Trade Law Daily is a service of Warren Communications News.

Agency Breach Policies May Outrun Technology, Officials Say

As agencies rush to write breach notification policies under a 120-day Office of Management and Budget (OMB) deadline, they should factor in those policies’ cultural and technological feasibility, officials told a Wednesday Homeland Defense Journal forum. Not all strategies to prevent data leakage work in all situations, and if implemented poorly such policies can harm government systems, they said.

House Oversight Committee Ranking Member Tom Davis, R-Va., lauded OMB for acting in May without waiting for new legislation under which to issue rules for privacy and security. He also cited the committee’s early role in seeking information from agencies on breaches otherwise unreported. Davis agreed with an audience member that Congress often tells agencies what to do without authorizing funding. “Ultimately the [Bush] administration’s got to step forward,” he said. The question on funding is what to do with agencies that “constantly are not stepping up to the plate,” Davis said, citing an “incongruity” between those authorizing funding and those appropriating it.

Asked about more information security legislation, Davis said, “I think there will be a lot of attempts.” He told the audience to watch appropriations bills for buried information security legislation. “The only thing that’s going to pass… is attached to a larger bill,” he predicted.

By the end of August, the Department of Homeland Security (DHS) expects to issue privacy incident handling guidance that has been in draft since before the OMB directive, Chief Privacy Officer Hugo Teufel said. Teufel’s office lately has been on a tear, telling DHS employees in a June memo not to collect Social Security numbers (SSNs) unless mandated by law or for a “specific authorized purpose.” The office also has set up a system for approving and overseeing programs that use SSNs. It also ordered each DHS component and directorate to assess its handling of personally identifiable information (PII) on personnel, to train employees in privacy and information technology (IT) procedures for personnel data and to distribute rules according to a series of deadlines ending September 15.

The Federal Trade Commission (FTC) breach notification plan was finished last month, using the same definitions for PII as mentioned in OMB’s September 2006 and May memos on data protection, said Marc Groman, chief privacy officer. Besides the threat of identity theft, the agency will consider whether lost data were illegally disclosed, encrypted or, if not illegally disclosed, potentially “embarrassing,” as with health data, in deciding whether to notify, he said. The plan created an internal team assigned to meet immediately upon news of a breach, and including among its members the agency’s chief information security officer, inspector general and even the chairman’s chief of staff and public affairs director, to make sure breaches are explained simply to the public, he said.

Groman became “really unpopular” at the FTC in March when he required its 1,200 employees to sign a PII compliance form requiring they promptly tell the agency of breaches, he said. “Given the size of your agencies, good luck” getting higher-ups to mandate similar contracts, he told other speakers. Groman instituted a “clean-up day” on which employees searched for and safely disposed of unnecessarily held PII in paper or electronic form; it was initially a source of grumbling, though some who griped later acknowledged it was long overdue. “We have to consider our audience” in developing breach policies, not just the IT staff, Groman said. A new internal promotional effort asks workers to “handle with care” any sensitive information, illustrated with a graphic of a dangling carton of eggs.

The National Institute of Standards and Technology (NIST) is producing several publications on PII and data protection guidelines, said Tim Grance, systems and network security manager. They will tell federal employees to consider whether publicly available material still might be deemed PII, such as IP addresses that can be linked to an individual. Workers also are being told to resist the temptation to “encrypt the hell out of everything,” which bars the public from legitimate Web-based information, he said. One publication will address common misconceptions about the strength of encryption in certain situations, Grance said. He knows of a government staffer who used his e-mail password as his encryption key, a faux pas. Agencies will be urged to devise policies for internal network access from public Wi-Fi zones, backup of encrypted data and the IPv6 transition, he said. Grance noted approvingly that one aerospace company bars any remote access to PII, requiring on-premises access.

Federal workers reading OMB directives might say “Oh, we do that,” but “the question is, do you do that everywhere?” said Mischel Kwon, chief IT security technologist at the Department of Justice. Many mobile devices used in federal work never touch the core network or are otherwise unknown to IT staff, and two-factor authentication may be a poor choice for BlackBerrys and other handhelds, she said. “A great deal of this is a people process,” Kwon said, such as asking if people really need to take work home on mobile devices. “Encryption could become your highest vulnerability” if offices use multiple encryption formats or users forget passwords, and it can keep agencies from sharing information, she said.

The security incident response process “is still balancing out,” Kwon said. Definitions of PII can differ even within agencies and among different missions, she said. And an OMB stipulation that all breaches be reported within an hour of discovery to the U.S. Computer Emergency Readiness Team needs more discussion, she said, noting that Justice has 38 components, each with its own procedures for reporting breaches up the chain of authority. “That’s a hard tap dance to do in one hour,” she said. “Do we want to report a million ‘I have a possible [breach]’ or one a day of ‘I need some help here’?” Kwon called herself unenthused with OMB’s 120-day deadline for devising notification policies.

Agency movement away from using SSNs for identification must focus on varied alternatives, Grance said. “Be careful about replacements that become too interoperable. You don’t want to create another Social Security situation.” Kwon was more skeptical. “It’s going to be a while” before new identifiers are settled on. “So what are you going to do in the interim?” Grance agreed that practicalities may outweigh principles. The “deadbeat dad database” may be riddled with privacy and security holes, but no one wants to scrap such a resource, he said. “God and the devil both dwell in the implementation.” -- Greg Piper

Forum Notebook…

The House Oversight Committee plans a hearing next week on P2P networks in regard to government agency data breaches, Ranking Member Tom Davis, R-Va., said. “The volume… of [private] information out there is going to surprise a lot of people,” he said. The committee recently asked makers of file-sharing software if they had fixed features in their programs that may cause inadvertent sharing by users of information they want kept private, or leave traces of the programs when users try to uninstall them (WID July 9 p4). The committee held 2003 hearings on P2P use; more recently, the Patent and Trademark Office has been a major focus of concern over P2P networks’ potential to threaten the privacy and security of government-held data (WID March 6 p2). “All you need is one employee to have one vulnerability in their system,” exploited by P2P software, to compromise the entire network, Davis said. The hearing will hear testimony by U.S. employees whose systems have been compromised by P2P networks and experts in the technology, he said.