Clay Johnson III, Deputy Director for Management of the Office of Management and Budget, issued a memo on Tuesday to all department and agency heads ordering the implementation of new security measures to fight identity theft.
The agencies have until early 2009 to reduce and protect the personal identifying data that they maintain in records for public citizens and employees. The agencies must review their files within 120 days to identify cases where Social Security numbers are not required and “establish a plan in which the agency will eliminate the unnecessary collection and use of Social Security numbers within 18 months.” The agencies also have 120 days to establish a policy for notifying security officials, possible victims and the general public of loss or exposure of identifiying information. Further, agencies must encrypt all data on mobile computers or information storage devices unless there is written certification that the information is not sensitive, and must secure a safe method for remote access to sensitive data. Finally, agencies must improve security training of employees and establish written discipline descriptions for violations.
The memo stemmed from recommendations from the Identity Theft Task Force to reduce the growing loss and theft of personal information.