If You’re Collecting Our Data, You Ought to Protect It
LAST summer, employees at the National Aeronautics and Space Administration received an in-house newsletter illustrated with mock front pages of USA Today and The Washington Post and seemingly hyperbolic headlines like: “NASA Laptop Stolen, Potential Compromise of 10,000 Employees’ Private Information!”
The catastrophizing turned out to be prescient.
On Halloween, just a few months after the newsletter went out, a laptop used by an employee at NASA headquarters in Washington was stolen from a parked car. Subsequently, NASA sent letters to about 10,000 current and former employees and contractors, warning them that the laptop had not been encrypted. The letter explained that confidential details — like employees’ names, birth dates, Social Security numbers and, in some cases, personal information from background checks — may have been compromised.
When Robert M. Nelson, a solar systems scientist who recently retired after 34 years at the Jet Propulsion Laboratory, part of NASA, received the letter, he felt vindicated. Several years earlier, he and 27 other civilian scientists at the lab sued the agency to try to stop it from conducting open-ended background checks of researchers like them who worked on nonmilitary space projects.
“You’d think an agent of NASA would be a little more careful,” Dr. Nelson says. “Why does NASA need personal data unrelated to our work and then treat it in such a cavalier way that it is stolen from a car unencrypted?”
NASA has since notified an additional 30,000 people whose personal information may have been on the stolen laptop, says Robert Jacobs, a NASA spokesman. He declined to provide the job title of the person who left the laptop in the car. But he said that there had been no indication of identity theft and that the agency has encrypted practically all of its 38,000 laptops.
By now, reports of lost or stolen business devices are so common that many people open data-breach notices from their banks, insurers, medical institutions, schools and state agencies with something like resignation. In fact, negligence by employees and contractors has been a more common cause of corporate data breaches in the United States than malicious attacks, according to a study of 2011 done by the Ponemon Institute, a research center on data security, and financed by Symantec, a data security company. Institutions, companies and government agencies often devote more resources to collecting information about employees and consumers than to protecting it, security specialists say.
“This is an unfortunate but perfectly cautionary tale of not only how we should look more carefully at protecting data after it is collected,” says Lee Tien, a senior staff lawyer at the Electronic Frontier Foundation, a digital rights group in San Francisco, “but also how the data is to be safeguarded before we collect it to make sure it isn’t used improperly or disclosed accidentally.”
Dr. Nelson and his colleagues at the Jet Propulsion Lab, which is operated for NASA by the California Institute of Technology in Pasadena, didn’t set out to become crusaders for workplace data privacy and security. Initially, they wanted only to challenge NASA’s background checks, arguing that civilian scientists had a right to keep their romantic, psychiatric and other intimate information private from the government. Besides, they contended, the space agency would not be able to safeguard the information.
The scientists took their case all the way to the Supreme Court, only to lose. In 2011, the justices unanimously ruled that NASA had legitimate reasons to look into personal issues, like whether an employee had received drug counseling. A federal law called the Privacy Act of 1974, which restricts how government agencies share a person’s data, the justices said, should protect the information obtained in background checks.
“They were clearly wrong,” says Marc Rotenberg, executive director of the Electronic Privacy Information Center, an advocacy group in Washington that filed a friend-of-the-court brief in the case. “Exactly the problem people anticipated came to pass.”
Privacy advocates say that one obstacle to improving workplace information security is a lack of consequences for employees who compromise personal data. In 2009, for example, the Government Accountability Office issued a report, titled “NASA Needs to Remedy Vulnerabilities in Key Networks,” which urged the agency to institute whole-disk encryption for all of its laptops. Unlike simple computer login passwords — which can often be guessed or bypassed to get to readable files — disk encryption scrambles files so they can’t be read without the correct key.
NASA eventually required the Jet Propulsion Laboratory to encrypt its laptops. But at the time of the Halloween theft, not all laptops at agency headquarters itself had been encrypted. Susan Landau, a Guggenheim fellow in cyber security, privacy and public policy, says companies and agencies are unlikely to improve data security without the threat of penalty.
“What are the personal consequences for employees who allow data breaches to happen?” Ms. Landau asks. “Until people lose their jobs, nothing is going to change.”
Mr. Jacobs declined to comment about whether NASA had disciplined the employee who left the laptop in the car, saying the issue was “covered by privacy.”
DR. NELSON did not emerge from his data rights battle unscathed. Caltech issued disciplinary citations to five employees of the Jet Propulsion Laboratory, including Dr. Nelson, who had used their nasa.gov e-mail addresses to send messages to thousands of colleagues about the Supreme Court decision. An employee who commits a second offense after receiving such a warning could be fired, Dr. Nelson says.
Lawren B. Markle, a spokesman for Caltech, says the employees used government resources, paid for by taxpayers, “to spam thousands of individuals, government officials and agencies, other businesses, and colleges and universities” with their political views.
“As a federal contractor,” Mr. Markle wrote in an e-mail, “we cannot allow the government resources entrusted to us to be used in this manner and particularly not to lobby for political positions.”
He added that a second warning would not automatically lead to dismissal. “The outcome would depend on the severity of the conduct and the history of the employee’s service,” he said.
The five employees have filed cases with the National Labor Relations Board, saying that they were unfairly disciplined because the e-mails were work-related.
“In the short time since the Supreme Court decision, tens of thousands of people have had their data compromised,” Dr. Nelson says. “For warning about what would eventually become true, we received disciplinary citations.”
An administrative judge is to rule on the matter in the coming months, but a Los Angeles office of the labor relations agency found merit in the scientists’ cases, concluding that Caltech unlawfully issued disciplinary warnings for the e-mails, says Mori Rubin, the regional director of the office. Her office also concluded that Caltech had disciplined the scientists for practices that other employees routinely undertook without penalty.
Such are the risks of taking a public stance on privacy.
E-mail: slipstream@nytimes.com.
A version of this article appeared in print on February 17, 2013, on page BU4 of the New York edition with the headline: If You’re Collecting Our Data, You Ought to Protect It.