TSA Laptop Missing: Lessons Learned
By now you’ve probably heard of the missing laptop at the San Francisco International Airport. The fact that a laptop turned up missing at an airport is hardly newsworthy; what is significant about this particular laptop is that it was lost by a Transportation Security Administration (TSA) contractor, Verified Identity Pass. Information pertaining to approximately 33,000 individuals enrolled in the Clear program (a program designed to accelerate getting through airport security) was on this computer, including names, addresses, and birth dates, and in some cases driver’s license numbers, green card numbers, and passport information. Fortunately, no Social Security numbers or digital fingerprint data were stored on the missing computer. However, the data were not encrypted; they were protected only by passwords.
After attempting to find the computer for a while, Verified Identity Pass told airport law enforcement that the computer was missing. Not long afterwards, the computer mysteriously showed up in what the company called an unlikely location. An investigation to determine whether or not the laptop had actually been stolen is being conducted. A company spokesperson stated that the company does not believe any data were compromised. The TSA ordered Verified Identity Pass to notify all 33,000 individuals who were potentially affected by the computer’s loss or theft, and also required the company to demonstrate that all of its computers use data encryption before more individuals can be enrolled in the Clear program.
It is tempting to blame Verified Identity Pass exclusively for this mishap, and some of the blame does indeed fall on this company, but in this situation the blame goes much deeper. In many ways both the TSA and the US Department of Homeland Security (DHS), of which it is a part, are even more to blame, in that they should have had policy provisions in place governing how contractors must protect personal data. Effective information security governance requires proactively managing third-party services, something that both the TSA and DHS neglected to do. Data encryption should have been specified and required as a condition for obtaining the contract, and the degree to which the third-party service provider was meeting this requirement should have been continuously monitored. Given the critical role of both entities in national security, their failure to do so is particularly dismaying.
The good news is that the TSA appears to have at least in part learned its lesson; it required Verified Identity Pass to encrypt personal data related to the Clear program from now on. But whether or not the TSA will make other, more profound changes in accordance with sound information security governance practices is uncertain. Verified Identity Pass is without doubt only one of hundreds or perhaps even thousands of DHS contractors, and data related to the Clear program are almost certainly only a small proportion of all the data that these contractors must store and process. All contracts awarded by DHS and the agencies within it need to contain detailed data protection requirements, and monitoring processes to verify compliance with those requirements need to be created and implemented. Until these changes are made, serious data security breach incidents such as the one at Verified Identity Pass are likely to continue to occur too frequently.