Policies and procedures have been changed to cut the risk of personal information being compromised because of stolen or misplaced laptop computers and data storage devices, officials at three state agencies told a House committee Wednesday.

“This is a real wake-up call,” said Dennis Shockley, executive director of the Oklahoma Housing Finance Agency. “We thought we had real good security.”

More than a million names were on a stolen state Department of Human Services laptop computer and about 225,000 names were on a stolen Housing Finance Agency laptop, both swiped in April. About 5,000 names were on a flash drive of an Oklahoma Employment Security Commission employee that was lost in March. All the information contained at least the names, Social Security numbers and birth dates of the agencies’ clients.

Shockley said his agency is looking at encryption software as well as putting the data on secure servers instead of letting employees place the information on their laptops.

As a result of the lost personal information, House Speaker Chris Benge, R-Tulsa, asked Rep. John Wright, chairman of the House Administrative Rules and Agency Oversight Committee, to review state information technology policies. Wright, R-Broken Arrow, started with the agencies where the personal information was compromised.

“Three of these instances by different state agencies in a fairly short space of time does indicate the potential vulnerability in light of the number of government employees with sensitive information and should serve as a wake-up call to all of the state entities,” Wright said.

In addition to protecting identity information of clients, it’s more affordable for state agencies to take security steps instead of having to pay costs associated with notifying and helping people whose information has been stolen, he said. Wright suggested employees take only a limited amount of personal information and not have large amounts of data on their laptops.
Why and how

DHS Director Howard Hendrick said a large number of his agency’s clients’ names were lost because the stolen laptop belonged to a “super user”, one of five in the agency. They no longer can take that amount of data out of the office, he said. Most employees don’t have data on their laptops and instead access information through a secure server, Hendrick said. Encryption software is being installed on laptops and eventually all data on devices such as BlackBerries will be encrypted, he said.

Jerry Pectol, director of the Oklahoma Employment Security Commission’s unemployment insurance division, said employees now may use only flash drives that can be encrypted to protect personal information. Banning the use of personal flash drives is also a new rule, he said.
Upgrades in security urged

State agencies need to upgrade their security programs and policies on laptop computers and other devices to protect people’s personal information, a technology security expert said Wednesday.

State lawmakers also brought in Dan Yost, chief technology officer for MyLaptopGPS in Stillwater, to make a pitch for legislation to create the job of chief information officer for the state. That person would be in charge of data security and would streamline computer operations and purchases.

“The first step to laptop security is assuming you’re next,” Yost said. “If you just assume you’re next, common sense does a really good job.”

Here’s a look at what Yost said:

The problem

Two state-owned laptops containing personal information of more than 1.2 million Oklahomans were reported stolen last month. A flash drive with names and Social Security numbers of about 5,000 Oklahomans was lost in March. State officials said the laptops had two layers of password protection, but Yost said they “essentially had no protection.” He said the thieves probably were after the hardware, but the data could be sold on the black market.

Expert’s suggestions

Oklahoma should do a better job of protecting the data and set policies on how much data is allowed on computers when taken out of the office, Yost said. He suggested the state look at encrypting data on portable devices and being able to delete it remotely.

“Each agency can investigate technologies,” he said. “I would imagine vendors are coming out of the woodwork.”

Legislative answers

Two measures, House Bill 1704 and Senate Bill 980, would streamline information technology services and increase data security in state government. One bill will be submitted to lawmakers. Both measures would create a chief information officer to direct technology purchases and security policies for all state agencies. The chief information officer would be appointed by the governor.
Oklahoma is only one of four states without a centralized technology officer, said Rep. Jason Murphey. Murphey, R-Guthrie, said “a nightmare scenario” exists in the state because each agency has its own policies on computers and data.

Michael McNutt, Capitol Bureau