White House orders better security for sensitive data

The U.S. government has 45 days to upgrade its security standards for protecting the data it holds on millions of U.S. citizens.

The Office of Management and Budget (OMB), which operates under the White House, sent a "Memorandum for the Heads of Departments and Agencies" (click here for PDF) on June 23 requesting the implementation of new security standards and practices concerning data.

The request comes in the wake of several embarrassing government security breaches due to losses of laptops holding sensitive information. Many of the incidents resulted in an accidental release of Social Security numbers and dates of birth--two key pieces of data used in identity theft.

Perhaps the worst breach took place May 22, when the Department of Veterans Affairs lost the personal data of 26.5 million U.S. veterans and their spouses after a laptop was stolen from the home of a government employee. Other government agencies that have recently lost sensitive data include the Federal Trade Commission, the Department of Agriculture and the Department of Energy.

The new standards include encryption for all data on notebooks and mobile devices unless it is specifically classified as "nonsensitive" in writing by a Deputy Secretary or other empowered superior. Agencies must additionally require two forms of authentication to access the information, such as a password and key card system.

Government employees must also employ "time-outs" that require the user to re-authenticate every 30 minutes for both remote access and mobile devices. All data downloads must be logged, and sensitive data may remain on a laptop or handheld for a maximum of 90 days, unless specifically permitted for a longer period. The memo includes a list of guidelines from the National Institutes of Standards and Technology (NIST) on protecting information.

While the new procedures are presented as a "recommendation" from the OMB, Deputy Director Clay Johnson III adds that the office will be sending government inspectors to see that the request is properly and promptly carried out. The OMB has provided a flowchart illustrating the steps it would like agencies to take, in addition to procedural lists.

"Most departments and agencies have these measures already in place," Johnson said in the memo. "We intend to work with the Inspectors General community to review these items as well as the checklist to ensure we are properly safeguarding the information the American taxpayer has entrusted to us. Please ensure these safeguards have been reviewed and are in place within the next 45 days."

In less bureaucratic terms, the sentiment seems to be: Get it done, and soon.

Data loss has been a point of contention in the private sector as well. Many companies, or their affiliates, have lost customers' personal data. In June, approximately 243,000 Hotels.com customers were put at risk via an Ernst & Young laptop loss, and 1.3 million Texas Guaranteed Student Loan company customers had their data exposed.

In March, data on 200,000 Hewlett-Packard employees was affected by a loss. Ohio University and the University of Southern California have also recently experienced breaches of information.

[Nkully86]

After 89,399,953 - Its about time

Wow...I must applaud the government for FINALLY implementing this. These new rules and regulations are a start and hopefully can only get stricter over time. The next step we need to take is to move this beyond a "recommendation".

I have been up to date on nearly every security breach over the past few months and according to:
http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP
the total number of people affected has been 89,399,953 since February of 2005.

While the government has done a good job in finally establishing this as a major National problem, it took them far too long. Why did they wait until nearly 90 MILLION people were affected before this. It's not too late, but it coulda/shoulda been done quite a while back.

Sadly, a majority of these data breaches were caused by the government's lack of emphasis on security so establishing these laws is the least they can do. While the government continues to ammend their policies on security and encryption they should read up on some recent facts of email encryption:
http://www.essentialsecurity.com/Documents/article15.htm

[marileev]

About Time

With the rampant data thefts, it's about time that the Government's officially responded. The article says, "The request comes in the wake of several embarrassing government security breaches due to losses of laptops holding sensitive information," embarrassment is an understatement - what about flagrant disregard for personal information. Let's not forget that last week the FTC also lost a laptop. There are solutions out there, but organizations need to use them before it's too late http://www.essentialsecurity.com/howitworks_laptop.htm

[mystereojones]

How about NOT taking the data home

That would be a start, right?

[Nkully86]

Completely Agree

Seems like that would solve all of our problems, eh?

How many of these laptops have been stolen from inside the business or department?

[WulfTheSaxon]

Unbreakable Encryption

Nobody has ever broken 256bit AES encryption (the best out there, which I assume is what they're going to use...), and nobody expects it to be broken for at least another decade.