Reprinted with permission from CNET News

Enough already!

We are understandably tired of hearing about the potential compromise of personal information contained on lost government laptop computers. Indeed, in the past couple of months alone, the Department of Veterans Affairs, the Internal Revenue Service and the Federal Trade Commission have grappled with missing laptops that contained large amounts of private data.

Reacting to what could become a crisis, the Executive Office of the President's Office of Management and Budget (OMB) has issued new security guidelines to address and compensate for the lack of physical security controls when information is removed from, or accessed from outside of, federal department and agency locations.

Specifically, the OMB recommends that all departments and agencies:

  • Encrypt all data on mobile computers/devices that carry governmental data unless the data is determined to be nonsensitive;
  • Allow remote access only with "two factor" authentication where one of the factors is provided by a device separate from the computer gaining access;
  • Use a "time out" function for remote access and mobile devices that requires user reauthentication after 30 minutes of inactivity;
  • Log all computer-readable data extracts from databases holding sensitive information, and verify that each extract including sensitive data has been erased within 90 days or that its use is still required.

The purpose of the foregoing, as stated by the OMB, is "to properly safeguard our information assets while using information technology." That is correct, except that the information assets also obviously implicate the interests of the actual people whose data is housed on government laptops.

Unfortunately, the OMB has stopped short of issuing actual requirements here, and instead promulgated recommendations. The recommendations make sense as a first step, and, frankly, should be required.

The OMB has asked that the above safeguards be put in place within 45 days by federal departments and agencies. Hopefully, the expression "good enough for government work" soon will include federal action with respect to the OMB's recommendations, and we will stop hearing about misplaced government laptops that contain easily accessible sensitive data.

Eric J. Sinrod is a partner in the San Francisco office of Duane Morris. His focus includes information technology and intellectual property disputes. To receive his weekly columns, send an e-mail to ejsinrod@duanemorris.com with "Subscribe" in the subject line. The views expressed in this column do not necessarily reflect those of Sinrod's law firm or its individual partners.
