Verified Identity Pass loses PC with Registered Traveler data
- By Alice Lipowicz
- Aug 05, 2008
The Transportation Security Administration has suspended new enrollments for the largest vendor in the Registered Traveler program following the company's loss of a laptop PC that contained unencrypted personal information on 33,000 participants in the program.
The TSA said the vendor, Verified Identity Pass Inc., was found to be "not in compliance" with the agency's requirement to encrypt sensitive personal information submitted by applicants and enrollees, according to TSA spokeswoman Ann Davis. Although the agency has authority to suspend the program overall and impose civil penalties, Davis said today that neither of those additional actions is now being considered.
The laptop was stolen from a locked office at San Francisco International Airport, Verified Identity Pass said in a statement. The personal information the laptop contained is protected by two levels of password protection and does not include Social Security numbers, biometric data or credit card information, the company said. The individuals affected were mostly new applicants along with a few members seeking re-enrollment.
"We don't believe the security or privacy of these would-be members will be compromised in any way," Steven Brill, chief executive of the company, said in a statement.
The Registered Traveler program operates as a partnership between TSA, private vendors, and airport authorities. The enrollees pay a fee, supply personal information and undergo a background check, and then receive expedited service through security checkpoints at 17 participating airports. The enrollees verify their identities at airports through use of a biometric identification card. Verified Identity Pass said it has about 200,000 enrollees in the program.
The TSA said it started the suspension following the loss of the computer on July 26. The agency said it has instructed Verified Identity Pass to notify all the individuals whose data was stored in the computer, and to cease use of unencrypted computers until encryption can be installed. The agency also notified airport authorities to ensure their cooperation.
The company will be required to submit an independent audit showing that encryption is in place, and TSA will check the audits, before enrollment can resume. The actions do not affect current operations or current enrollees of Registered Traveler, TSA officials said.
The information on the missing laptop includes applicants' names, addresses, birth dates and, for some applicants, driver's license numbers, passport numbers or alien registration card numbers, the company said. The company said it provides identity theft warranty protection to cover damages from the loss of data.
Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.