VA Beefs Up Data Security Procedures, Top Official Tells Congress
By Steven Donald Smith
American Forces Press Service
WASHINGTON, June 8, 2006 The Department of Veterans Affairs is revamping its data security procedures following last month's theft of a VA laptop computer that contained personal information of veterans and military personnel still in uniform, the secretary of the VA told a congressional committee today.
"We will stay focused on these problems until they are fixed," said R. James Nicholson during hearings before the House Committee on Government Reform. "We will take direct and immediate action to address and alleviate affected people's concerns. We are accountable to our nations veterans and servicemembers."
On May 3, the Montgomery County, Md., home of a 34-year VA employee was burglarized and a laptop and hard drive containing personal data of 26.5 million veterans and more than 2 million active-duty, Guard and Reserve members, was stolen. The laptop also contained some spousal and dependent information. The data included birth dates and Social Security numbers, VA officials said.
The stolen laptop did not contain any health records, Nicholson said.
Clay Johnson, the White House's Office of Management and Budget deputy director for management, referred to the incident as an "unprecedented security breach."
The concern is that the information could be used for nefarious acts such as identity theft. There have been no reports of ill-use thus far.
The area where the robbery occurred has witnessed a recent spate of home burglaries and officials do not think the data on the laptop was the target. "We remain hopeful that this was a common, random theft and that no use will be made of this data," Nicholson said.
The VA employee, who worked as a data analyst, was not authorized to bring the information home.
"I am totally outraged at the loss of this data and the fact that an employee would put so many people at risk by taking it home in violation of existing VA policies," Nicholson said. "I've never been so disappointed and angry at people."
Nicholson outlined various ways the VA is working to prevent such an incident from happening again.
"I have initiated several actions to strengthen our privacy and data security programs," he said. "On May 24, we launched the data security, assessment and strengthening program, a high-priority focus plan to strengthen our data privacy and security procedures."
Also, all VA employees must complete privacy and cyber security training by June 30. A task force of senior VA leadership was put together to review all aspects of information security and assess which employees need access to certain data, and the agency has suspended the practice of allowing veterans benefits employees from removing claimant files from agency work areas.
During the week of June 26, VA facilities across the country and in Guam and Puerto Rico will take part in security awareness training. "Every hospital, clinic, regional office, national cemetery, field office, and our central office will stand down for security awareness week," Nicholson said.
The VA is also going through a security review to make sure its anti-virus software is updated and current, and will remove all unauthorized programs and software from employee computers.
Another issue raised by Nicholson during today's hearing was the difficulty in punishing misconduct.
"I believe the policies we have and the legislation under which they are promulgated is generally adequate. But it is too hard in my opinion to discipline people in the civil service," he said. "I think we should consider putting ... teeth into an enforcement mechanism for careless and negligent handling of personal information."
Another issue he raised was the lack of repeated background checks. He said the employee who had his laptop stolen had not had a background check in 32 years.
"This has been a painful lesson for us as the VA," Nicholson said. "Ultimately our success in changing this is going to depend on changing the culture. And that depends on our ability to change the attitudes of our people. It's our duty to do this."
The VA has set up a manned call center that veterans and active-duty personnel can call to get information about the situation and learn more about consumer identity protections. The toll-free number is 1-800-FED-INFO (333-4636).