Analysis of Loss of Control Over Sensitive Personally Identifiable Information and Follow-up Actions to Strengthen its Protection
On August, 28, 2007 we issued a memorandum on our analysis of the circumstances surrounding the July 27, 2006 theft of an OIG laptop from a government vehicle in Doral, Florida and a prior theft that had occurred on April 24, 2006 from a hotel conference room in Orlando, Florida. Both laptops contained Sensitive Personally Identifiable Information (SPII) information on 138,000 individuals that heightened their potential risk of identity theft. Following our notification of the July theft, Members of the Florida congressional delegation requested that we examine our procedures for handling and storing such information and identify steps we have taken to ensure that such a breach would not happen again.
As part of our efforts, we employed ID Analytics, Inc. to monitor the SPII information to determine if it was being exploited. We have now received four reports from ID Analytics and it appears that the loss of control has not resulted in identity theft.
We identified three interrelated factors that contributed to the loss of our control over the sensitive personal information stored on the laptops:(1) measures taken to protect the physical security of the laptops were insufficient; (2) the data on the laptops had been decrypted to preserve the data during an upgrade to the OIG's information technology (IT) system; and (3) SPII databases were stored on laptop computers, which are inherently less secure than computers that operate in a centralized environment. The memorandum also sets forth the steps we have taken to improve the physical security of our laptops and improve how sensitive personal information is handled and stored.