GAO: Most sensitive data on government laptops still unencrypted
Watchdog agency says only 30% of such info was encrypted as of last September
IDG News Service - Despite a series of high-profile data breaches at federal agencies in recent years, only about 30% of the sensitive information stored on laptops and mobile devices used by federal workers was encrypted as of last September, according to a report issued by the Government Accountability Office.
The GAO, which released the report to the public today, examined the use of encryption technology at 24 major agencies. The federal watchdog defined several types of data as sensitive, including medical records, other personal information, law enforcement records and information deemed to be essential for homeland security purposes.
"While all agencies have initiated efforts to deploy encryption technologies, none had documented comprehensive plans to guide encryption implementation activities," the GAO said in the report. "As a result, federal information may remain at increased risk of unauthorized disclosure, loss, and modification."
The report follows a string of security mishaps involving government-issued laptops. The biggest occurred in May 2006, when the Department of Veterans Affairs reported that a laptop and hard drive containing the personal information of 26.5 million military veterans and active-duty personnel had been stolen from the home of an agency employee. Law enforcement officers recovered the hardware the following month, and the VA began encrypting the data on all of its PCs, handheld devices and smart phones later that year.
But the VA has had plenty of company. Last year, for example, the GAO reported that 490 laptops were lost or stolen from the Internal Revenue Service between early 2003 and mid-2006. Many of those laptops likely contained the personal data of U.S. taxpayers, according to a separate report by an auditor at the IRS.
In another example, the Department of Commerce reported in September 2006 that 1,137 of its laptops had been lost or stolen since 2001, with 249 of them containing some personal data.
The GAO's new report notes that several laws, including the Federal Information Security Management Act of 2002, require agencies to protect their data. In addition, the White House Office of Management and Budget (OMB) first recommended in 2006, then required in May of last year, that agencies encrypt all sensitive data stored on mobile computers.
Following the lead of the VA, federal agencies have been increasing their encryption efforts. But two members of the House Homeland Security Committee said this week that they're disappointed with the progress being made by agencies, based on the GAO's findings.
"Encryption is not an option, it is a mandate," Rep. Bennie Thompson (D-Miss.) said in a statement. "Unfortunately, I'm not surprised that despite mandates by OMB, the federal government is only 30% of the way there." Thompson, the Homeland Security Committee's chairman, added that investing properly in cybersecurity now "will keep us from paying dearly in the long run."