The FBI loses between three and four of its laptop computers every month, as well as the same number of weapons, according to a recent report by the Department of Justice’s Inspector General.
Over the last 44 months, 160 FBI laptops were reported lost or stolen — some containing potentially sensitive information — along with 160 weapons.
That’s the bad news.
The good news is that those numbers are down from a similar audit conducted in 2002, which found that 317 laptops had gone missing or been stolen over the previous 28 months, along with 354 weapons. That previous audit had also found that the FBI did not always report or investigate the losses in a timely manner.
Not Enough Correction
“Our audit found that the FBI has not taken sufficient corrective action on several recommendations outlined in our 2002 audit report to address the issue of missing and stolen equipment,” stated the Inspector General’s report. “Perhaps most troubling, the FBI could not determine in many cases whether the lost or stolen laptop computers contained sensitive or classified information. Such information may include case information, personal identifying information, or classified information on FBI operations.”
Of the 160 missing computers, documentation could be found for only 152 of them. Of those, 101 were marked as not containing sensitive or classified information, while eight were marked as containing it. For a full 43, however, the type of information they contained was not indicated.
“This is a significant deficiency,” the report stated. “Some of these laptops may have contained classified or sensitive information, such as personally identifiable information or investigative case files. Without knowing the contents of these lost and stolen laptop computers, it is impossible for the FBI to know the extent of the damage these losses might have had on its operations or on national security.”
“It is notable that the Inspector General has concluded the FBI has made significant progress in decreasing the rate of loss for weapons and laptops,” FBI Assistant Director John Miller said. “When compared with figures from 2002, there has been a 349 percent reduction in the average number of weapons lost or stolen in a given month and a 312 percent reduction in the loss or theft of laptop computers.”
Nevertheless, “While the Inspector General acknowledged that the loss of certain resources is inevitable in an organization the size of the FBI, we stand committed to increasing institutional and personal accountability to further increase the progress we have made in minimizing the loss of firearms and information technology components,” Miller added.
“This whole issue of data breaches is nothing new,” Liz Gasster, acting executive director and general counsel for the Cyber Security Industry Alliance, told the E-Commerce Times. “It’s a broad-based problem.”
Only 35 states require notification of individuals when their personal information has been compromised, as recently happened at TJX Companies.
“This underscores the need for across-the-board legislation not just to notify individuals when their information has been compromised,” Gasster said, “but also to put reasonable security standards in place to proactively enhance the level of security with which information is treated, which would reduce the likelihood of breaches in the first place.” As the old adage goes, Gasster added, an ounce of prevention is worth a pound of cure.
Definitions Too Broad
Recent legislation in response to a laptop breach at the Veteran’s Administration did enact some good measures, Gasster claimed, but it left the definitions of what is sensitive information and what constitutes a security breach too broad.
“It’s important for agencies to be enhancing the actual level of security and not just be engaged in a paper exercise,” she noted. “There are not enough enforcement consequences for agencies that are not implementing strong security.”
Key questions in Gasster’s mind include what steps were taken to secure data on the FBI laptops to begin with and, if a laptop contained sensitive information, whether it was protected with strong encryption, as required by agency policy.
“Of course accidents happen,” she concluded. “You don’t want to be so punitive that it’s unfair. But these organizations have a fiduciary duty to safeguard the information thoroughly so that if the worst happens, it is still protected.”