30 December 2010

Data loss (again)

Despite strong public criticism of recurrent losses of official laptops (in particular devices that hold unencrypted sensitive personal information) some US government agencies just don't seem to be getting the message, articulating guidelines for the management of the machines but then ignoring them.

A 34-page report from the Office of Inspector General (i.e. the internal compliance unit) at the national Government Printing Office on Control and Accountability of Laptop Computers (Audit Report 1102, 6 December 2010) indicates that as many as one-third of the 629 laptops issued to GPO employees and contractors since 2005 may be missing. To lose a few devices is bad luck; to lose a third of the complement looks like carelessness.

The report indicates that GPO managers could not explain where the laptops have gone (into the hopper bin, stolen, lost, with an executive's kids, in someone's bottom drawer?). GPO management did not adhere to standard written policies meant to ensure that the devices are tracked; indeed, GPO recordkeeping does not identify which laptops went to which employee or contractor. The agency doesn't systematically collect laptops when employees leave.

Apart from concerns regarding expenditure (we might question the estimate of US$470,730, given that laptops do wear out or get damaged) the Inspector General commented that the missing laptops risk exposing sensitive information on audits and investigations, acquisitions and personal data, including information on "the manufacture and issuance of security documents such as US passports". The organisation was exhorted to implement standard operating procedures covering acquisition, storage, delivery and return of laptops, underpinned by a better recordkeeping process. It should also inventory laptops each year, with investigation of those that go AWOL.