GAO: Most sensitive data on government laptops still unencrypted

Watchdog agency says only 30% of such info was encrypted as of last September

By Grant Gross
July 29, 2008 12:00 PM ET

IDG News Service - Despite a series of high-profile data breaches at federal agencies in recent years, only about 30% of the sensitive information stored on laptops and mobile devices used by federal workers was encrypted as of last September, according to a report issued by the Government Accountability Office.

The GAO, which released the report to the public today, examined the use of encryption technology at 24 major agencies. The federal watchdog defined several types of data as sensitive, including medical records, other personal information, law enforcement records and information deemed to be essential for homeland security purposes.

"While all agencies have initiated efforts to deploy encryption technologies, none had documented comprehensive plans to guide encryption implementation activities," the GAO said in the report. "As a result, federal information may remain at increased risk of unauthorized disclosure, loss, and modification."

The report follows a string of security mishaps involving government-issued laptops. The biggest occurred in May 2006, when the Department of Veterans Affairs reported that a laptop and hard drive containing the personal information of 26.5 million military veterans and active-duty personnel had been stolen from the home of an agency employee. Law enforcement officers recovered the hardware the following month, and the VA began encrypting the data on all of its PCs, handheld devices and smart phones later that year.

But the VA has had plenty of company. Last year, for example, the GAO reported that 490 laptops were lost or stolen from the Internal Revenue Service between early 2003 and mid-2006. Many of those laptops likely contained the personal data of U.S. taxpayers, according to a separate report by an auditor at the IRS.

In another example, the Department of Commerce reported in September 2006 that 1,137 of its laptops had been lost or stolen since 2001, with 249 of them containing some personal data.

The GAO's new report notes that several laws, including the Federal Information Security Management Act of 2002, require agencies to protect their data. In addition, the White House Office of Management and Budget (OMB) first recommended in 2006, then required in May of last year, that agencies encrypt all sensitive data stored on mobile computers.

Following the lead of the VA, federal agencies have been increasing their encryption efforts. But two members of the House Homeland Security Committee said this week that they're disappointed with the progress being made by agencies, based on the GAO's findings.

"Encryption is not an option, it is a mandate," Rep. Bennie Thompson (D-Miss.) said in a statement. "Unfortunately, I'm not surprised that despite mandates by OMB, the federal government is only 30% of the way there." Thompson, the Homeland Security Committee's chairman, added that investing properly in cybersecurity now "will keep us from paying dearly in the long run."

Reprinted with permission from IDG.net. Story copyright 2014 International Data Group. All rights reserved.