Data insecurity has long been a government flaw


Office workers bring work home. No big deal - unless that work involves millions of people's names, birth dates and Social Security numbers.

This week's revelation of a vast security breach at the Department of Veterans Affairs puts a glaring light on the issue of who in the government has access to everything from tax records to Medicare histories and what they're allowed to do with that data.

The rules vary from agency to agency, and so does security. Congress has said the VA is among the worst at safeguarding information, while praising the Woodlawn-based Social Security Administration as among the best.

But when a thumbnail-sized computer drive can replace a mountain of paper records - and when "telecommuters" can log directly into government computer networks from home - securing Americans' privacy is trickier than ever.

"The issue isn't what individuals are permitted to bring home per se, because Congress has been pushing for a long time to encourage more work from home, to make the government more family-friendly," said Franklin Reeder, a former chief of information policy at the Office of Management and Budget.

"It's whether the employees are exercising reasonable diligence in safeguarding the way they bring it home."

A government survey of 1.8 million federal workers found 140,694, or almost 8 percent, teleworking during 2004. That figure doesn't include folks occasionally working from home at night or while traveling.

At the same time, however, the Government Accountability Office, Congress and the federal budget office repeatedly have criticized some agencies - including the VA - for sloppiness in securing their computer systems.

Though agencies are likely to customize their security policies, Reeder listed three safeguards that should always be in place when taking sensitive information home: having permission from a supervisor to do so; requiring a password to access the laptop; and, most important, encrypting all sensitive files.

The rules at the Social Security Administration give a glimpse into how seriously that agency takes data security and how the VA's recent breach so widely deviated from the government's best practices.

Mark Lassiter, the SSA's chief spokesman, said that no one in his agency would be allowed to take home a database that includes Social Security numbers.

In fact, only a few employees are allowed to take home anything with someone's Social Security number on it - typically agency lawyers and administrative law judges handling cases in which a person has been denied benefits and has appealed.

Those workers must first sign a "flexi-place" agreement, transport the documents home in a locked briefcase and then store them inside a locked file cabinet or safe that has been inspected by a supervisor.

"These things are very tightly controlled, at the most one or two cases are taken home at a time," Lassiter said. "Of our 65,000 employees overall, just a small number of those types of agreements are in place."

The VA's security breach illustrates what can go wrong when basic security protocols are not followed. According to the Justice Department, burglars struck the home of an unidentified VA employee early this month and took a government-issued laptop with disks containing information on up to 26.5 million veterans and some of their spouses.

Agency officials have said the analyst, who was working on an annual study about veterans' demographics, did not have permission to take the data home. The agency has not said whether the computer was password-protected or the data encrypted.

"I was mystified and horrified," Reeder said of the VA incident. "Several things had to have gone wrong. ... Human beings who aren't paying attention are capable of defeating the best practices, so I'm reluctant to point fingers at the system."

The government requires agencies - under the Federal Information Security Management Act of 2002 - to train employees each year on this issue. But in March a Government Accountability Office review of 24 large agencies found that 81 percent of employees got the training in fiscal year 2005, down from 88 percent in 2004.

Only half of the agencies reviewed reported that they had provided specialized security training to 90 percent or more of their employees who have "significant" security responsibilities.

"We've been writing reports on information security, more specifically weaknesses in information security, for well over a decade," said Gregory C. Wilshusen, director of information security issues at the GAO. "Agencies are making progress but face daunting challenges. Systems are increasingly becoming interconnected among agencies, and while that has added benefits, it also poses new threats and vulnerabilities."

The GAO has passed on long to-do lists to some agencies - especially those still without a basic inventory of their computers, where they are and the networks to which they are connected.

Baltimore Sun Articles
Please note the green-lined linked article text has been applied commercially without any involvement from our newsroom editors, reporters or any other editorial staff.