Department Of Defense Putting Data At Risk

The Department of Defense risks exposing personally identifiable information and other sensitive data because it isn't consistently following proper procedures in preparing computer equipment for disposal or reuse, the military's inspector general has found.

In an evaluation of DoD internal controls and processes, the inspector general found that several military departments didn't properly delete data and fully account for unclassified equipment before releasing it to other federal agencies, schools, and non-profit organizations.

In one case, a Navy division neglected to erase phone numbers, e-mail addresses, instant messages, and system log files from hard drives. And Defense Reutilization and Marketing Services, which is tasked with processing systems for hand off to third parties, failed to document that data had been properly wiped from drives.

Policies to avoid such problems have been in place since at least 2001, but weren't followed or supported by training or were out of date, according to the report.

Even at low levels, such breakdowns in procedure could pose privacy and national security concerns. In fiscal 2007 and 2008, the DoD disposed of more than 340,000 pieces of usable IT equipment from computers and hard drives to cell phones and USB drives.

The inspector general recommends that the CIOs of the Department of Defense and Navy update their policies, and that the rest of the DoD follow the proper procedures for getting rid of excess IT equipment.

InformationWeek has published an in-depth report on e-health and the federal stimulus package. Download the report here (registration required).