Following contractor's loss of laptops, TSA now requires encryption

Published 19 October 2007

Contractors for TSA must now encrypt all data on their computers; order issued after loss of laptops holding information on nearly 4,000 hazmat drivers

The Transportation Security Administration (TSA) has had enough. Following the loss and possible theft of two laptops containing the personal data of 3,930 truckers who handle hazardous materials, TSA has mandated that contractors must encrypt any and all data on top of any deletion policies they have in place. According to a letter the TSA sent to lawmakers on 12 October, the laptops — both of which belonged to a TSA contractor — contain names, addresses, birthdays, commercial driver’s license numbers and, in some instances, Social Security numbers of the affected truckers. First, one laptop was lost. At that time, the contractor, the Integrated Biometric Technology division of Stamford, Connecticut-based L-1 Identity Solutions, told TSA that the truckers’ information had been deleted from the system, TSA public affairs manager Ann Davis told eWeek’s Lisa Vaas. Then, another laptop disappeared. After the second theft or loss, TSA conducted an IT forensic investigation that ascertained that the deleted information could be retrieved if a thief had the proper training. “So even though [there’s only a] small chance of [the data being misused], we did notify all affected individuals and advised them of what steps to take to protect themselves, and we mandated that contractors need to encrypt any and all data in addition to any deletion procedures that might be in place,” Davis said.

TSA requires that all individuals who transport hazardous waste provide information for a security clearance in a program called the Hazardous Materials Endorsement Threat Assessment which is mandated under the Patriot Act. This is not the first time a data breach has occured at TSA, and it is not the agency’s biggest data breach, either. On 7 May, the agency said that a hard drive containing personal information belonging to 100,000 government workers had been lost.