WASHINGTON -- Plagued by regular breaches in the security of personal data, federal agencies were ordered Tuesday to eliminate the unnecessary collection and use of Social Security numbers by early 2009.
That order and several other new security measures against identity theft were outlined in a memo to all department and agency heads from Clay Johnson III, deputy director for management of the Office of Management and Budget.
Johnson gave the agencies 120 days to review all their files for instances in which the use of Social Security numbers is superfluous and "establish a plan in which the agency will eliminate the unnecessary collection and use of Social Security numbers within 18 months."
Beyond that, agencies were directed to review all information they have that could be used to identify an individual citizen or employee, to ensure such records are accurate and "to reduce them to the minimum necessary for the proper performance" of their duties.
The order is based on the principle that "the federal government should not unnecessarily collect or maintain personally identifiable information," OMB spokesman Sean Kevelighan said. By requiring agencies to reduce such data to a minimum, the risk of harm from identity theft will decline, he added.
The order was the culmination of steps taken since the Veterans Affairs Department reported one year ago that a laptop with information for more than 26.5 million military personnel, including data on 2.2 million active-duty military, Guard and Reserve members, was stolen from a department employee.
The massive VA breach created an uproar among the public and in Congress. The Bush administration set up an Identity Theft Task Force, which made recommendations last month.
Johnson's memo "formalizes the recommendations of the task force," Kevelighan said. "Agencies will reduce the unnecessary use of the Social Security number, thus reducing the potential for loss of personal data and the potential for identity theft."
It was not immediately clear whether Congress would be satisfied with the timeline set by the administration or with the range of steps ordered.
After the VA breach, an investigation by the House Government Reform Committee found that 19 agencies had lost personal information about thousands of employees and the public in 788 incidents since Jan. 1, 2003.
And the blunders just keep on coming.
Last month, a discovery by an Illinois farmer alerted the government that the Social Security numbers of 38,700 recipients of Agriculture Department grants had been posted on a government Web site since 1996.
And this month, the Transportation Security Administration lost an external computer hard drive containing Social Security numbers, bank data and payroll information for about 100,000 employees.
Among the other measures ordered by Johnson was a requirement that agencies encrypt all data on mobile computers or storage devices, unless the department's deputy secretary certifies in writing that it is not sensitive.
In a civil lawsuit filed after the TSA drive was lost, four airport security screeners and their union, the American Federation of Government Employees, asked the federal court in Washington to order the TSA to encrypt personnel data and install electronic monitoring on any mobile equipment that stores personnel information.
Johnson also ordered each agency to establish a policy within 120 days for notifying security officials, potential victims and the public about the loss or exposure of sensitive personal information based on risk principles he outlined.
For example, an office Rolodex with names and phone numbers "probably would not be considered sensitive information," Johnson wrote. "However, the same information in a database of patients at a clinic which treats contagious disease probably would be considered sensitive information."
Earlier suggestions, which Johnson said agencies now must implement, include a secure method for granting remote access to data, automatic time-out of remote access sessions after 30 minutes of inactivity unless the user re-authenticates, and logs of all extracts of information from databases holding sensitive data.
The memo also called for better training of employees in security rules and written descriptions of potential discipline for violations.