive medical information on 2,500 patients enrolled in a National Institutes of Health study was stolen in February, potentially exposing seven years’ worth of clinical trial data, including names, medical diagnoses and details of the patients’ heart scans. The information was not encrypted, in violation of the government’s data-security policy. NIH officials made no public comment about the theft and did not send letters notifying the affected patients of the breach until last Thursday — almost a month later. They said they hesitated because of concerns that they would provoke undue alarm.”

Undue alarm? Geez, I can’t imagine why! My friend Leslie Harris of CDT notes in story that, “The shocking part here is we now have personally identifiable information — name and age — linked to clinical data. If somebody does not want to share the fact that they’re in a clinical trial or the fact they’ve got a heart disease, this is very, very serious. The risk of identity theft and of revealing highly personal information about your health are closely linked here.”

But hey, we wouldn’t want to provoke “undue alarm” by telling those folks about the data breach! Pathetic. As I’ve pointed out before, if this happened in the private sector, trial lawyers would be salivating and lawsuits would be flying. By contrast, when the government loses personal information—information that his usually more sensitive than that which private actors collect—about the most that ever comes out of it is another GAO report calling for “more accountability.”

I can’t wait to see how well all our health care records are “secured” once we have socialized medicine in this country.

Previous installments (1, 2, 3, 4 & 5) in this series have documented how our government seems to have a difficult time keeping tabs on laptops and personal information. The latest on this front comes from the Energy Department which notified Congress yesterday that it has lost 1,415 laptop PCs over the past six years. However, according to this report in Government Computer News, the DOE stressed that none of the laptops contained classified information. I guess that qualifies as good news on this front.

Previous installments (1, 2, 3 & 4) in this series have documented how our government seems to have a difficult time keeping tabs on laptops and personal information. The latest on this front comes from the Transportation Security Administration (TSA). Last week, the TSA informed us that a computer hard drive containing the personal, payroll and bank information of 100,000 current and former TSA workers has apparently gone missing and is assumed stolen. The FBI and the Secret Service have apparently opened a criminal investigation into the matter.

I was about to launch into another rant on this front, but then I picked up this morning’s Washington Post and their editorial on this issue really nails it:

Continue reading →

Steve Jobs wants to sell you back copies of your own home movies for a $1.99 apiece! Or so declares this humorous Onion parody, (which almost sounds like it might have been secretly penned by our own Tim Lee!)
The Onion on iTunes

And while you’re over at The Onion site, you might also want to check out this funny take-off on the government’s ongoing lost laptop problems, which I’ve been writing quite a bit about here.

As I noted in previous installments of this series, our government seems to have a problem keeping tabs on its laptop computers, especially the ones with sensitive information on them.

I know private sector companies lose plenty of laptops too. And sometimes those laptops also contain sensitive information. But there are at least two important qualitative differences between private and public laptop or data losses: (1) While some sensitive data may be lost or compromised when private laptops are lost, almost everything that government collects and stores on laptops is going to be at least somewhat sensitive information, and in other cases very sensitive. And much of that information that government collects about us is gathered without our consent. (2) When private companies lose laptops or data, someone is usually held accountable. Heads roll and lawsuits fly. Not so with the government, at least not most of the time.

That’s why I make such a big deal about government laptop losses. And that’s what makes this new Department of Justice report so disturbing.

Continue reading →

In recent blogs, I’ve been documented the troubling reports of government losing laptops and compromising private information. And as I mentioned in another report, Rep. Tom Davis (R-VA), the Chairman of the committee, has introduced H.R. 6163, the “Federal Agency Data Breach Protection Act” to try to get this problem under control, although the legislation would really do nothing of the sort.

Sadly, there’s more news to report on this front.

Continue reading →

Quick update… Last week I discussed our government’s ongoing lost laptop follies after the House Committee on Government Reform reported that more than 1,100 laptop computers had vanished from the Department of Commerce since 2001, including nearly 250 from the Census Bureau containing such personal information as names, incomes and Social Security numbers. And the Committee is still collecting information about lost computers and compromised personal information from other federal agencies including: the departments of Agriculture, Defense, Education, Energy, Health and Human Services and Transportation and the Federal Trade Commission.

This week, in response to these findings, Rep. Tom Davis (R-VA), the Chairman of the committee, has introduced H.R. 6163, the “Federal Agency Data Breach Protection Act.” The bill would establish “policies, procedures, and standards for agencies to follow in the event of a breach of data security involving the disclosure of sensitive personal information and for which harm to an individual could reasonably be expected to result.” In other words, federal agencies would have to do a better job informing the public when personal data had been lost or compromised. Of course, it might be easier if they just stopped losing so many laptops!

Incidentally, why are government agencies allowing so much sensitive personal information to be kept on laptops, anyway? It doesn’t seem to make much sense to me in light of how easy it is for laptops to be taken out of a government building. Why not follow these two simple rules instead: (1) Keep the really sensitive stuff on desktop computers that are bolted to desks and make sure they don’t have any external inputs for personal storage devices. (2) If a government employee still finds a way to take that information home and then loses it, fire them immediately (and perhaps consider other penalties). After all, we’re talking about personal information about American citizens here. This stuff should not be taken lightly.

Honestly, I don’t get it. How in the world does government lose so many laptop computers? I don’t know if you heard this yesterday but Sonoma County, CA authorities reported that they had lost one-time JonBenet Ramsey murder suspect John Mark Karr’s laptop, which supposedly contains evidence of child pornography that could have been used to help prosecute him. In other words, we basically bought this freak a free plane ride back from Thailand and then gave him a big “Get Out of Jail Free” card. Brilliant. How in the world do you lose the laptop of the guy who has been all over the news for the past month?

But wait, there’s more missing laptop news. In response to an inquiry from the House Committee on Government Reform, 17 federal agencies where asked to report any loss of computers holding sensitive personal information. The results, revealed yesterday, are staggering. According to Alan Sipress of The Washington Post: “More than 1,100 laptop computers have vanished from the Department of Commerce since 2001, including nearly 250 from the Census Bureau containing such personal information as names, incomes and Social Security numbers…” The Census Bureau’s lost laptops alone could have compromised the personal information of about 6,200 households. Apparently, according to MSNBC, “Fifteen handheld devices used to record survey data for testing processes in preparation for the 2010 Census also were lost, the [Census] department said.” (And you thought that the Census was accurate!) Other government departments reporting lost computers with personal information include the departments of Agriculture, Defense, Education, Energy, Health and Human Services and Transportation and the Federal Trade Commission.

Of course, all this comes on top of the lost laptop scandal over at the Department of Veterans Affairs this summer. One lost laptop contained unencrypted information on about 26.5 million people and another had information on about 38,000 hospital patients. And in August, the Department of Transportation revealed that a laptop containing roughly 133,000 drivers’ and pilots’ records (including Social Security numbers) had been stolen.

I honestly don’t understand how are government agencies and officials losing all these laptops but next time they tell us that we can trust them with personal information and other sensitive things I hope we all remember these incidents. This is outrageous.