Fed gets D+ for weak data security

If the federal government was a college student, it would be on academic probation right now for a near-failing grade in Data Security 101.

In a report released last Friday, the Government Reform Committee slapped the feds with a pathetic D+ for their appalling track record in adequately protecting U.S. citizens' personal data since 2003.

All 19 federal departments have suffered at least one data breach since 2003, according to the committee's report, which goes into quite some detail about the number of data breaches suffered by each department, including specific dates and incidents. (You can download the report here.)

According to the report, the Dept. of Veterans Affairs reported the most "incidents involving the loss or compromise of any sensitive personal data." The report didn't offer a specific number, just "hundreds." Next was the Dept. of Treasury, with 340 incidents. Third was the Dept. of Commerce, with 297. The Dept. of Defense reported 43; the Dept. of Education, 41; and the Dept. of Health and Human Services, 24. The remaining departments each reported fewer than 10.

Perhaps even more troubling: It's possible that your information was swiped from a government database, and you don't even know it. According to the report, "agency responses to data losses appear to vary ... with some notifying all potentially affected individuals, and others not performing such notifications."

The thing is, they're not required to let you know if some malicious hacker makes off with your name, address, and Social Security number: "Despite the volume of sensitive information held by agencies, there is no requirement that the public be notified if their sensitive personal information is compromised," the report says.

Among the committee's overall findings:

Agencies do not always know what has been lost. "In many cases, agencies do not know what information has been lost or how many individuals could be impacted by a particular data loss. Similarly, agencies do not appear to be tracking all possible losses of personal information, making it likely that their reports to the committee are incomplete."

Physical security of data is essential. "Only a small number of the data breaches reported to the Committee were caused by hackers breaking into computer systems online. The vast majority of data losses arose from physical thefts of portable computers, drives, and disks, or unauthorized use of data by employees."

Contractors are responsible for many of the reported breaches. "Federal agencies rely heavily on private sector contractors for information technology management services. Thus, many of the reported data breaches were the responsibility of contractors."

Conspicuously absent from the 15-page report, however: a single recommendation of how to deal with the problem. In other words, the committee does a great job describing just how hot the fire is in the burning house, what might have caused it, and how many residents are trapped inside. But apparently someone else will need to come up with ideas on how to put it out. Ah, government inaction.

Of course, data breaches don't just affect the government. Businesses -- and as a result, their customers and employees -- continue to fall victim to data theft. Yet aside from offering a year of free credit monitoring, companies appear to be moving at a glacial pace to address the problem.

Trouble is, until we see some compliance legislation forcing companies to better protect users' private data, there's no real incentive for them to invest the time and money toward, perhaps, exploring encryption technology, improving security measures to limit what kind of data employees can carry around, and keeping better tabs on how partners are handling your sensitive data.

But there's really no excuse for the government not to get its act together, and to do it now. If the data of citizens, including veterans, is so easily accessible, who knows what other information malicious hackers and thieves might have access to. Securing our nation isn't just limited to having well-trained soldiers on the border, state-of-the-art jets in the sky, and satellites in space keeping tabs on enemies; not in the Internet Age.

Unfortunately, this hasn't become an election-year issue, so it's not garnering the attention it deserves from the powers-that-be. I recommend taking a moment to send a letter to your local reps, citing this report and telling them to do something about it now.

Or am I overreacting? Is the government doing enough to keep our data safe? What's the answer here? There's an interesting discussion group going on right now in InfoWorld's IT Exec-Connect community where this topic could be expanded on further.