IE11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Data Not at Risk from Lost Devices, CalPERS Says

The devices allow members, several of whom live far from Sacramento, to access confidential closed-meeting materials through portals using personal logins. Closed-session materials can include investment strategies and personnel matters. They are not downloaded onto the devices, and documents cannot be printed from them.

CalPERS board member Margaret Brown has reported losing two state-issued iPhones and an iPad since she was elected to her seat overseeing the $380 billion pension fund two years ago, according to device records.

Brown’s losses of the devices, while representing relatively minor security risks for the California Public Employees’ Retirement System, stands out compared to other board members’ handling of their devices, according to records CalPERS provided under the Public Records Act.

In the last five years, three other board members among the 20 officials listed in the records reported losing one iPad each. 

Former Board President Priya Mathur reported losing an iPad Air 2 in 2018, and the device wasn’t found, according to the records.

Board members Theresa Taylor and Ramón Rubalcava each lost one iPad, neither of which appears to have been returned, according to the records.

The devices allow members, several of whom live far from Sacramento, to access confidential closed-meeting materials through portals using personal logins. Closed-session materials can include investment strategies and personnel matters. They are not downloaded onto the devices, and documents cannot be printed from them.

The fund’s staff often prepares as much as 1,000 pages of documents before monthly board meetings. Board members receive iPads to prepare for the meetings, CalPERS spokesman Wayne Davis said. The devices are particularly helpful for members who live outside Sacramento, for whom it wouldn’t be feasible to travel to the capital to view closed-session materials before meetings, Davis said.

Members of the pension board from time to time debate whether they should have access to more confidential records at home, balancing their need to prepare for meetings with security precautions meant to protect investments from potentially damaging leaks or hacks.

In an email, Brown said the records reflect her diligence in promptly reporting the devices lost. She said she found all three of the devices after reporting them lost.

“I am very neurotic about reporting as lost any item (credit cards, for example) that I misplace even for a few minutes,” she said in the email. “This seems to me to be the safe thing to do, even though I almost always find the missing item a few hours later.”

She reported the iPad Air 2 lost on Sept. 4 of this year, according to the records. The records, provided to The Bee on Oct. 11, showed that the device was still lost. When Brown was reached by a reporter on Oct. 21, she said the device had been found. She said the device had been at her home for the duration of the time it was lost. She didn’t respond to a question about when she reported to CalPERS that she had found the iPad.

CalPERS began to follow its standard security procedure after Brown reported the iPad missing, starting by attempting to locate the device using location tracking software and then wiping it of its contents, Davis said. That feature didn’t work, Davis said.

“Location tracking had been turned off,” he said. “Had that been turned on, we could have located it when it was reported lost.”

Brown said the tracking feature didn’t work because the device had died from lack of power. Davis said that if that were the case, CalPERS would have been able to identify the device’s last known position. But it couldn’t.

CalPERS then worked directly with AT&T to wipe the device of its contents, Davis said.

Brown won election to the 13-member board in December 2017 after pledging to serve as a watchdog over CalPERS.

In an email, Brown, who lives in Southern California, said CalPERS’ restrictions on confidential material make it difficult for her to hold the fund’s staff accountable.

“It prevents board members from being able to maintain a permanent archive of closed session materials,” she said. “This is a real problem as it prevents board members from being able to review what happened previously or hold accountable the staff.”

After her election and before her second meeting, Brown was reprimanded by former board president Mathur for allowing a guest into a restricted area of the CalPERS headquarters. The guest used CalPERS equipment for what appeared to be political activity.

Last year, Brown expressed support for an informal board proposal to allow members to access the more confidential material at home, including transcripts from closed meetings.

Board President Henry Jones, who also lives in Southern California, was interested in the idea of accessing the materials from a computer at his home. The conversation centered on security after inadvertent device losses as well as intentional leaks by board members. The proposal never went anywhere, leaving board members with access to certain material only in Sacramento.

Three cybersecurity experts said only an extremely sophisticated hacker could access information on the iPads with the protections CalPERS has in place.

Given the relatively strong protections on iPads, most attacks on them target user behavior, “such as having a weak passcode for the device and for any accounts and disclosing information on phishing websites,” said Candid Wueest, a Symantec threat researcher.

Wi-Fi connections and services with which iPads interact also could be potential targets, Wueest said.

If the meeting materials were downloaded onto the devices, they could be compromised more easily, said Clifford Neuman, an associate professor of computer science practice at the University of Southern California.

But even then, the iPad Air 2 devices have a special encryption system known as whole disc encryption providing strong protection for downloaded materials, Neuman said.

“I’d say this is relatively minor,” he said of the risk from the lost CalPERS devices. “It’s much less of a risk than the kinds of things that occur when someone has a laptop that has sensitive information on it and are not using whole disc encryption.”

The records show Brown lost an iPhone 6s on May 1, 2018, three months after it was issued to her, and then found it three days later.

She reported an iPhone 7 lost on or after Sept. 19, 2018. The records say the device was returned, but it’s not clear when. The device was returned without its case, screen protector or a sticker that assigns a number to each CalPERS device.

Brown returned another iPhone 7 to CalPERS in July of this year due to lack of use, the records show.

(c)2019 The Sacramento Bee. Distributed by Tribune Content Agency, LLC.