The U.S. government has 45 days to upgrade its security standards for protecting the data it holds on millions of U.S. citizens.
The Office of Management and Budget (OMB), which operates under the White House, sent a "Memorandum for the Heads of Departments and Agencies" (click here for PDF) on June 23 requesting the implementation of new security standards and practices concerning data.
The request comes in the wake of several embarrassing government security breaches due to losses of laptops holding sensitive information. Many of the incidents resulted in an accidental release of Social Security numbers and dates of birth--two key pieces of data used in identity theft.
Perhaps the worst breach took place May 22, when the Department of Veterans Affairs lost the personal data of 26.5 million U.S. veterans and their spouses after a laptop was stolen from the home of a government employee. Other government agencies that have recently lost sensitive data include the Federal Trade Commission, the Department of Agriculture and
the Department of Energy.
The new standards include encryption for all data on notebooks and mobile devices unless it is specifically classified as "nonsensitive" in writing by a Deputy Secretary or other empowered superior. Agencies must additionally require two forms of authentication to access the information, such as a password and key card system.
Government employees must also employ "time-outs" that require the user to re-authenticate every 30 minutes for both remote access and mobile devices. All data downloads must be logged, and sensitive data may remain on a laptop or handheld for a maximum of 90 days, unless specifically permitted for a longer period. The memo includes a list of guidelines from the National Institutes of Standards and Technology (NIST) on protecting information.
While the new procedures are presented as a "recommendation" from the OMB, Deputy Director Clay Johnson III adds that the office will be sending government inspectors to see that the request is properly and promptly carried out. The OMB has provided a flowchart illustrating the steps it would like agencies to take, in addition to procedural lists.
"Most departments and agencies have these measures already in place," Johnson said in the memo. "We intend to work with the Inspectors General community to review these items as well as the checklist to ensure we are properly safeguarding the information the American taxpayer has entrusted to us. Please ensure these safeguards have been reviewed and are in place within the next 45 days."
In less bureaucratic terms, the sentiment seems to be: Get it done, and soon.
Data loss has been a point of contention in the private sector as well. Many companies, or their affiliates, have lost customers' personal data. In June, approximately 243,000 Hotels.com customers were put at risk via an Ernst & Young laptop loss, and 1.3 million Texas Guaranteed Student Loan company customers had their data exposed.
Wow...I must applaud the government for FINALLY implementing this. These new rules and regulations are a start and hopefully can only get stricter over time. The next step we need to take is to move this beyond a "recommendation".
I have been up to date on nearly every security breach over the past few months and according to: <a class="jive-link-external" href="http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP" target="_newWindow">http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP</a> the total number of people affected has been 89,399,953 since February of 2005.
While the government has done a good job in finally establishing this as a major National problem, it took them far too long. Why did they wait until nearly 90 MILLION people were affected before this. It's not too late, but it coulda/shoulda been done quite a while back.
Sadly, a majority of these data breaches were caused by the government's lack of emphasis on security so establishing these laws is the least they can do. While the government continues to ammend their policies on security and encryption they should read up on some recent facts of email encryption: <a class="jive-link-external" href="http://www.essentialsecurity.com/Documents/article15.htm" target="_newWindow">http://www.essentialsecurity.com/Documents/article15.htm</a>
With the rampant data thefts, it's about time that the Government's officially responded. The article says, "The request comes in the wake of several embarrassing government security breaches due to losses of laptops holding sensitive information," embarrassment is an understatement - what about flagrant disregard for personal information. Let's not forget that last week the FTC also lost a laptop. There are solutions out there, but organizations need to use them before it's too late <a class="jive-link-external" href="http://www.essentialsecurity.com/howitworks_laptop.htm" target="_newWindow">http://www.essentialsecurity.com/howitworks_laptop.htm</a>
Nobody has ever broken 256bit AES encryption (the best out there, which I assume is what they're going to use...), and nobody expects it to be broken for at least another decade.
Chinese authorities have reportedly taken iPads from a third-party retailer, a move apparently brought on by Apple's continued refusal to honor a trademark for the iPad name owned by a Chinese manufacturer.
NY professor believes that a word-based algorithm can help bring together those who believe, with one glimpse, that they have found and lost the love of their lives.
After a higher-than-expected fourth quarter, the video subscription service unburdens itself of a pending yearlong class action suit and settles for $9 million.
Along with green-lighting Google's buy of Motorola, the Justice Department today OKs an Apple-Microsoft-RIM partnership deal to buy Nortel patents, and Apple's plan to acquire Novell patents.
Chamtech's spray-on antenna uses a nano material to provide a low-power boost to antenna range. The wireless-in-a-can product may some day bring an end to unsightly cell towers.
This week, we pass around Sony's new PlayStation Vita for some hands-on testing, check out HP's newest Beats Audio laptop, and debate the best and worst Valentine's Day gadget gifts.
EnerG2 opens a plant to make an engineered carbon that will improve performance of energy storage devices and make storage for start-stop hybrid cars less expensive.
I have been up to date on nearly every security breach over the past few months and according to:
<a class="jive-link-external" href="http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP" target="_newWindow">http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP</a>
the total number of people affected has been 89,399,953 since February of 2005.
While the government has done a good job in finally establishing this as a major National problem, it took them far too long. Why did they wait until nearly 90 MILLION people were affected before this. It's not too late, but it coulda/shoulda been done quite a while back.
Sadly, a majority of these data breaches were caused by the government's lack of emphasis on security so establishing these laws is the least they can do. While the government continues to ammend their policies on security and encryption they should read up on some recent facts of email encryption:
<a class="jive-link-external" href="http://www.essentialsecurity.com/Documents/article15.htm" target="_newWindow">http://www.essentialsecurity.com/Documents/article15.htm</a>
How many of these laptops have been stolen from inside the business or department?