About 70 percent of federal agencies’ laptop computers and mobile computing devices were unencrypted as of September, according to a new report (pdf) from the Government Accountability Office (the investigative arm of Congress). This isn’t a surprise. In May, I discussed news that the federal government admitted 60 percent of its mobile computing equipment was unencrypted.
Besides the lack of encrypted devices, the GAO also found that, of the 24 major federal agencies surveyed, "none of the agencies had documented comprehensive plans to guide encryption implementation activities, such as inventorying information to determine encryption needs; documenting how the agency plans to select, install, configure, and monitor encryption technologies; developing and documenting encryption policies and procedures; and training personnel in the use of installed encryption."
The federal government has been embarrassed by a string of losses (pdf) or thefts of unencrypted computing devices, yet it continues to ignore this basic security practice. The agencies get up to an 85 percent discount on the price of encryption software through the government’s SmartBuy program, so they cannot use cost as an excuse.
The data held by the federal government is especially sensitive and should be strongly guarded. Of the 24 major federal agencies surveyed by the GAO, "10 agencies reported having systems that contain sensitive medical information, 16 reported having systems that contain sensitive regulatory information, 19 reported having systems that contain sensitive personal information, and 20 reported having systems that contain sensitive program-specific information."
The 24 major federal agencies are the Agency for International Development; the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Justice, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Environmental Protection Agency; the General Services Administration; the National Aeronautics and Space Administration; the National Science Foundation; the Nuclear Regulatory Commission; the Office of Personnel Management; the Small Business Administration; and the Social Security Administration. In May, we learned that more than a third of these agencies received a "D" or "F" on the FY 2007 Computer Security Report Card (pdf) released by the House Committee on Oversight and Government Reform.
More coverage of the GAO report here, here, here, and here.
You can learn more about security breaches and identity theft at Privacy Rights Clearinghouse. The organization has a “Chronology of Data Breaches,” which shows that 227 million records have been exposed because of security breaches in the public and private sectors since January 2005.