Diane Krieger Spivak of the Post-Tribune reports that a laptop containing Social Security numbers and other personal information on approximately 50 victims of September’s floods was stolen from a housing inspector’s car on November 4. There was no explanation of why a housing inspector was in possession of the laptop. A FEMA spokesperson acknowledged that 13 laptops with information were stolen last year.
Stolen laptops are not the totality of FEMA’s data protection woes. In April 2007, FEMA had to notify 2,300 disaster assistance employees that their re-appointment letters exposed their Social Security numbers on the outside of the envelopes. In 2008, Robert Davis, a former FEMA employee, pleaded guilty and was sentenced for aggravated identity theft; 30 of the victims were those who had applied to FEMA for disaster relief.
The FEMA spokesperson explained the 4-month delay in notification in the present incident by saying that’s about how long it takes to identify victims and determine a course of action. A spokesperson for the Identity Theft Resource Center concurred, but this blogger respectfully disagrees. Indeed, when another laptop was stolen on July 7th last summer, by July 18th FEMA had arranged for credit monitoring services and contacted everyone. That incident affected even more people than the present incident. In both reports, there was no indication that the data were encrypted.
Certainly, with 13 laptops having been stolen in a one-year period, and with at least a few (if not all) of them having been stolen from cars, one has to ask why FEMA has not done more to encrypt personal information and to make it clear that laptops with personal information should not be left in cars.