PIIssed off yet?

A letter from the Department of Veterans Affairs on PII data breach
Security Strategies Alert By M. E. Kabay, Network World
June 12, 2007 09:16 AM ET

Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.

In March 2007, Network World writer Jon Brodkin wrote an excellent analysis of 10 letters informing victims of data theft or loss of control of personally identifiable information (PII) that their data might be compromised.

He pointed out that almost all of the letters failed to express any responsibility for the loss of control over data stored on unencrypted disks that were lost or stolen, or for poorly secured Web sites that posted PII without protection or with poor protection. My guess is that staff attorneys warned the public relations officials to avoid any implication of responsibility so as not to contribute anything that would exacerbate their liability in potential lawsuits. Passive voice is great for shifting responsibility from specific agents to the great gaseous cloud of the unnamable and unblamable.

“Mistakes were made,” indeed.

My wife is a neuropsychiatrist; she recently received a letter from the Veterans Affairs (VA) office in Austin, Texas, informing her of loss of control over her PII. I am starting this series of articles about the VA’s handling of PII with a verbatim transcript of the letter she received. I think readers will be interested in seeing the contents in detail - and there is actually some generally useful information that everyone can store away in case it’s needed. In particular, I recommend that all of us save the contact information for the three credit bureaus and the phone number for the FTC service.

So here’s part one of the series. In the following parts, I’ll go back to the theft of computer disks containing unauthorized copies of PII on May 3, 2006. Then I’ll continue the series with summaries of later cases of data theft and loss from the VA, U.S. government reports and congressional testimony about these problems, VA assurances of planned improvement, and the status of VA assurances. I’ll wind up with analysis of the underlying issues and provide recommendations for improvement.

* * *

DEPARTMENT OF VETERANS AFFAIRS
1615 Woodward St.
Austin, TX 78772

-----, MD

Dear -----, MD:

I am writing to you, as the Director of the Veterans Integrated Service Network (VISN) 7 in Atlanta, Georgia, to inform you that I have been notified that a portable computer hard drive used by an employee of the Birmingham Veterans Affairs (VA) Medical Center is missing. This portable hard drive was used to back-up information contained on a VA employee’s office computer, related to research projects with which the employee was involved. A file on the portable hard drive included information from the Unique Physician Identification Number (UPIN) Directory dated 2004, which includes demographic information and identifiers, such as the UPIN, dates of birth, state license numbers, business addresses, and employer identification numbers (EIN). In the case of your information, we believe the EIN was your Social Security Number. This file was obtained by VA from the Centers for Medicare & Medicaid Services (CMS) for the purpose of conducting research on veterans’ health care.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.

Comments (5)

Veterans Administration should be ashamed of the way it's dealing with that data breach
By Anonymous on June 12, 2007, 11:14 am
It's interesting that the letter states, in so many words, that (a) we (the VA) lost your data, and (b) the victim (recipient of the letter) whose personal data...

VA Loss of Data
By Anonymous on June 13, 2007, 8:41 am
I notice the letter stated that the PII was being used for research. Canada's Protection of Privacy Act requires that personal data may only be used for what it...

In Canada
By Anonymous on June 21, 2007, 2:26 pm
Fortunately, in Canada, the vast majority of the population (including hackers & thieves) are too stupid to understand IT security or even how to breach it (if it...

As a US Army Veteran am very, very grateful
By Brad Reese on June 21, 2007, 6:45 pm
As a US Army Veteran, I thank the US Department of Veterans Affairs every single day for the superb and excellent medical care they provide me and my fellow veterans. There...

Automated harassment
By Anonymous on June 29, 2007, 3:21 pm
I was subjected to this kind of harassment for well over a decade by Verizon in conjunction with another corporation. The only way out, for me, was to drop my landline...