Thursday, May 25, 2006

GAO says VA not alone in data carelessness

GAO says VA not alone in data carelessness

WASHINGTON (AP) — It isn't just Veterans Affairs. Personal information about Americans isn't safeguarded properly throughout the government, and the consequences could be disastrous, congressional investigators say.

The potential damage was shown this week in the disclosure that personal data on 26.5 million veterans was stolen.

Veterans Affairs was one of eight departments given failing grades for computer security practices in 2005. The Pentagon and the departments of Homeland Security, State, Energy and Health and Human Services also got Fs from the House Committee on Government Reform in its annual report card released in March.

"For many years, we have reported that poor information security is a widespread problem that has potentially devastating consequences," Greg Wilshusen, the Government Accountability Office's director of information security issues, told the committee then.

"There's a vast amount of highly sensitive information that the government collects and maintains," Wilshusen said Wednesday. "A number of agencies are vulnerable to similar data breaches."

A law passed in 2002 requires government agencies to make sure the information they and their contractors handle is secure. Agencies must evaluate their technology and systems, train employees and put procedures in place to protect information and to respond if security is breached.

As the Veterans Affairs theft reveals, data security has as much to do with procedures — such as who gets access to data and what they do with it — as it does with hackproof computer systems.

Evaluations of the government's computer security practices in 2005 resulted in an overall grade of D+ by the government.

Five agencies — including Justice, Treasury and the Nuclear Regulatory Commission — did worse in 2005 than in 2004, according to the committee.

Ten, including the Social Security Administration, improved. The Agency for International Development received an A+ two years in a row.

Bruce Schneier, author of "Beyond Fear: Thinking Sensibly About Security in an Uncertain World," said that making data more secure doesn't get to the root of the problem that people don't control the use of information about themselves.

Identity theft wouldn't be such a big problem if credit card companies, for example, didn't make it so easy to get a credit card, Schneier said.

"We're not going to solve this by making data hard to steal," he said. "The way we're going to solve it is by making the data hard to use.

Find this article at: