- The Washington Times - Wednesday, May 23, 2007

ASSOCIATED PRESS

Federal agencies, plagued by regular breaches in the security of personal data, were ordered yesterday to eliminate the unnecessary collection and use of Social Security numbers by early 2009.

That order and several other new security measures against identity theft were outlined in a memo to all department and agency heads from Clay Johnson III, deputy director for management of the Office of Management and Budget.

Mr. Johnson gave the agencies 120 days to review all their files for instances in which the use of Social Security numbers is superfluous and “establish a plan in which the agency will eliminate the unnecessary collection and use of Social Security numbers within 18 months.”

Beyond that, agencies were directed to review all information that could be used to identify an individual citizen or employee, to ensure such records are accurate and “to reduce them to the minimum necessary for the proper performance” of their duties.

The order is based on the principle that “the federal government should not unnecessarily collect or maintain personally identifiable information,” OMB spokesman Sean Kevelighan said. Requiring agencies to reduce such data to a minimum, he said, lowers the risk of harm from identity theft: data that is never collected cannot be lost.

The order was the culmination of steps taken since the Veterans Affairs Department reported one year ago that a laptop with information for more than 26.5 million military personnel, including data on 2.2 million active-duty military, Guard and Reserve members, was stolen from a department employee.

The massive VA breach created an uproar among the public and in Congress. The Bush administration set up an Identity Theft Task Force, which made recommendations last month.

Mr. Johnson’s memo “formalizes the recommendations of the task force,” Mr. Kevelighan said. “Agencies will reduce the unnecessary use of the Social Security number, thus reducing the potential for loss of personal data and the potential for identity theft.”

It was not clear whether Congress would be satisfied with the timeline set by the administration or with the range of steps ordered.

After the VA breach, an investigation by the House Oversight and Government Reform Committee found that 19 agencies had lost personal information about thousands of employees and the public in 788 incidents since Jan. 1, 2003.

The blunders keep occurring.

Last month, a discovery by an Illinois farmer alerted the government that the Social Security numbers of 38,700 recipients of Agriculture Department grants had been posted on a government Web site since 1996.

And this month, the Transportation Security Administration lost an external hard drive containing Social Security numbers, bank data and payroll information for about 100,000 employees.

Among the other measures ordered by Mr. Johnson was a requirement that agencies encrypt all data on mobile computers or storage devices, unless the department’s deputy secretary certifies in writing that it is not sensitive.

In a civil lawsuit filed after the TSA drive was lost, four airport security screeners and their union, the American Federation of Government Employees, asked the federal court in Washington to order the TSA to encrypt personnel data and install electronic monitoring on any mobile equipment that stores personnel information.

Mr. Johnson also ordered each agency to establish a policy within 120 days for notifying security officials, potential victims and the public about the loss or exposure of sensitive personal information based on risk principles he outlined.

For example, an office Rolodex with names and phone numbers “probably would not be considered sensitive information,” Mr. Johnson wrote. “However, the same information in a database of patients at a clinic which treats contagious disease probably would be considered sensitive information.”

Earlier suggestions, which Mr. Johnson said agencies now must implement, include a secure method for granting remote access to data, automatic termination of remote sessions after 30 minutes of inactivity unless the user re-authenticates, and logs of all extracts of information from databases holding sensitive data.

The memo also called for better training of employees in security rules and written descriptions of potential discipline for violations.
