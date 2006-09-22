The U.S. Commerce Department reported that 1,137 laptops have been lost or stolen since 2001, with 249 of them containing some degree of personal data.

The department couldn't determine whose data may have been on the machines, of which 672 belonged to the U.S. Census Bureau. It isn't aware of any data having been used improperly, it said Thursday.

The findings are from a Commerce Department review covering 15 agencies that use a total of 30,000 laptops. It comes as businesses and governments try to tighten their control over mobile devices after several high-profile incidents concerning the loss of sensitive data.

The Census Bureau's laptops -- used for collecting census data in the field -- rarely contain data on more than 100 households, and the data can't be accessed by the surveyors, many of whom are temporary, hourly employees, the department said.

However, the Census Bureau also lost 15 handheld computers used to gather survey data. As a result, the department is contacting 558 households. The risk of the data being misused is "extremely low," it said, since the data is encrypted and two passwords are required for access.

The National Oceanic and Atmospheric Administration, which falls under the Commerce Department, lost 325 laptops, three of which had personal data. One of the laptops was stolen after a fire at one of its buildings in Seattle. The machine contained addresses, birth dates and Social Security numbers for 146 employees, the department said.

Commerce Secretary Carlos M. Gutierrez said the agency plans to strengthen accountability standards, encrypt data on all department laptops and implement two-factor authentication.

The seriousness of the laptop losses depends entirely on whether the data on them was encrypted or not, said John Pescatore, an analyst at Stamford, Conn.-based Gartner Inc.

"If they did have encryption on them, it changes the whole thing from a data loss to simply a hardware loss," Pescatore said. "So if you lost 1,000 laptops, you just had a $2 million loss" at $2,000 per laptop, Pescatore said. However, if the data was not encrypted, the potential costs could be much higher, he said.

"Whenever you have a situation where you have a lot of temporary workers out in the field [as the Census Bureau does], carrying laptops, it is very important to encrypt sensitive data," he said.

U.S. government agencies have been stung by hardware losses in recent months. In May, a laptop and external hard drive stolen from the home of a U.S. Department of Veterans Affairs employee contained data on 26.5 million veterans and active-duty military personnel. The laptop was recovered, and two teenagers were arrested in June.

Alan Paller, director of research at the Bethesda, Md.-based SANS Institute expressed similar sentiments.

"The bottom line is that the vast majority of the stolen laptops are simple theft and resale crimes," he said. But that in no way eliminates the "absolute requirement" to encrypt all sensitive data on these laptops to protect against any chance of data theft or accidental compromise, he said.

Computerworld's Jaikumar Vijayan contributed to this report.