Nearly two years after an embarrassing flap in which veterans’ personal information was put at risk of identity theft, federal agencies are still not doing all they can to prevent further lapses, investigators have found.
Most of the two dozen federal agencies examined by the Government Accountability Office, Congress’ investigative arm, have not implemented five federal recommendations aimed at protecting personal information. Only two agencies — the Treasury and Transportation departments — met each of those recommendations. Two others — the Small Business Administration and the National Science Foundation — met none of them.
The other 18 agencies met the recommendations to varying degrees.
The recommendations were among those issued by the White House Office of Management and Budget following the 2006 VA incident, when a computer hard drive containing millions of names, Social Security numbers and birth dates was stolen from a VA employee’s home in Maryland. The hard drive was later recovered intact.
A spokesman for the Small Business Administration, Sean Rushton, said his agency received additional funds in 2007 to enhance security.
“SBA is working hard to improve its cybersecurity in accordance with OMB directives,” he said.
Officials with the National Science Foundation had no comment on the report after business hours Thursday night.
“The findings released in this report are very troubling — indicating that agency after agency has failed to make securing citizens’ personal information a high priority,” said Sen. Norm Coleman, Minnesota Republican, who asked for the GAO report along with Rep. Susan A. Davis, California Democrat, after the 2006 VA incident.
“The clock is ticking and we need to know when the agencies are going to have the protections in place to stop the numerous data breaches we have seen over the past few years,” he said.
Mr. Coleman, the ranking Republican on the Homeland Security committee’s permanent subcommittee on investigations, and Sen. Susan Collins of Maine, the ranking Republican on the Homeland Security and Governmental Affairs Committee, wrote to the agencies asking them how soon they’d be able to implement the recommendations.
“The federal government collects and stores large amounts of personal information that is a tempting target for identity thieves,” Miss Collins said. “Agencies cannot act quickly enough to implement policies to help protect and secure this sensitive data.”
In the report, the GAO looked at OMB recommendations such as encrypting data on mobile computers and other devices that carry agency data; and using a checklist to protect personally identifiable information that is accessed remotely or physically transported outside the agency. Only four agencies met that last recommendation. The VA was not one of them, but it did meet the other four recommendations.