If the federal government were a college student, it would be on academic probation right now for a near-failing grade in Data Security 101.
In a report released last Friday, the Government Reform Committee slapped the feds with a pathetic D+ for their appalling track record in protecting U.S. citizens' personal data since 2003.
All 19 federal departments have suffered at least one data breach since 2003, according to the committee's report, which goes into quite some detail about the number of data breaches suffered by each department, including specific dates and incidents. (You can download the report here.)
According to the report, the Dept. of Veterans Affairs reported the most "incidents involving the loss or compromise of any sensitive personal data." The report didn't offer a specific number, just "hundreds." Next was the Dept. of Treasury, with 340 incidents. Third was the Dept. of Commerce, with 297. The Dept. of Defense reported 43; the Dept. of Education, 41; and the Dept. of Health and Human Services, 24. The remaining departments each reported fewer than 10.
Perhaps even more troubling: It's possible that your information was swiped from a government database, and you don't even know it. According to the report, "agency responses to data losses appear to vary ... with some notifying all potentially affected individuals, and others not performing such notifications."
The thing is, they're not required to let you know if some malicious hacker makes off with your name, address, and Social Security number: "Despite the volume of sensitive information held by agencies, there is no requirement that the public be notified if their sensitive personal information is compromised," the report says.
Among the committee's overall findings:
Agencies do not always know what has been lost. "In many cases, agencies do not know what information has been lost or how many individuals could be impacted by a particular data loss. Similarly, agencies do not appear to be tracking all possible losses of personal information, making it likely that their reports to the committee are incomplete."
Physical security of data is essential. "Only a small number of the data breaches reported to the Committee were caused by hackers breaking into computer systems online. The vast majority of data losses arose from physical thefts of portable computers, drives, and disks, or unauthorized use of data by employees."
Contractors are responsible for many of the reported breaches. "Federal agencies rely heavily on private sector contractors for information technology management services. Thus, many of the reported data breaches were the responsibility of contractors."
Conspicuously absent from the 15-page report, however: a single recommendation of how to deal with the problem. In other words, the committee does a great job describing just how hot the fire is in the burning house, what might have caused it, and how many residents are trapped inside. But apparently someone else will need to come up with ideas on how to put it out. Ah, government inaction.