The federal government’s loss of sensitive information, often stored on laptop computers (laptops), has generated significant concern.¹ For example, in May 2006 a laptop with 26.5 million records containing sensitive information on veterans and their spouses was stolen from a Department of Veterans Affairs employee. In June 2006, the Department of Agriculture disclosed that three of its systems were compromised, potentially making available the names, social security numbers, and photographs of 26,000 of its employees, contractors, and retirees in the Washington, D.C., area. In August 2006, a laptop containing personal information on 30,000 Navy applicants, recruiters, and prospects fell off a motorcycle belonging to a recruiter and was observed by a roadside worker being picked up by someone in a car.

According to a 2006 report on federal agency data breaches by the House Committee on Government Reform, 19 federal departments and agencies have reported hundreds of instances of loss of personally identifiable information (PII) since January 2003.² The number of individuals affected in each incident ranged from 1 to 26.5 million. The type of information lost and potentially compromised included personal information such as names, home addresses, photographs, dates of birth, social security numbers, fingerprints, medical information, tax information, earnings records, user passwords, law enforcement information requests, and personal information on law enforcement employees.

These incidents highlight the risk that PII and other sensitive data can be compromised when computers or storage media such as disks, CD-ROMs, and flash drives, are lost or stolen. The PII on lost or stolen computers or storage media can be used to commit fraud or identity theft. Further, other types of sensitive information, such as proprietary business information or sensitive law enforcement information, could be inappropriately disclosed or copied for purposes of industrial espionage, retaliation, or other crimes.

Because of the importance of these issues, the OIG conducted this review to identify the policies and procedures nine Department components are required to follow to (1) report and identify losses of sensitive information, including PII and classified information, and (2) notify affected parties of losses of their sensitive information.³

The report begins with a background section that provides information about the roles and responsibilities of the staff within the Department’s Office of the Chief Information Officer and the development of the Department’s reporting procedures by that office. The report then describes the Department’s reporting and incident response procedures. The report also contains appendices that provide a detailed description of each of the nine components’ reporting procedures and policies.

This review is intended to provide an overview of the policies and procedures the Department has established to respond to and report computer security incidents.⁴ However, in this review, we did not verify that components followed Department reporting procedures or verify the accuracy of the data contained in the database used by the Department to track these incidents. Rather, the intent of this review was to identify what policies had been established, and what procedures were being followed in reporting computer security incidents.

1. The Department of Justice defines sensitive information in its Security Program Operating Manual as, “ Any information, the loss, misuse, modification of, or unauthorized access to, could affect the national interest, law enforcement activities, the conduct of Federal programs, or the privacy to which individuals are entitled under Section 552a of Title 5, U.S. Code, but that has not been specifically authorized under criteria established by an executive order or an act of Congress to be kept classified in the interest of national defense or foreign policy.”

2. See Committee on Government Reform, U.S. House of Representatives, 109th Congress, Agency Data Breaches Since January 1, 2003, October 13, 2006. According to Office of Management and Budget (OMB) Memorandum M-06-19, July 12, 2006, PII is defined as “any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history and criminal or employment history and information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, date and place of birth, mother’s maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual.”

3. The nine components reviewed were the Bureau of Alcohol, Tobacco, Firearms and Explosives; Federal Bureau of Prisons; Criminal Division; Drug Enforcement Administration; Executive Office for United States Attorneys; Federal Bureau of Investigation; Justice Management Division; Tax Division; and United States Marshals Service. These nine components were chosen because they accounted for a large percentage of the total number of all computer security incidents, including PII and other sensitive data loss incidents, reported to the Department between December 2005 and November 2006.

4. According to DOJCERT, a computer security incident is any unexpected, unplanned event that could have a negative impact on IT resources. Computer security incidents can include the loss of both classified and unclassified systems, unauthorized removal of computer equipment, and exploited weaknesses in a computer system that allows unauthorized access to password files. DOJCERT considers losses of sensitive information to be a subset of computer security incidents.