June 27, 2006

Baucus Wants Review of SS Information Breach

Stolen laptop computer contained material on more than 200 SSA claimants

Washington, DC – U.S. Senator Max Baucus (D-Mont.), ranking Democrat on the Senate Finance Committee, today called for a “complete and wide-ranging review” of the security of Social Security Administration (SSA) systems and sensitive data. In a letter to Social Security Commissioner Ann Barnhart, Baucus cited the recent theft, from a hotel room, of a laptop computer belonging to a Social Security employee; the laptop held information on 219 Social Security disability claimants. Baucus asked Barnhart for more information on the incident and on what the agency will do to prevent further security breaches. He also requested that SSA consider new rules about the removal of individuals’ information from SSA property.

“There have been far too many stories lately about the loss of individuals’ information by government agencies. The Social Security Administration needs to make changes now to keep another security breach from happening,” said Baucus. “This single breach at Social Security may seem like a small event compared to the Veterans’ Administration’s loss of millions of files, but it’s a big deal to the folks who were affected. I don’t want it to happen again.”

The text of the Senator’s letter follows here:



June 26, 2006

The Honorable Jo Anne B. Barnhart
Commissioner
Social Security Administration
6401 Security Boulevard
Baltimore, MD 21235

Dear Commissioner Barnhart:

Recently, senior officials from the Social Security Administration (SSA) brought to my attention that an SSA employee attending a conference had a laptop computer stolen from his hotel room. This laptop computer contained written material regarding as many as 219 Social Security disability benefits decisions that had been appealed by the claimants, including names and Social Security numbers. It appears that at the time that the laptop was stolen, the material it contained was not protected by a password.

Clearly, the unprotected exposure of any individually-identifiable information from SSA or any other Federal agency is of great concern. I am sure that you would agree that members of the public must be able to expect that the information they gave to an agency will not become available at any time to anyone outside of the agency. Therefore, it is imperative that this type of information be protected from any access by outsiders, and that SSA – as well as other agencies – prevent incidents like this from happening again.

I urge you to conduct a complete and wide-ranging review of the security of all of your information systems and sensitive data. I understand you have begun a review, and I would like your review to answer at least five questions:

1. What went wrong in this situation?

2. Have any other security breaches occurred?

3. What potential vulnerabilities exist in the system?

4. What can the agency do to prevent further security breaches?

5. How many inspections of employees’ work-at-home stations have supervisors performed in the past year to determine if the security guidelines for working at home are being followed?

I ask that, in addition to thoroughly answering each of these five questions, you fully consider the following two options:

1. An option that forbids any sensitive data about individuals from being removed from SSA property and worked on away from SSA property.

2. An option that requires that any sensitive data about individuals be removed from SSA property only in media or formats that are already fully protected from security breaches.

I would also like you to consider the possibility of offering to pay for a subscription to one credit reporting and monitoring service for at least one year for each of the 219 potentially affected individuals who want to check that there is no sign that their identities have been stolen.

It is my understanding that the loss of the information in the laptop computer occurred at the end of March of this year, but that word of that loss did not reach senior officials in Washington and Baltimore until very recently. I am very troubled by this delay. I ask you to examine why it took so long for word to reach SSA headquarters and explore the possibility already surfaced by SSA officials that a reorganization that occurred at the same time caused the delay. Your review should also examine remedies to ensure that such a delay does not recur.

I would appreciate it if you could report back to me on the findings of your review by July 31. I look forward to hearing from you and to working with you to ensure that security breaches are not repeated. I thank you in advance for your efforts.

Sincerely,

Max Baucus

# # #