Nearly two years after an embarrassing flap in which veterans' personal information was put at risk of identity theft, federal agencies are still not doing all they can to prevent further lapses, investigators have found.
Most of the two dozen federal agencies examined by the Government Accountability Office, Congress' investigative arm, have not implemented five federal recommendations aimed at protecting personal information. Only two agencies — the Treasury and Transportation departments — met each of those recommendations while two others — the Small Business Administration and the National Science Foundation — met none of them.
The other 18 agencies met the recommendations to varying degrees.
The recommendations were among those issued by the White House Office of Management and Budget following the 2006 VA incident, when a computer hard drive containing millions of names, Social Security numbers and birth dates was stolen from a VA employee's home in Maryland. The hard drive was later recovered intact.
A spokesman for the Small Business Administration, Sean Rushton, said his agency received additional funds in 2007 to enhance security.
"SBA is working hard to improve its cyber security in accordance with OMB directives," he said.
Officials with the National Science Foundation had no comment on the report after business hours Thursday night.
"The findings released in this report are very troubling — indicating that agency after agency has failed to make securing citizens' personal information a high priority," said Sen. Norm Coleman, a Minnesota Republican, who asked for the GAO report along with Rep. Susan Davis, D-Calif.
"The clock is ticking and we need to know when the agencies are going to have the protections in place to stop the numerous data breaches we have seen over the past few years," he said.
Coleman, the ranking Republican on the Permanent Subcommittee on Investigations, and Sen. Susan Collins of Maine, the ranking Republican on the Homeland Security Committee, wrote to the agencies asking them how soon they'd be able to implement the recommendations.
"The federal government collects and stores large amounts of personal information that is a tempting target for identity thieves," Collins said. "Agencies cannot act quickly enough to implement policies to help protect and secure this sensitive data."
Coleman and Davis asked for the report after the 2006 VA incident. A separate GAO report last September found that the VA had yet to implement several safety measures.
In the new report, the GAO looked at OMB recommendations such as encrypting data on mobile computers and other devices that carry agency data; and using a checklist to protect personally identifiable information that is accessed remotely or physically transported outside the agency.
Only four agencies met that last recommendation. The VA was not one of them, but it did meet the other four recommendations.
"VA is committed to ensuring the personal information of our veterans is secured," VA spokesman Matt Smith said in a statement. "We are continually enhancing our protections and welcome opportunities to improve."
Karen Evans, OMB's administrator for e-government and information technology, said in a statement: "OMB continues to work with the agencies and monitor their progress in addressing the recommendations of the president's Identity Theft Task Force. We are working to ensure that agencies have the proper security controls in place to minimize and prevent risks to the public's information."