Recently in News Category

The Consequences of Losing PII


It's getting really scary out there: another organization has lost documentation containing Personally Identifiable Information.

The Federal Energy Regulatory Commission (FERC) reported the loss of a binder containing the Personally Identifiable Information (PII) of over 2,800 former employees.  The binder was last used in late February and was reported missing in early March - presumed to be lost during an office move while Human Resources employees cleaned out and disposed of old files from a locked office.

An investigation revealed that the binder was most likely thrown out, therefore a low probability exists that the information within was compromised.  Officials are taking steps to protect the identities and credit information of the people listed within the binder.

So why does this matter to us property people?  Though a binder with paperwork is not normally something we would track in our property control systems (see FAR 45.101), certainly the fact that the binder contained PII makes it worth keeping special tabs on.  It was in a locked office - great - but it seems like it was a little too easy to just throw away.

In reading this article, I kept thinking about Brandon Kriner's presentation at the recent NOVA chapter seminar.  Though his presentation focused on the importance of having property people work with IT people to track Sensitive Data Storage Devices (e.g. thumb drives), this is essentially the same thing.  In this case, however, it was a binder not an IT device; and it would be the property people working with the HR people to track.  Several questions come to mind here: 

  • Who was ultimately responsible for this binder?
  • Who had access to this locked office?
  • Who made decisions about what got thrown away and what didn't?
  • Was there a policy in place whereby people normally had to check out this binder and check it back in?

If I could guess, I would say no one had good answers to these questions.  Had there been a property person who knew what kind of information was kept in that office and what should have happened with that binder, this could have possibly been averted.  I talk to groups of property people often about keeping themselves out of the newspapers by taking pains to track the stuff they care about - surely this binder, with all its PII, fell under that category.

The Associated Press is reporting that the week-old ban forbidding IBM from getting new Federal contracts has been rescinded as of Thursday, April 3, 2008. 

IBM had been placed on the government-wide roster temporarily suspending all of the company's business units from engaging in new business with the Federal Government following an allegation that IBM employees improperly obtained privileged information in the firm's protest of an $84 million Environmental Protection Agency contract it lost in 2007.

An IBM press release on March 31, 2008 announced that "the U.S. Attorney's Office for the Eastern District of Virginia has served IBM and certain employees with grand jury subpoenas requesting testimony and documents regarding interactions between employees of the EPA and certain IBM employees."

IBM later announced that the government's decision to reinstate IBM's eligibility for Federal contracting is contingent upon an agreement to "continue to cooperate with the EPA's ongoing investigation of possible violations of the Procurement Integrity provisions of the Office of Federal Procurement Policy Act" and cooperate with the ongoing investigation by the U.S. Attorney's Office.  The company will also refund the EPA attorney fees and other costs that the agency incurred in dealing with IBM's protest.

According to the AP story, IBM has placed five employees on administrative leave pending its own internal investigation of the incident. 

InformationWeek reports that IBM's revenue from the government totaled about $1.3 billion, or 2% of the company's total sales.  Analysts have speculated that the decision to lift the ban was made in part because the incident appeared to be isolated and thus did not warrant the punishment of an entire large multinational firm.  Sources with knowledge of the situation also indicated that the EPA took action without consulting other agencies, thus compromising many other pending IBM government contracts unrelated to the EPA incident.

As an employee of a very small company that often competes with giants like IBM for government contracts, I salute the EPA for blowing the whistle on this alleged ethical violation.  Ensuring competitive fairness in contracting opportunities is a critical element of a free market society and the public trust that the taxpayers place in our government.  I hope that this incident will serve as a warning to others who may be tempted to sacrifice their reputations for revenue.


From the DCMA Public Website, information on the DoD Property Manual (http://guidebook.dcma.mil/34/dc08-170.htm):

Information Memorandum No. 08-170
Subject: Rescission of Instruction DoD 4161.2-M DoD Manual for the Performance of Contract Property Administration (INFORMATION)
Date: February 22, 2008

Target Audience: Property Administrators (PA) and Administrative Contracting Officers.

New Information/Guidance/Tools:

  • The subject Instruction designated the Defense Logistics Agency (Defense Contract Management Command) with responsibility for developing, publishing, and maintaining the DoD 4161.2-M.  This responsibility has continued under the Defense Contract Management Agency (DCMA).
  • The manual, last published in 1991, is now obsolete.  Its utility as a policy-making tool has largely been superseded by DoD Procedures, Guidance and Information (PGI).  With that in mind, OSD is in the process of cancelling DoDI 4161.2-M, DoD Manual for the Performance of Contract Property Administration.
  • Information and direction for DCMA Property Administrators and Plant Clearance Officers will be provided in the DCMA guidebook for Property Management on Government Contracts.
  • We will be updating the Guidebook on an incremental basis with the System Analysis Section projected for completion by May 1, 2008.
  • This information is applicable to the Property Management on Government Contracts Guidebook process.

Point of Contact for Further Information

Signature:
Deputy Executive Director, Contracts Directorate

NIH Laptop Stolen


The Washington Post reported today that a government laptop belonging to the National Institutes of Health (NIH) was stolen last month while in the possession of an NIH employee. The laptop apparently contains unencrypted sensitive medical data on 2,500 patients who were enrolled in a confidential NIH study. This incident highlights the need for organizations to take the steps necessary to secure highly sensitive or confidential information, or Personally Identifiable Information (PII). IT security is becoming more and more relevant as cases of identity theft continue to increase.

In 2006, after a laptop belonging to the Department of Veterans Affairs (VA) and containing PII of veterans and active-duty service members was stolen, the Office of Management and Budget issued a recommendation that all portable IT devices be loaded with encryption software. One year later, this recommendation became a requirement for any portable device that may contain sensitive information.

The article also states that a recent study conducted by the Government Accountability Office (GAO) found that this month alone, at least 19 of 24 government agencies reviewed had experienced at least one breach that could potentially expose PII to identity theft. These findings illustrate the need for organizations, public or private, to place the highest priority on accounting for sensitive data, which now more than ever reside on portable, even hand-held devices. The theft of a desktop computer is not likely; the theft or loss of a laptop, a PDA, or a Blackberry is almost an inevitability. Organizations must ensure that property management procedures are in place to prevent PII from falling into the wrong hands, not only by encrypting sensitive data but, more importantly, by placing a much higher priority of accountability on devices that are portable or that may contain sensitive data. Equally important, they must ensure that staff are knowledgeable about and fully compliant with those procedures.

The following was distributed to introduce the new leader of DCMA's new Property Division!

From: Director, DCMA
Sent: Friday, January 18, 2008 4:00 PM
To: DCMA All Personnel
Subject: New Property Division Director

I am pleased to announce the selection of Cynthia Thrailkill as Director of the new Property Division within the Business Operations Center. Cindy has 34 years of contract management experience. For the last 12 years she has been a supervisor leading a Property and Plant Clearance Team, a Technical Assistance Team and, most recently, a multi-functional Operations Team. Cindy has an extensive background in Property and Plant Clearance and has led Agency level policy development efforts such as the Property Modification Team. She holds a Bachelor of Science in Business Administration from the College of Mount St. Joseph and a Masters of Science in Management from Indiana Wesleyan University. She is DAWIA certified in Industrial Property Management; Contracting; and Manufacturing, Production and Quality Assurance. She is also an active member of the National Property Management Association. Cindy will assume her new duties on 20 January 2008. Please join me in congratulating Cindy.

 

Keith D. Ernst
Acting Director
