U.S. careless with citizens’ information

Personal files maintained by the federal government on all U.S. citizens “remain at risk,” according to a House report released yesterday, which said the stored information is routinely lost because of carelessness, misconduct or theft.

“The federal government compiles and holds sensitive personal information on every citizen, including health records, tax returns and military records,” said a report by the House Government Reform Committee.

“In many cases, agencies do not know what information they have, who has access to the information, and what devices containing information have been lost, stolen or misplaced.”

The report said much of the information was lost when laptop computers were stolen, documenting the theft of more than 1,800 government-owned laptop computers — including one belonging to the Defense Department and containing personal information on 30,000 applicants, recruiters and prospects that “fell off a motorcycle belonging to a Navy recruiter.”

The committee, chaired by Rep. Thomas M. Davis III, Virginia Republican, began an investigation into the government’s ability to keep its files secure after the Department of Veterans Affairs’ disclosure that computer equipment containing the personal information of 26.5 million veterans and active-duty members of the military had been stolen from the home of a department employee.

Since that time, several other agencies — including the Social Security Administration, the Internal Revenue Service and the Department of Health and Human Services — have acknowledged security breaches that affected thousands more people.

To develop what the committee called “a full picture of the risks posed by data breaches at federal agencies,” it asked agencies to provide details about incidents involving the loss or compromise of any sensitive personal information held by the agency or a contractor since Jan. 1, 2003.

The report outlined a “wide range of incidents involving data loss or theft, privacy breaches and security incidents,” noting that despite the volume of sensitive information held by the agencies, there is no requirement that the public be notified if it is compromised.

The committee found that data loss is a governmentwide occurrence, noting that 19 federal departments and agencies had reported at least one loss of personally identifiable information since January 2003. It said the agencies do not always know what has been lost or how many people could be affected by a particular data loss.

It also said that only a small number of the data breaches are reported to the committee were caused by hackers breaking into computer systems online, with the vast majority of losses resulting from thefts of portable computers, drives and disks, or unauthorized use of data by employees.

The committee also said that federal agencies rely heavily on private-sector contractors for information-technology management services and, as a result, many of the reported data breaches were the responsibility of contractors.

According to the committee, problems concerning the loss of personal information were found at Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, Interior, Justice, Labor, State, Transportation, Treasury, Veterans Affairs, Office of Personnel Management and the Social Security Administration.