VAgaries of wandering data

* A look at the VA data theft saga

On May 3, 2006, a career civil servant at the Department of Veterans Affairs (VA) violated official policy by taking computer disks containing personally identifiable information (PII) about 26.5 million veterans home with him. The disks were stolen from his home. Two weeks after officials learned of the theft, the VA disclosed the incident to the public and set up a Web site and an 800-number to provide veterans with information and a channel for reporting possible identity theft.

The Web site put up a page called "Latest Information on Veterans Affairs Data Security" with answers to FAQs; the VA itself also continued issuing press releases (using keyword “data” in the search field here provides a reasonable chronology).

In early June 2006, the VA announced that the stolen data might include PII about up to 1.1M active-duty troops, 430,000 members of the National Guard and 645,000 members of the reserves. Reactions from a coalition of veterans groups was immediate: they launched a class-action lawsuit demanding full disclosure of exactly who was affected by the theft and seeking $1000 in damages for each victim.

The VA struggled to cope with the bad publicity and potential legal liability resulting from the May theft. On May 26, 2006, Secretary of VA R. James Nicholson issued a Directive to all VA supervisors in which he wrote, “Having access to such sensitive information brings with it a grave responsibility. It requires that we protect Federal property and information, and that it shall not be used for other than authorized activities and only in authorized locations. As managers, supervisors, and team leaders it is your responsibility to ensure that your staff is aware of and adheres to all Federal and VA policies and guidelines governing privacy protected material. I also expect each and every one of you to know what sensitive and confidential data your subordinates, including contractors, have access to and how, when and where that data is used, especially in those cases where it is used or accessed off-site.”

On May 30, 2006, the VA fired the analyst “response for data loss” and announced changes in the administration of information security in the organization. The press release made no mention of who was responsible for allowing anybody to store unencrypted PII on VA computers or media.

Coincidentally, at the end of May, the Government Accountability Office issued a report: “GAO-06-612: Homeland Security: Guidance and Standards are Needed for Measuring the Effectiveness of Agencies' Facility Protection Efforts.” The report specifically named the VA as requiring “guidance and standards for measuring performance in federal government facility protection.”

On June 21, 2006, the VA announced that it would provide free credit monitoring for everyone affected by the data theft in May.

But worse was yet to come. More in the saga next time.


Copyright © 2007 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022