Sunday, October 01, 2006

Data Breaches Approach 100,000,000 in the Past Two Years

According to Privacy Rights Clearinghouse, the total number of records containing sensitive personal information involved in security breaches over the past two years now stands at 93,754,333.

My concerns with these numbers are many, but the most concerning is the number of unaccounted-for or undisclosed lost data files. The number could easily be nearing 500 million rather than 100 million.
I have included parts of a press release to demonstrate my point. For a copy of the September press release in its entirety, visit http://www.commerce.gov

FOR IMMEDIATE RELEASE
Thursday, September 21, 2006

Commerce Department Announces Information From Reviews of Missing Department Laptops and Potential Breaches of Personal Identity Data

WASHINGTON - The Department of Commerce today announced information from its recent Department-wide reviews of missing, lost or stolen laptops and potential breaches of personal identity data. The Department continues its review and is not aware of any data being improperly accessed or used. The information gathered from the reviews indicates that the Census Bureau had the disproportionate share of missing equipment and data. The reviews were in response to broad, government-wide Congressional and public inquiries.

Based on the review in response to the public inquiry, the Department determined that within its 15 operating units for the years 2001 to the present, out of over 30,000 laptops within the Department's inventory over that time period, 1,138* were either lost, stolen or missing. Of these laptops, 249 contained personally identifiable information (PII), although access passwords, complex database software, systemic safeguards and/or encryption technology significantly limit the potential for misuse of data on the laptops.

A separate review in response to a request for information from the House Committee on Government Reform Chairman Tom Davis (R-VA) regarding the loss or compromise of any sensitive personal information from 2003 to the present found that there were 297 instances. These included: 217 laptops; 15 handheld devices; 46 thumbdrives; and the rest involved documents or other materials.

Information on the two agencies within the Department that have missing laptops with personal data follows:

Bureau of the Census
Most of the missing laptops were assigned to the Census Bureau, which during the last five years has used over 20,000 laptops. Every year, thousands of Census field representatives fan out around the country to compile survey data, using laptops in their work. Much of the field workforce is comprised of temporary, hourly employees paid to gather data door-to-door. Given the unique nature of the Census workforce and method of data collection, the Bureau has long had technological and procedural mechanisms in place that limit any potential breach of information.

Regarding the unique nature of the Census laptops, the Bureau indicated that they contained the following:
Technological Protections:

  • every Census laptop from 2001 on requires a password to access;
  • systemic safeguards ensure that once a survey is completed, the data is automatically stored on a laptop and cannot be retrieved or accessed in the field, even by the Census field representative;
  • and each laptop contains information on an estimated 20-30 households, and rarely more than 100;
  • field offices report that typical laptops would contain zero-to-two incomplete surveys.
Procedural Protections:

  • the survey data is contained in complex database formats requiring specialized applications to access;
  • each laptop contains survey data that is regularly transmitted at the end of each day, and such data is fully removed from the laptops at the end of each survey period;
  • and since 2001, the Census Bureau has been adding encryption technology on a rolling basis for extra protection, and today, all new laptops have encryption protection.

The Census Bureau reported:

  • 672 missing laptops, of which 246 contained some degree of personal data;
  • 107 of these laptops were fully encrypted;
  • 139 were either partially encrypted or had no encryption;
  • of the missing laptops involving PII, almost half of the unaccounted laptops were stolen (104), often from employees' vehicles, and another 113 were not returned from former employees;
  • and 46 thumbdrives, all of which were fully encrypted and protected by systemic safeguards.

In addition to laptops, Census began evaluating the use of handheld devices to record survey data for testing processes in preparation for the 2010 Census. Of the approximately 2,400 in use since 2004, 15 have been lost, stolen or are missing with PII on them. All of these had encryption and required an initial password to operate the unit, and a second password to access the data that was only available to employees at Census headquarters. Unlike the laptops, it is possible for us to determine the potentially affected households, and we are in the process of contacting those 558 households even though the risk of misuse of data is extremely low.
In addition to those instances of potential breaches, the Census Bureau also reported 16 instances of non-electronic potential breaches of personal information, ranging from employee time and attendance records being lost in an office move to retirement information packages sent to the National Finance Center during Hurricane Katrina not being received. Where these potentially affected people can be identified, we are also in the process of contacting them.

Other Department of Commerce Bureaus and Offices
The following bureaus of the Commerce Department had the following number of laptops lost or stolen in the last 5 years: Bureau of Industry and Security, 9; Economic Development Administration, 6; Bureau of Economic Analysis, 4; International Trade Administration, 42; Technology Administration, 17; National Institute of Standards and Technology, 35; U.S. Patent and Trademark Office, 9; Office of the Inspector General, 2; and the Office of the Secretary, 17. None of these contained personally identifiable information.

This leaves me with a very uncomfortable feeling: if the government is doing as poorly as "Corporate America" in regards to protecting our personal data, who should be passing laws and regulations?

  • All Material is Copyright © 2009 Michael McCoy and SEAS, L.L.C