Dear Commissioner Barnhart:
Recently, senior officials from the Social Security Administration (SSA) brought to my attention that an SSA employee attending a conference had a laptop computer stolen from his hotel room. This laptop computer contained written material regarding as many as 219 Social Security disability benefits decisions that had been appealed by the claimants, including names and Social Security numbers. It appears that at the time that the laptop was stolen, the material it contained was not protected by a password.
Clearly, the unprotected exposure of any individually identifiable information from SSA or any other Federal agency is of great concern. I am sure that you would agree that members of the public must be able to expect that the information they gave to an agency will not become available at any time to anyone outside of the agency. Therefore, it is imperative that this type of information be protected from any access by outsiders, and that SSA, as well as other agencies, prevent incidents like this from happening again.
I urge you to conduct a complete and wide-ranging review of the security of all of your information systems and sensitive data. I understand you have begun a review, and I would like your review to answer at least five questions:
1. What went wrong in this situation?
2. Have any other security breaches occurred?
3. What potential vulnerabilities exist in the system?
4. What can the agency do to prevent further security breaches?
5. How many inspections of employees’ work-at-home stations have supervisors performed in the past year to determine if the security guidelines for working at home are being followed?
I ask that, in addition to thoroughly answering each of these five questions, you fully consider the following two options:
1. An option that forbids any sensitive data about individuals from being removed from SSA property and worked on away from SSA property.
2. An option that requires that any sensitive data about individuals be removed from SSA property only in media or formats that are already fully protected from security breaches.
I would also like you to consider the possibility of offering to pay for a subscription to one credit reporting and monitoring service for at least one year for each of the 219 potentially affected individuals who want to check that there is no sign that their identities have been stolen.
It is my understanding that the loss of the information in the laptop computer occurred at the end of March of this year, but that word of that loss did not reach senior officials in Washington and Baltimore until very recently. I am very troubled by this delay. I ask you to examine why it took so long for word to reach SSA headquarters and explore the possibility already surfaced by SSA officials that a reorganization that occurred at the same time caused the delay. Your review should also examine remedies to ensure that such a delay does not recur.
I would appreciate it if you could report back to me on the findings of your review by July 31. I look forward to hearing from you and to working with you to ensure that security breaches are not repeated. I thank you in advance for your efforts.
Sincerely,
Max Baucus