When the Government Breaches Data Security

By Courtney Macavinta

Alan Webber was following the news closely in May when the story broke that 26.5 million U.S. military personnel and veterans' personal information -- including their Social Security numbers -- had been compromised when a Department of Veterans Affairs employee's laptop was stolen from his home. Though the data theft was the second largest of its kind to date, Webber, a Forrester Research Senior Government Analyst, wasn't just interested in the incident from an industry analyst's perspective.
For  him the security breach was much more personal.

"I'm a veteran and my information was on that computer," Webber says. "I didn't get a letter [informing me of the breach] for three weeks. I'm a veteran, an IT expert, and I cover this market -- I don't mind saying that this is completely unacceptable."

The VA did have a policy prohibiting employees from taking home electronic data like the information that was on the stolen laptop. Although the laptop was recovered and the FBI says the data was not actually accessed or compromised, the breach triggered a wave of calls for better government data protection practices, as well as a class-action lawsuit filed on behalf of veterans whose data was threatened.

As a result of the VA laptop theft, Congress also is working on legislation to centralize the VA's information technology operation under a new "Undersecretary of Information Services" and to hire a third party to perform a risk analysis of its data management processes. Under the proposed law, the VA would also have to immediately report any security breaches to Congress, vets, and federal authorities.

Even the White House is chiming in. In late June, the Office of Management and Budget issued a memo laying out standards for the "protection of sensitive agency information."

Perhaps there is renewed fervor for government agencies to better safeguard personal sensitive information because the VA is not alone in failing to prevent data breaches. This summer, laptops also were stolen from Navy offices in New Jersey that had personal information about 31,000 recruiters and their prospective recruits. In another example, the names, addresses, and Social Security numbers of an estimated 540,000 injured New York workers was lost -- the data was on hardware that went missing from an insurance firm that helps manages the state's worker's compensation system.

For CIOs of public agencies, improving the handling and security of citizens' sensitive data comes down to being more proactive and reacting quickly if there is a breach -- such as not waiting weeks to send out letters to people who might have been affected, as Webber says happened in his case.

"As a citizen, you expect your government to keep better control over protecting your information," Webber says. "They need to compartmentalize data better in the first place. Then if there is a breach or loss you can minimize damage. Also, you have to notify people as soon as possible if something happens."

Though government agencies do need to collect some personal data to function and provide services, citizens are increasingly becoming distrustful of what they hand over, according to a May Forrester report by Webber called Citizens' Concerns For eGovernment Privacy And Security Run High.

Case in point: When asked whether "it was acceptable for the government to link their personal information with other information in both government and private company databases," 74% of U.S. citizens said no and "also strongly disapproved of government's retaining information for an indefinite period of time."

To ease people's fears -- and stave off regulatory crackdowns and fines -- public sector CIOs can start by taking the following steps:

Step 1: Have strong policies -- and enforce them 
Webber and other IT privacy experts agree that data security measures are only as strong as the policies that back them. For starters, public CIOs should evaluate their data security practices, and then implement policies and procedures and training about the collection, handling, and safeguarding of any personal information an agency collects.

Next, CIOs should make sure information is properly categorized so it can be adequately protected or prohibited from being accessed remotely, for instance.

"Government IT managers need to get beyond security-in-a-box syndrome," Webber says. "You have to figure out your security controls first and use the products to implement the controls -- not the other way around." And then, Webber adds, agency employees and CIOs "need to follow the policies they have in place."

If an agency prohibits storing sensitive information on laptops, it will need to perform sweeps to make sure the policy isn't being violated. The agency can also use technology to prevent the copying of certain databases onto laptops.

Step 2: Secure the fort   
Taking a page from the White House memo on security following the VA laptop theft, government agency CIOs can also take these additional steps outlined by the OMB and a National Institute of Standards and Technology safety checklist:

• Encrypt data  If sensitive personal data is going to be stored on mobile devices, such as laptops, it should be encrypted.
• Limit access  The OMB says agencies should allow remote access to sensitive data only if "two-factor authentication" is in place. In other words, an agency employee's identity would need to be verified in two distinct ways before he or she could access sensitive data remotely. Or CIOs could have a process in place to allow only partial access to information from remote computers -- not access to entire records.
• Authenticate often  Another best practice is to implement a "time-out" function for remote access and mobile devices that would require user re-authentication after 30 minutes of inactivity.
• Track data  When sensitive data is extracted from government databases and stored on a laptop, CIOs can implement a policy that it must be erased within a given amount of time, such as 90 days.

Step 3: Stay ahead of the curve
Webber says it's key for government agencies to stay on top of data privacy threats along with the best practices for shielding data. Letting citizens know why their data is being collected and how it will be protected is also essential.

Agencies such as the United States Agency for International Development (USAID) and National Science Foundation (NSA) have done a good job of being proactive in the data privacy front, he notes. "USAID and the NSF are making sure people are trained and that processes are followed," Webber says. "You have to look at policies, people, processes, and technology. The policy violations come down to people in most cases, so it has to be a focus. You have to have an ongoing compliance and risk management process. Technology is important, but it's not the complete answer."

Courtney Macavinta is a Silicon Valley-based business and technology writer. Her articles have appeared in CNET News.com, Business 2.0, Red Herring, Wired News, and The Washington Post. She also is managing editor of  The Online Family (TheOnlineFamily.net).