A group of current and former contractors at NASA's Jet Propulsion Laboratory (JPL) may file a lawsuit due to the possible exposure of personal information stored on an agency laptop stolen last month from a locked car, their lawyer said Wednesday.
The laptop, stolen on Oct. 31, stored the personal data of some 10,000 NASA employees and contractors.
Some members of the group were part of a lawsuit filed against NASA five years ago over what they claimed were overly intrusive background checks the agency was conducting in connection with a mandatory federal smart card credentialing program.
At that time, the group contended that the data being collected by NASA was highly personal. They had expressed concern over NASA's ability to protect their private data.
The case went all the way to the Supreme Court, which last year ruled that NASA was within its rights to conduct such checks as a condition of employment.
All of those involved in that suit were contractors working as senior scientists and engineers at JPL in Pasadena, Calif. The facility is staffed and managed for NASA by the California Institute of Technology.
The Oct. 31 theft of an unencrypted agency laptop from the locked car of a teleworking NASA employee validates the privacy concerns raised in the earlier lawsuit, said Dan Stormer, a lawyer with Hadsell, Stormer, Richardson & Renick, LLC, the firm representing the group.
According to NASA, the stolen laptop contained unencrypted Social Security Numbers, dates of birth, birthplace information and other data. The laptop also stored "sensitive information" gathered as part of background investigations, NASA acknowledged.
"NASA's handling of the data was in direct violation of the Privacy Act," Stormer said. "They violated the right to privacy by releasing confidential information."
The Supreme Court's ruling in favor of NASA last year noted the private data being collected by NASA would be adequately protected under the provisions of the Privacy Act, Stormer said.
"Clearly in light of NASA's cavalier disregard for the privacy right of others," Stormer said, that did not happen.
Stormer said the group is considering whether to file a class-action suit against NASA over the recent breach, alleging negligence and violations of the Privacy Act.
Former NASA scientist Robert Nelson, who worked as a NASA astronomer for 34 years and was a senior member of the Cassini Orbiter team, said his data was compromised in the recent breach.
"The issue is how did this happen?" Nelson said in an interview with Computerworld. "When we sued them five years ago, one of the arguments we made was that we didn't believe NASA was capable enough to protect our data. When we lost our lawsuit they went ahead and completed those investigations," he said.
"What would be useful to figure out is how NASA, after all this scrutiny, was so incredibly incompetent to allow this to happen," said Nelson, who left NASA earlier this year.
In a press conference on Wednesday, Nelson and other JPL workers called on Congress to investigate the computer theft and NASA's data collection practices.
"Six years ago I and my colleagues at JPL were ordered by NASA to submit to background investigations of unlimited scope into the most intimate details of our private lives," Nelson noted in a statement. He said the data was collected from schools, residential management agents, retail businesses, employers and others.
"We warned of this possibility five years ago when we filed our lawsuit. We were ignored by the courts. Now, unfortunately, by virtue of the cavalier behavior of a NASA bureaucrat our argument has been proven," Nelson said.
In a letter addressed to several lawmakers, Nelson reiterated the concerns he had raised in the 2007 lawsuit, and asked Congress to intervene.
Rep. Adam Schiff (D-Calif.), one of the lawmakers to whom the letter was addressed, today expressed concern over the breach.
"During hearings before the House Science Committee last spring, there was testimony on the slow pace of IT security upgrades at NASA," Schiff said in a statement.
"As a member of the Appropriations subcommittee that oversees and funds NASA, I will be calling on the agency to report on and accelerate its efforts to maintain data security. The low-tech theft of a laptop is troubling enough, but it only scratches the surface of potentially far greater data vulnerabilities," Schiff noted.
NASA spokesman Bob Jacobs today said the agency understands employee concerns and regrets the inconvenience the theft has caused. "We regret that it happened and we are taking steps to ensure that it never happens again," he said.
An agency-wide full disk encryption initiative that NASA launched in the immediate aftermath of the October 31 theft is making solid progress, Jacobs said.
So far about 80% of NASA computers containing sensitive data have been encrypted, he said. All affected NASA computers should be encrypted by the Dec. 21 deadline, Jacobs added.
Teleworkers will no longer be allowed to take unencrypted laptops outside NASA facilities, he said.
Jacobs noted that the stolen laptop was not supposed to be taken from the JPL facilities. "That is one of the things we regret the most. That laptop was not supposed to leave the building," he said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld.