Agencies take steps to safeguard data.
by Swartz, Nikki
The Office of Management and Budget (OMB) has ordered all federal
agencies to eliminate the unnecessary collection and use of Social
Security numbers by 2009.
That order and several other new security measures to combat data
breaches and identity theft were outlined in a memo to all department
and agency heads from Clay Johnson III, deputy director for management
of the OMB.
According to an Associated Press (AP) report, Johnson gave the
agencies 120 days to review all their files for instances in which the
use of Social Security numbers is superfluous and "establish a plan
in which the agency will eliminate the unnecessary collection and use of
Social Security numbers within 18 months."
In addition, he directed agencies to review all information they
have that could be used to identify an individual citizen or employee,
to ensure such records are accurate, and "to reduce them to the
minimum necessary for the proper performance" of their duties.
The order is based on the principle that "the federal
government should not unnecessarily collect or maintain personally
identifiable information," OMB spokesman Sean Kevelighan told the
AP. By requiring agencies to reduce such data to a minimum, the agency
hopes the risk of harm from identity theft will decline, he added.
The order stems from several high-profile data breaches that
occurred over the past few years. Last year, for example, the Veterans
Affairs Department reported that a laptop computer with information for
more than 26.5 million military personnel, including data on 2.2 million
active-duty military, Guard, and Reserve members, had been stolen from a
department employee.
After that breach, a House Government Reform Committee
investigation revealed that 19 agencies had lost personal information
about thousands of employees and the public in 788 separate incidents
since January 2003.
And it didn't end with the VA breach. In April, an Illinois
farmer alerted the government that the Social Security numbers of 38,700
recipients of Agriculture Department grants had been available on a
government website since 1996.
In May, the Transportation Security Administration (TSA) lost an
external computer hard drive containing Social Security numbers, bank
data, and payroll information for about 100,000 employees. In a civil
lawsuit filed after the TSA drive was lost, four airport security
screeners and their union, the American Federation of Government
Employees, asked a federal court in Washington to order TSA to encrypt
personnel data and install electronic monitoring on any mobile equipment
that stores personnel information, according to the AP.
Among the other measures ordered by Johnson was a requirement that
agencies encrypt all data on mobile computers or storage devices, unless
the department's deputy secretary certifies in writing that it is
not sensitive. The AP said Johnson also ordered each agency to establish
a policy within 120 days for notifying security officials, potential
victims, and the public about the loss or exposure of personally
identifiable information based on risk principles he defined.
Johnson also said agencies must implement a secure method for
granting remote access to data, automatic time-out of remote access
unless the user re-authenticates before 30 minutes of inactivity, and
logs of all extracts of information from databases with sensitive data.
Johnson's memo also called for better training of employees in
security rules and written descriptions of potential discipline for
violations.
COPYRIGHT 2007 Association of Records Managers &
Administrators (ARMA) Reproduced with permission of the copyright holder. Further reproduction or distribution is prohibited without permission.
Copyright 2007 Gale, Cengage Learning. All rights
reserved. Gale Group is a Thomson Corporation Company.