And so the series continues.  The Washington Post reports that the Department of Justice has just released “a scathing report” finding that over a 5-year period the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) “lost dozens of weapons and hundreds of laptops that contained sensitive information.” The DOJ’s Inspector General Glenn A. Fine found that 418 laptop computers and 76 weapons were lost. According to the report:

Yesterday’s report showed that ATF, a much smaller agency than the FBI, had lost proportionately many more firearms and laptops. “It is especially troubling that that ATF’s rate of loss for weapons was nearly double that of the FBI and [Drug Enforcement Administration], and that ATF did not even know whether most of its lost, stolen, or missing laptop computers contained sensitive or classified information,” Fine wrote.  […] Many of the missing laptops contained sensitive or classified material, according to the report. ATF began installing encryption software only in May 2007. ATF did not know what information was on 398 of the 418 lost or stolen laptops. The report called the lack of such knowledge a “significant deficiency.” Of the 20 missing laptops for which information was available, ATF indicated that seven — 35 percent — held sensitive information. One missing laptop, for example, held “300-500 names with dates of birth and Social Security numbers of targets of criminal investigations, including their bank records with financial transactions.” Another held “employee evaluations, including Social Security numbers and other [personal information].” Neither laptop was encrypted.

The findings regarding lost weapons were equally troubling, if not a bit humorous:

Two weapons were subsequently used to commit crimes. In one incident, a gun stolen from the home of a special agent was fired through the window of another home. Ten firearms were “left in a public place.” One of them was left on an airplane, three in bathrooms, one in a shopping cart and two on the top of cars as ATF employees drove away. A laptop also fell off the top of a car as an agent drove off. Another weapon “fell into the water while an agent was fishing,” according to the report.

Now I know the private sector actors lose things too, but as I’ve pointed out before, if any of this happened in the private sector, trial lawyers would be salivating and lawsuits would be flying. By contrast, when the government loses personal information—information that his usually more sensitive than that which private actors collect—about the most that ever comes out of it is another report calling for “more accountability.” Few ever are actually held accountable (i.e., lose their jobs or get sued.)

As I noted in previous installments of this series, our government seems to have an increasingly hard time keeping tabs on sensitive data. Unfortunately, there’s been another incident on this front. The Washington Post reported this morning that:

“A government laptop computer containing sensitive medical information on 2,500 patients enrolled in a National Institutes of Health study was stolen in February, potentially exposing seven years’ worth of clinical trial data, including names, medical diagnoses and details of the patients’ heart scans. The information was not encrypted, in violation of the government’s data-security policy. NIH officials made no public comment about the theft and did not send letters notifying the affected patients of the breach until last Thursday — almost a month later. They said they hesitated because of concerns that they would provoke undue alarm.”

Undue alarm? Geez, I can’t imagine why! My friend Leslie Harris of CDT notes in story that, “The shocking part here is we now have personally identifiable information — name and age — linked to clinical data. If somebody does not want to share the fact that they’re in a clinical trial or the fact they’ve got a heart disease, this is very, very serious. The risk of identity theft and of revealing highly personal information about your health are closely linked here.”

But hey, we wouldn’t want to provoke “undue alarm” by telling those folks about the data breach! Pathetic. As I’ve pointed out before, if this happened in the private sector, trial lawyers would be salivating and lawsuits would be flying. By contrast, when the government loses personal information—information that his usually more sensitive than that which private actors collect—about the most that ever comes out of it is another GAO report calling for “more accountability.”

I can’t wait to see how well all our health care records are “secured” once we have socialized medicine in this country.

Previous installments (1, 2, 3, 4 & 5) in this series have documented how our government seems to have a difficult time keeping tabs on laptops and personal information. The latest on this front comes from the Energy Department which notified Congress yesterday that it has lost 1,415 laptop PCs over the past six years. However, according to this report in Government Computer News, the DOE stressed that none of the laptops contained classified information. I guess that qualifies as good news on this front.

Previous installments (1, 2, 3 & 4) in this series have documented how our government seems to have a difficult time keeping tabs on laptops and personal information. The latest on this front comes from the Transportation Security Administration (TSA). Last week, the TSA informed us that a computer hard drive containing the personal, payroll and bank information of 100,000 current and former TSA workers has apparently gone missing and is assumed stolen. The FBI and the Secret Service have apparently opened a criminal investigation into the matter.

I was about to launch into another rant on this front, but then I picked up this morning’s Washington Post and their editorial on this issue really nails it:

This is getting ridiculous. When it comes to safeguarding private information from the growing identity theft industry, Uncle Sam’s track record is horrendous. Up until the TSA’s major breach, the Census Bureau, the Agriculture Department and the Federal Emergency Management Agency were the latest agencies to blunder by revealing Social Security numbers. Tooling around on an Internet site maintained by the Census Bureau, a bored Illinois farmer did a search of her farm’s name and found references to a loan application she filed with the USDA. There for all the world to see was her Social Security number. A review by the USDA found that the numbers of 38,700 farmers had been exposed on the site. Over at FEMA, the fumble was printing Social Security numbers on the outside address labels for 2,300 agency personnel who were being reappointed as disaster assistance employees. To its credit, FEMA moved quickly to correct the problem, apologize to the individuals affected and offer them credit-monitoring protection. The TSA also has apologized to its employees and offered them credit-monitoring protection. But because this is the TSA — the agency that employs airport screeners and air marshals — this is not your run-of-the-mill identity theft worry. There are security issues here, which is why the TSA was right to call in the FBI and the Secret Service to investigate. This episode reminds us of last year’s theft of the Department of Veterans Affairs laptop with information on 26.5 million people nestled in it. It was later returned with the information untouched. We can only hope for a similar outcome at the TSA.

I’d like to believe that someone will be held accountable for this, but I’m sure nothing much will change. When private sector data breeches occur–and they certainly do–lawsuits start flying and heads roll. By contrast, when the government loses personal information–information that his usually more sensitive than that which private actors collect–about the most that ever comes out of it is another GAO report calling for “more accountability.”

Steve Jobs wants to sell you back copies of your own home movies for a $1.99 apiece! Or so declares this humorous Onion parody, (which almost sounds like it might have been secretly penned by our own Tim Lee!)

And while you’re over at The Onion site, you might also want to check out this funny take-off on the government’s ongoing lost laptop problems, which I’ve been writing quite a bit about here.

As I noted in previous installments of this series, our government seems to have a problem keeping tabs on its laptop computers, especially the ones with sensitive information on them.

I know private sector companies lose plenty of laptops too. And sometimes those laptops also contain sensitive information. But there are at least two important qualitative differences between private and public laptop or data losses: (1) While some sensitive data may be lost or compromised when private laptops are lost, almost everything that government collects and stores on laptops is going to be at least somewhat sensitive information, and in other cases very sensitive. And much of that information that government collects about us is gathered without our consent. (2) When private companies lose laptops or data, someone is usually held accountable. Heads roll and lawsuits fly. Not so with the government, at least not most of the time.

That’s why I make such a big deal about government laptop losses. And that’s what makes this new Department of Justice report so disturbing.

The DOJ’s Office of Inspector General decided to conduct a follow-up audit of the Federal Bureau of Investigation (FBI) after a previous 2002 report revealed that the FBI had lost 317 laptops over a 28-month review period. That report also found that the FBI “did not always report the missing items to the DOJ or enter lost and stolen weapons and laptop computers into the National Crime Information Center (NCIC) database.” Moreover, the agency “did not have policies in place that required reporting lost or stolen laptop computers to its Office of Professional Responsibility (OPR), nor was the FBI investigating the loss of this equipment in a timely manner.” The FBI had also “not established deadlines for reporting losses, was not conducting physical inventories as required, and was not reconciling its property records to its financial records.” Finally, the agency “could not provide documentation to establish whether excessed laptop computers were properly disposed of as required.”

That’s not a pretty picture. Luckily, things have improved somewhat since 2002, but the results are still a bit disturbing. The DOJ’s follow-up audit of the FBI spanned a 44 month period this time around and the overall number of lost or stolen laptops dropped to 160. Interestingly, however, although the number of lost laptops dropped from an average of 10.7 per month to 2.6, the number of stolen laptops actually increased from 0.6 per month to 1 per month.

Overall, the DOJ was forced to conclude that:

“Our audit found that the FBI has not taken sufficient corrective action on several recommendations outlined in our 2002 audit report to address the issue of missing and stolen equipment. Perhaps most troubling, the FBI could not determine in many cases whether the lost or stolen laptop computers contained sensitive or classified information. Such information may include case information, personal identifying information, or classified information on FBI operations. Prior to our follow-up audit the FBI did not maintain records indicating which of its laptop computers actually contained sensitive or classified information. Moreover, during this follow-up review, the FBI could not identify for us the contents of many of the lost and stolen laptops, including whether they contained sensitive or classified information.”

But the FBI did reveal that at least 10 of these lost laptops contained sensitive or classified information.

As I mentioned in a previous essay on this subject, things like this should make us think twice before granting the government more authority to collect or retain data about the citizenry.

In recent blogs, I’ve been documented the troubling reports of government losing laptops and compromising private information. And as I mentioned in another report, Rep. Tom Davis (R-VA), the Chairman of the committee, has introduced H.R. 6163, the “Federal Agency Data Breach Protection Act” to try to get this problem under control, although the legislation would really do nothing of the sort.

Sadly, there’s more news to report on this front.

(1) Government Computer News reports that:

* “The Army’s Accessions Command in Ft. Monroe, Va., reported a laptop computer with personal information on 4,600 scholarship applicants for the Reserve Officer Training Corps went missing Oct. 23. The command just yesterday let the House Government Reform Committee know that the notebook went missing. The committee asked all agencies to report all data breaches since Jan. 1, 2003. Agencies had until July 24 to report their information, but the committee still is receiving reports of data breaches. Paul Boyce, an Army spokesman, said the data was password protected using the Common Access Card. This means whoever allegedly stole the laptop would need the card and the user’s personal identification number to access the computer. However, the data itself was not encrypted.”

(2) The Los Angeles Times reports that:

* “The Department of Veterans Administration confirmed Thursday that a computer containing the personal data of military veterans was stolen from the agency’s Manhattan hospital. VA spokeswoman Jo Schuda said the laptop computer, used to measure pulmonary function, was stolen from a locked room in a locked hallway at the VA hospital. The theft occurred Sept. 6, but VA officials sent out a letter to veterans only within the past two weeks. The personal data of about 1,600 people was on the computer’s hard drive. It was the third theft of personal data from a VA facility in less than a year.”

(3) Federal Computer Week reports that:

* “Rep. Tom Davis (R-Va.) says agencies may be underreporting their computer thefts…. Davis said he wonders if the agencies were “lucky, good or maybe…incomplete in their reports.” “Congress and the public wouldn’t have learned about these events unless we went proactively at the information,” he said. “This history of withholding events needs to stop.” He added that he would follow-up with agencies that reported few thefts to ensure that they properly reported losses.”

Not a pretty picture.

Quick update… Last week I discussed our government’s ongoing lost laptop follies after the House Committee on Government Reform reported that more than 1,100 laptop computers had vanished from the Department of Commerce since 2001, including nearly 250 from the Census Bureau containing such personal information as names, incomes and Social Security numbers. And the Committee is still collecting information about lost computers and compromised personal information from other federal agencies including: the departments of Agriculture, Defense, Education, Energy, Health and Human Services and Transportation and the Federal Trade Commission.

This week, in response to these findings, Rep. Tom Davis (R-VA), the Chairman of the committee, has introduced H.R. 6163, the “Federal Agency Data Breach Protection Act.” The bill would establish “policies, procedures, and standards for agencies to follow in the event of a breach of data security involving the disclosure of sensitive personal information and for which harm to an individual could reasonably be expected to result.” In other words, federal agencies would have to do a better job informing the public when personal data had been lost or compromised. Of course, it might be easier if they just stopped losing so many laptops!

Incidentally, why are government agencies allowing so much sensitive personal information to be kept on laptops, anyway? It doesn’t seem to make much sense to me in light of how easy it is for laptops to be taken out of a government building. Why not follow these two simple rules instead: (1) Keep the really sensitive stuff on desktop computers that are bolted to desks and make sure they don’t have any external inputs for personal storage devices. (2) If a government employee still finds a way to take that information home and then loses it, fire them immediately (and perhaps consider other penalties). After all, we’re talking about personal information about American citizens here. This stuff should not be taken lightly.

Honestly, I don’t get it. How in the world does government lose so many laptop computers? I don’t know if you heard this yesterday but Sonoma County, CA authorities reported that they had lost one-time JonBenet Ramsey murder suspect John Mark Karr’s laptop, which supposedly contains evidence of child pornography that could have been used to help prosecute him. In other words, we basically bought this freak a free plane ride back from Thailand and then gave him a big “Get Out of Jail Free” card. Brilliant. How in the world do you lose the laptop of the guy who has been all over the news for the past month?

But wait, there’s more missing laptop news. In response to an inquiry from the House Committee on Government Reform, 17 federal agencies where asked to report any loss of computers holding sensitive personal information. The results, revealed yesterday, are staggering. According to Alan Sipress of The Washington Post: “More than 1,100 laptop computers have vanished from the Department of Commerce since 2001, including nearly 250 from the Census Bureau containing such personal information as names, incomes and Social Security numbers…” The Census Bureau’s lost laptops alone could have compromised the personal information of about 6,200 households. Apparently, according to MSNBC, “Fifteen handheld devices used to record survey data for testing processes in preparation for the 2010 Census also were lost, the [Census] department said.” (And you thought that the Census was accurate!) Other government departments reporting lost computers with personal information include the departments of Agriculture, Defense, Education, Energy, Health and Human Services and Transportation and the Federal Trade Commission.

Of course, all this comes on top of the lost laptop scandal over at the Department of Veterans Affairs this summer. One lost laptop contained unencrypted information on about 26.5 million people and another had information on about 38,000 hospital patients. And in August, the Department of Transportation revealed that a laptop containing roughly 133,000 drivers’ and pilots’ records (including Social Security numbers) had been stolen.

I honestly don’t understand how are government agencies and officials losing all these laptops but next time they tell us that we can trust them with personal information and other sensitive things I hope we all remember these incidents. This is outrageous.