The union represents employees throughout the Department of Homeland Security, including the TSA. Its class action lawsuit, filed within a day of the TSA announcing the missing hard drive, calls the loss of data a breach of the Privacy Act.
The hard drive, which the agency announced was missing on May 7, contains names, Social Security numbers, dates of birth, and payroll and bank account information.
In AFGE, et al v. Kip Hawley and TSA, the AFGE claims that by failing to establish safeguards to ensure the security and confidentiality of personnel records, TSA violated both the ATSA (Aviation and Transportation Security Act) and the Privacy Act of 1974.
The ATSA mandates the TSA administrator to “ensure the adequacy of security measures at airports,” and the Privacy Act directs that every federal agency have in place a security system to prevent unauthorized release of personal records.
“TSAs reckless behavior is clearly in violation of the law,” AFGE National President John Gage said in the unions statement. “TSA must be held liable for this wanton disregard for employee privacy.”
The AFGE is seeking for the TSA to create new security procedures consistent with the ATSA and the Privacy Act, specifically by electronically monitoring any mobile equipment that stores personnel data and by encrypting personnel data.
“The maintenance and safeguarding of personnel data is vital to the protection of security at our nations airports,” Gage said in the statement. “If the stolen information were to fall into the wrong hands, false identity badges easily could be created in order to gain access to secure areas. This is the Department of Homeland Security we are talking about. The American people look to DHS for security and protection. A DHS agency that cannot even shield its own employee data is not reassuring.”
The union is also asking that the TSA grant leave to employees—specifically, what it calls transportation security officers—who request it in order to protect against or correct identity theft or financial disruption caused by identity theft.
The TSA discovered that the hard drive was missing on May 3. It contained records of people employed at the agency between January 2002 and August 2005.
The drive was discovered missing from a controlled area at the TSA headquarters Office of Human Capital. As of last week, the agency still hadnt figured out if the drive is still somewhere within headquarters or in the hands of a thief.
TSA has begun to notify the affected individuals and is providing them with information about how to protect against identity fraud. The agency is also working out a process to purchase credit monitoring services for affected employees for one year.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.