
Security is poor for personal data held by government

WASHINGTON — Government agencies have a long way to go before they can assure taxpayers that the country's secrets — as well as citizens' personal information — are secure, according to recent government reports.

In fact, the Government Accountability Office testified to Congress last week that "poor information security is a widespread problem with potentially devastating consequences."

Among the potential concerns that the GAO identified in testimony to a Senate subcommittee: If systems aren't secure, sensitive information, such as taxpayer data, Social Security records and medical records, could be "inappropriately disclosed, browsed or copied for improper or criminal purposes."

As in the breach of three presidential candidates' passport files, the use of outside contractors has been cited as a possible problem by the GAO and other government investigators.

In a 2005 report, the GAO found that most government agencies have security policies on the books and written in contracts with outside vendors. But those policies often didn't go far enough to properly oversee the work of those contractors, the GAO said.

In the recent GAO testimony, investigators found that the percentage of employees and outside contractors receiving security-awareness training had dropped from 2006 to 2007.

Security for the personal information kept by the federal government has been a major issue since 2006, when a portable hard drive and laptop computer belonging to a Department of Veterans Affairs employee were stolen, putting at risk the personal information of nearly 26 million veterans and military personnel.

The episode resolved itself without any known damage to veterans' personal information, but it did expose holes in VA security.

Although the main episode involved a VA employee, the VA's inspector general subsequently found that the information entrusted to contractors also needed to be protected better. Sensitive information provided to contractors was "not adequately safeguarded," the inspector general wrote, and many contracts didn't consistently include clauses to protect information.

As an example, the inspector general detailed an episode at a medical center in which 29 physicians were given access to the VA's medical records system although none had adequate background checks.

Since the 2006 data breach, the VA has significantly strengthened its information policies.

The recent GAO testimony also highlighted a separate stolen laptop issue at the Centers for Medicare and Medicaid Services. There, a contractor reported that a laptop containing personal information on nearly 50,000 Medicare beneficiaries was stolen.

"It is a serious problem," said Marc Rotenberg, executive director of the Washington-based Electronic Privacy Information Center. He said growing use of outside contractors, as well as questions over what legal responsibility they have over private information, makes the issue one that the presidential candidates should address.

"They now know what it means to have their private information improperly accessed," he said.
