June 28, 2006 8:22 AM PDT

White House orders better security for sensitive data

The U.S. government has 45 days to upgrade its security standards for protecting the data it holds on millions of U.S. citizens.

The Office of Management and Budget (OMB), which operates under the White House, sent a "Memorandum for the Heads of Departments and Agencies" (click here for PDF) on June 23 requesting the implementation of new security standards and practices concerning data.

The request comes in the wake of several embarrassing government security breaches due to losses of laptops holding sensitive information. Many of the incidents resulted in an accidental release of Social Security numbers and dates of birth--two key pieces of data used in identity theft.

Perhaps the worst breach took place May 22, when the Department of Veterans Affairs lost the personal data of 26.5 million U.S. veterans and their spouses after a laptop was stolen from the home of a government employee. Other government agencies that have recently lost sensitive data include the Federal Trade Commission, the Department of Agriculture and the Department of Energy.

The new standards include encryption for all data on notebooks and mobile devices unless it is specifically classified as "nonsensitive" in writing by a Deputy Secretary or other empowered superior. Agencies must additionally require two forms of authentication to access the information, such as a password and key card system.

Government employees must also employ "time-outs" that require the user to re-authenticate every 30 minutes for both remote access and mobile devices. All data downloads must be logged, and sensitive data may remain on a laptop or handheld for a maximum of 90 days, unless specifically permitted for a longer period. The memo includes a list of guidelines from the National Institutes of Standards and Technology (NIST) on protecting information.

While the new procedures are presented as a "recommendation" from the OMB, Deputy Director Clay Johnson III adds that the office will be sending government inspectors to see that the request is properly and promptly carried out. The OMB has provided a flowchart illustrating the steps it would like agencies to take, in addition to procedural lists.

"Most departments and agencies have these measures already in place," Johnson said in the memo. "We intend to work with the Inspectors General community to review these items as well as the checklist to ensure we are properly safeguarding the information the American taxpayer has entrusted to us. Please ensure these safeguards have been reviewed and are in place within the next 45 days."

In less bureaucratic terms, the sentiment seems to be: Get it done, and soon.

Data loss has been a point of contention in the private sector as well. Many companies, or their affiliates, have lost customers' personal data. In June, approximately 243,000 Hotels.com customers were put at risk via an Ernst & Young laptop loss, and 1.3 million Texas Guaranteed Student Loan company customers had their data exposed.

In March, data on 200,000 Hewlett-Packard employees was affected by a loss. Ohio University and the University of Southern California have also recently experienced breaches of information.

See more CNET content tagged:
security standard, agency, laptop computer, mobile device, handheld

Add a Comment (Log in or register) 5 comments
After 89,399,953 - Its about time
by Nkully86 June 28, 2006 9:55 AM PDT
Wow...I must applaud the government for FINALLY implementing this. These new rules and regulations are a start and hopefully can only get stricter over time. The next step we need to take is to move this beyond a "recommendation".

I have been up to date on nearly every security breach over the past few months and according to:
http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP
the total number of people affected has been 89,399,953 since February of 2005.

While the government has done a good job in finally establishing this as a major National problem, it took them far too long. Why did they wait until nearly 90 MILLION people were affected before this. It's not too late, but it coulda/shoulda been done quite a while back.

Sadly, a majority of these data breaches were caused by the government's lack of emphasis on security so establishing these laws is the least they can do. While the government continues to ammend their policies on security and encryption they should read up on some recent facts of email encryption:
http://www.essentialsecurity.com/Documents/article15.htm
Reply to this comment
About Time
by marileev June 28, 2006 9:56 AM PDT
With the rampant data thefts, it's about time that the Government's officially responded. The article says, "The request comes in the wake of several embarrassing government security breaches due to losses of laptops holding sensitive information," embarrassment is an understatement - what about flagrant disregard for personal information. Let's not forget that last week the FTC also lost a laptop. There are solutions out there, but organizations need to use them before it's too late http://www.essentialsecurity.com/howitworks_laptop.htm
Reply to this comment
How about NOT taking the data home
by mystereojones June 28, 2006 10:56 AM PDT
That would be a start, right?
Reply to this comment View all 2 replies
Powered by Jive Software
advertisement

Latest tech news headlines

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.

More feeds available in our RSS feed index.

advertisement

Inside CNET News

Scroll Left Scroll Right
  • News - Business Tech

    IBM's EMEA revenue growth shaping up with same past path

    IBM announces its third quarter revenue growth in Europe, the Middle East and Africa is shaping up to post a similar growth pattern as the first half of the year - a.k.a. a moderate IT spending environment.

  • Gallery

    Photos: Top 10 reviews of the week

    Here are CNET Reviews' 10 favorite items from the past week, including the TiVo HD XL, Sony Cyber-shot DSC-H50, and the Dish Network's newest digital TV converter box.

  • The Open Road

    Disservice to partners may bite Apple

    The Mac maker does many things right, but partner management is not one of them. Delays in App Store updates and general lack of communication is frustrating developers.

  • Coop's Corner

    Chris Shipley 1, Internet lynch mob 0

    Demo's impresario goes public with a tart and smartly written riposte to the shoot-from-the-lip crowd.

  • Video

    Katie Couric reflects on first Webcast

    The political conventions are over and so are CBS Evening News anchor Katie Couric's first series of Webcasts. CNET's Kara Tsuboi sat down with Couric on the final night of the Republican National Convention to discuss what she liked about Webcasting, some of her most memorable guests, and whether TV news will still be around by the next round of conventions.

  • News - Digital Media

    Want top search results? Tread carefully

    In the business of promoting Web sites to top search results, some push limits to find what tricks are allowed. But there's evidence the trade is getting more respectable.

  • Video

    YouTube plays party politics

    During the presidential campaigning four years ago, YouTube didn't even exist. Now it's a tool candidates must master to get their message across. CNET's Kara Tsuboi stops by the YouTube upload booths at the Democratic and Republican conventions to find out why Google's video site has such a big presence in Denver and St. Paul, Minn.

  • News - Gaming and Culture

    Say Where brings voice recognition to iPhone apps

    Forthcoming iPhone app from Dial Directions aims to give users a way to get information from sites like Yelp, MapQuest and others by speaking instead of typing.

  • News - Cutting Edge

    Execs predict next Google-like tech

    On eve of company's 10-year anniversary, researchers and business pundits speculate about what technologies might someday have as much impact as Google.

  • Gallery

    Images: The art of 'Spore' prototypes

    Will Wright and his Maxis team worked on dozens of prototypes to test the elements of their soon-to-be-released evolution game. Here's a sampling.

  • Webware

    Google announcement coming later today

    Google is scheduled to make a presentation at 11:45 a.m. PDT on a still unknown topic at the TechCrunch50 event in San Francisco. We'll be there.

  • Green Tech

    TI does energy efficiency on a chip

    Its line of Piccolo microcontrollers can reduce power consumption significantly of home appliances, hybrid cars, LED lighting, and even solar panels.