VA Working to Prevent Future Information Loss
By Samantha L. Quigley
American Forces Press Service
WASHINGTON, May 25, 2006 The Department of Veterans Affairs has begun a thorough examination of policies and procedures after the loss of 26.5 million veterans' personal information, the VA's leader told the House Armed Services Committee today.
"I've formed a task force ... to examine comprehensively all of our information security programs and policies to bring about a change in the way we do business," R. James Nicholson said.
His testimony today followed the May 22 announcement that a Veterans Affairs employee had taken electronic data home with him, though he was unauthorized to do so. The information was stolen when his house was burglarized May 3, though Nicholson was not made aware of the loss until May 16.
The employee has been placed on administrative leave pending the outcome of a full-scale investigation, Nicholson said.
To prevent a recurrence, Nicholson told the committee he has initiated an immediate review all current positions requiring access to sensitive data. Those who need that access will be required to undergo updated law enforcement and background checks.
Employees also must complete cybersecurity awareness training and general privacy awareness courses by June 30. Nicholson said they will then be required to sign an annual statement indicating they are aware of the Privacy Act and the proper use of government property.
"I promise you that we will do everything in our power to structure a policy and a regulatory regimen that make clear what is proper use of data by our employees," he said. "We will train employees in these policies and enforce them."
Nicholson has directed the department's information and technology office to revise the security guidelines for single-user remote access developed by the office of cyber and information security. The document, to be completed by June 30, will set the standards for access, use and information security, he said.
The department also has taken extensive steps to notify and protect the affected veterans, he said. They will be notified by individual letter, Nicholson said during the May 22 announcement.
The data stolen from the employees' home contained the names and birth dates of 26.5 million veterans and some spouses, as well as Social Security numbers for 19.6 million veterans, he told the committee today. Also, some data lost could include numerical disability ratings and the diagnostic codes identifying disabilities being compensated.
"It is important to note that the data did not include any of the VA's electronic health records," Nicholson said. "Neither did it contain explicit financial information, although knowing a disability rating could enable one to compute what the implied terms of compensation payments are."
The VA also is working with the three major credit bureaus, and all three -- Equifax, Experian and TransUnion -- have simplified the process for veterans requesting a fraud alert.
Concerned veterans also can get more information by calling 800-333-4636 from 8 a.m. to 9 p.m. EDT, Monday through Saturday to reach the manned call center. They can also visit the www.firstgov.gov.
The Federal Trade Commission is encouraging veterans to report suspected incidents of identity theft via the commission's identity-theft hotline at 877-438-4338. Banks also have received an advisory from the Office of the Comptroller of the Currency.
"It explains what happened and asks the banks to exercise extra diligence in processing veterans' payments," Nicholson said. "The advisory also reminds the banks of their legal obligations to verify the identities of persons seeking to open new accounts."
The secretary added that VA would be working very closely with the president's Identity Theft Task Force on this issue.
"VA's mission to serve and honor our nation's veterans is one we take seriously, and the 235,000 dedicated VA employees are deeply saddened by any concern or anxiety this incident is causing our veterans and their families," he said. "We're working hard to keep this most unfortunate circumstance from causing them undue pain and anxiety."