The Transportation Security Administration (TSA) has effectively ordered contractors to encrypt all data related to TSA activities.  Apparently, the tipping point was the recent loss of two laptops that carried the information of nearly four thousand Hazmat truckers.  This is not the first time the TSA has had issues with lost data: earlier this year a hard drive containing the employment records of 100,000 government workers was lost as well.  In that particular case, the information included Social Security numbers, dates of birth, payroll information, and bank account information.  The TSA got into a lot of trouble for that particular loss, as the hard drive disappeared from a controlled area at TSA headquarters.  As far as I know, the case remains unresolved and pending.

Obviously, the more recent loss is not the fault of TSA, but of the contractors working for the administration—hence the order.  The TSA already has policies requiring contractors to delete data after it has been collected and served their purpose; however, I’m sure the TSA must have found, rather late, that this does not protect individuals if the devices containing the information are stolen or lost before there was a chance to delete the data. 

On a side note, if I may, chances are the information, when deleted, is not truly deleted.  The news abounds with researchers who were able to extract deleted data from hard drives, not that this is exactly “news.”  If by chance the thief or thieves had stolen a laptop after sensitive information was deleted, they might be able to reconstitute the data.  The software to do so is relatively cheap and easily available in the market.  While deleting data is always a good idea (let’s not make things easy for the perps, right?), it’s not really a security measure in the strictest sense: it’s about as secure as leaving your house keys under the welcome mat at the front door.

I’m sure this is why the TSA is looking for contractors to sign up for encryption services such as AlertBoot.  Encryption is a powerful tool for deterring sensitive data from being read (and, consequently, abused) by criminals.  If the TSA makes a mistake, it can accept it; make and enforce changes for better security; and move on.  If outside contractors are involved who are lax with data security, the TSA still has to deal with the issues of the data breach though they’re not at fault. 

An added benefit to encrypting content is that, as I sometimes mention in my posts, encrypted data cannot be retrieved in the same way that deleted data can.  The only way to gain access to the information is to know the username and password.

An added benefit for people using AlertBoot?  If a laptop gets stolen, you can get rid of usernames and passwords completely so there’s no way to access the data at all.  This is a great feature if there’s a sinking suspicion that the theft was an inside job, or there’s reason to suspect that the perps somehow figured out the keys to accessing the data.