Contact: Richard Mills (Commerce)
ER Anderson (Economics & Statistics Administration)
Ruth Cymber (Census)
WASHINGTON – The Department of Commerce today announced information from its recent Department-wide reviews of missing, lost or stolen laptops and potential breaches of personal identity data. The Department continues its review and is not aware of any data being improperly accessed or used. The information gathered from the reviews indicates that the Census Bureau had the disproportionate share of missing equipment and data. The reviews were in response to broad, government-wide Congressional and public inquiries.
Based on the review in response to the public inquiry, the Department determined that within its 15 operating units for the years 2001 to the present, out of over 30,000 laptops within the Department’s inventory over that time period, 1,137 were either lost, stolen or missing. Of these laptops, 249 contained personally identifiable information (PII), although access passwords, complex database software, systemic safeguards and/or encryption technology significantly limit the potential for misuse of data on the laptops.
A separate review in response to a request for information from the House Committee on Government Reform Chairman Tom Davis (R-VA) regarding the loss or compromise of any sensitive personal information from 2003 to the present found that there were 297 instances. These included: 217 laptops; 15 handheld devices; 46 thumbdrives; and the rest involved documents or other materials.
“We have an obligation to be good stewards of public property and government data. The amount of missing computers is high, but fortunately, the vulnerability for data misuse is low. While we know of no instances of personal information being improperly used, we regret each instance of lost material and believe the volume of lost equipment is unacceptable,” said Commerce Secretary Carlos M. Gutierrez. “All of the equipment that was lost or stolen contained protections to prevent a breach of personal information, and we are moving to institute better management, accountability, inventory controls, 100% encryption, and improved training.”
Information on the two agencies within the Department that have missing laptops with personal data follows:
Most of the missing laptops were assigned to the Census Bureau, which during the last five years has used over 20,000 laptops. Every year, thousands of Census field representatives fan out around the country to compile survey data, using laptops in their work. Much of the field workforce is comprised of temporary, hourly employees paid to gather data door-to-door. Given the unique nature of the Census workforce and method of data collection, the Bureau has long had technological and procedural mechanisms in place that limit any potential breach of information.
Regarding the unique nature of the Census laptops, the Bureau indicated that they contained the following:
The Census Bureau reported:
In addition to laptops, Census began evaluating the use of handheld devices to record survey data for testing processes in preparation for the 2010 Census. Of the approximately 2,400 in use since 2004, 15 have been lost, stolen or are missing with PII on them. All of these had encryption and required an initial password to operate the unit, and a second password to access the data that was only available to employees at Census headquarters. Unlike the laptops, it is possible for us to determine the potentially affected households, and we are in the process of contacting those 558 households even though the risk of misuse of data is extremely low.
In addition to those instances of potential breaches, the Census Bureau also reported 16 instances of non-electronic potential breaches of personal information, ranging from employee time and attendance records being lost in an office move to retirement information packages sent to the National Finance Center during Hurricane Katrina not being received. Where these potentially affected people can be identified, we are also in the process of contacting them.
NOAA reported 325 missing laptops, of which 3 contained personal data. NOAA currently has over 12,000 laptops in their inventory. In one instance, a NOAA law enforcement agent’s laptop with some case file information was stolen. On July 5, 2006, a laptop containing information (D.O.B., addresses and Social Security numbers) on 146 employees and contractors was reported stolen following a building fire in a NOAA facility in Seattle, Washington. NOAA contacted each of the affected people and offered credit counseling.
The following bureaus of the Commerce Department had the following number of laptops lost or stolen in the last 5 years: Bureau of Industry and Security, 9; Economic Development Administration, 6; Bureau of Economic Analysis, 4; International Trade Administration, 42; Technology Administration, 17; National Institute of Standards and Technology, 35; U.S. Patent and Trademark Office, 9; Office of the Inspector General, 2; and the Office of the Secretary, 17. None of these contained personally identifiable information.
Four Commerce agencies, the Economics and Statistics Administration, the Minority Business Development Agency, the National Technical Information Service, and the National Telecommunications and Information Administration, had no missing laptops.
Secretary Gutierrez outlined the steps that the Department is implementing to protect against further missing laptops or potential breaches of personal identity data, such as:
The Department takes very seriously these high instances of missing laptops, as well as potential breaches of personal identity data. This review process has clearly pointed out the flaws in the Department’s inventory and accountability efforts going back many years. We are viewing this process with the spirit of actively rooting out the problems and addressing them immediately,” added Gutierrez.