Archive for the 'computer security' Category

APWU Initiates Dispute Over Changes to USPS Handbook AS-805, Information Security

From the APWU Industrial Relations web site:

(Oct. 25, 2006) The APWU initiated a national dispute over the Postal Service’s announcement of revisions to the AS-805 handbook governing Information Security. The revised handbook restricts employees from bringing personal information resources (e.g. laptops, notebooks, PDAs, handheld computers and USB port devices such as flash memory sticks) into postal facilities. The union is concerned that the new restrictions may adversely impact the union’s ability to perform its duties.

Click here to read the APWU letter outlining the dispute.

USPS tightens computer security rules

Yesterday’s Postal Bulletin contains new rules on the use of postal computers, as well as more restrictions on the use of personal electronic devices on postal property. Here are some excerpts:

“The removal and storage of sensitive and business-controlled sensitive Postal Service electronic information from Postal Service premises must be approved in writing by the functional vice president (data steward) and the Chief Information Officer (CIO).”

“Do not bring personal information resources (e.g., laptops, notebooks, personal digital assistants [PDAs], handheld computers, or storage media including universal serial bus [USB] port devices) into Postal Service facilities. Do not connect personal information resources to the Postal Service Intranet (Blue).”

“In order to protect Postal Service information from disclosure or compromise, non-Postal Service portable devices (e.g., laptops, notebooks, personal digital assistants [PDAs], handheld computers, cameras, watches with cameras, or storage media including universal serial bus [USB] port devices or thumb drives) should not be used on Postal Service facilities without written approval from the user’s vice president or his or her designee. Under no circumstances will such devices connect to the Postal Service Intranet (Blue) or store Postal Service information.”

“Visitors to Postal Service facilities are required to present non-Postal Service portable devices to the installation head or his or her designee upon entry to the facility. The installation head or his or her designee will determine if such devices must be surrendered for the duration of the visit. Under no circumstances will such devices connect to the Postal Service Intranet (Blue) or store Postal Service information.”

Handbook AS-805 Revision

USPS Confidential?

The postal service published an article on information security in its Link employee newsletter on Friday, apparently in response to the Veterans Affairs Department case we mentioned here Thursday. The Link article reminds employees that they should avoid downloading sensitive information, and if they need to download it for legitimate purposes, they shouldn’t store it carelessly, or bring it home with them.

It’s all good advice. The only problem is that the VA told its employees the same things.

Keep in mind that the VA case became public because of the amount of information that was compromised, and the fact that it involved the theft of an expensive laptop computer. The same information on every postal employee would fit comfortably on a USB drive, something easily lost or stolen. An employee whose laptop is stolen is going to have to tell his boss, and the police. An employee who misplaces a twenty-five dollar USB drive is probably going to buy a replacement and hope for the best.

Remember also that the VA employee was simply careless. Suppose he had actually been unscrupulous? When you’ve got personal data on 26 million veterans (or 700 thousand postal employees), you don’t need to unload it all at once; you might just sell, or use, a little of the information at a time.

One postal employee who responded to Thursday’s article told us he had been the victim of identity thieves who ran up $17,000 in bogus charges on credit card accounts opened in his name. There’s no proof that the information came from the postal service database, but everything the crooks used, including Social Security number, date of birth, etc., is in there, and can be downloaded by anyone with the right access.

Reminders like the Link article are good first steps, but until employees’ Social Security numbers and other personal data are securely locked down, what happened at the VA could happen at the USPS, and for all we know, already has.

USPS News Link | May 26, 2006

ID Theft: Are your records safe?

The recent scandal involving the theft of personal information on 26.5 million veterans from a VA employee’s laptop should be a wake-up call for the Postal Service and other agencies that have similar holes in their computer security practices.

The most glaring problem is the continued use of Social Security numbers as identifiers in employee files that are accessible to large numbers of agency employees. While agencies may have policies prohibiting downloading the type of data involved in the VA case, most don’t have the kind of safeguards that would actually prevent someone from doing just that.

FederalNewsRadio - WFED: VA Chief Vows Accountability for ID Theft