[Infowarrior] - Veterans Affairs chief calls for stronger data laws

Richard Forno rforno at infowarrior.org
Thu Jun 8 16:28:40 EDT 2006


Veterans Affairs chief calls for stronger data laws

By Anne Broache
http://news.com.com/Veterans+Affairs+chief+calls+for+stronger+data+laws/2100-1028_3-6081705.html

Story last modified Thu Jun 08 12:57:36 PDT 2006

WASHINGTON--The head of the U.S. Veterans Affairs Department told Congress
on Thursday that the massive theft of personal data at his agency signals
the need for more "teeth" in federal data security laws.

"While we have a system in the government of doing background investigations
(on those to) whom we will give access to classified information, we do not
have a similar screen (for) those to whom we will give enormous amounts of
(personal) data," VA Secretary R. James Nicholson told the U.S. House of
Representatives Committee on Government Reform.

Nicholson's appearance before politicians came as his agency deals with
continued revelations over news that the personal data of as many as 26.5
million veterans and nearly 2 million active-duty military, National Guard,
and Reserve personnel was stolen. That information resided on a
government-owned laptop computer and hard drive pilfered from a VA analyst's
home in a Maryland suburb of Washington, D.C. A 34-year employee of the
agency, he had been toting the gear home for the past three years in
violation of agency policy.

The theft didn't come to Nicholson's attention until 13 days after the data
analyst reported the incident to superiors, the secretary said. The analyst
was fired but has been protected by not being publicly named. Two of his
bosses have since been fired, Nicholson said.

"It's an emergency at the VA, and it should be an emergency in our society,"
he said.

Rep. Tom Davis, the Virginia Republican who heads the committee, said the
incident had prompted him to weigh changes to a law called the Federal
Information Security Management Act of 2002, which outlines procedures
federal agencies must undertake in order to protect their data and systems.

That law requires agencies to notify law enforcement and internal inspectors
general when a breach occurs, but it does not require notification of
potential victims or the public. It must be updated to include penalties,
incentives and "proactive notification requirements," Davis said, adding
that he is "troubled as the number and scope of losses continues to expand."

Nicholson said he and investigators on the theft case "remain hopeful that
this was a common, random theft and that no use will be made of this data.
However, we certainly cannot count on that." He assured the politicians that
every person whose information has been compromised has been notified, and
the VA has established call centers and a dedicated Web site to respond to
inquiries.

But the specter of identity theft prompted stern words from some of the
committee members. "My hope, Mr. Secretary is...that in case there is
identity theft taking place, you will do everything you can to protect our
veterans financially and legally and you will come before the Congress to do
that," said Rep. Bernard Sanders, a Vermont Independent.

David Walker, comptroller general for the Government Accountability Office,
which serves as the government's watchdog, said he agreed the law must be
expanded to require federal agencies to alert individuals affected by a
breach--and perhaps the general public as well. "Public disclosure of major
data breaches is a key step to ensuring that organizations are held
accountable for the protection of personal information," he said.

With or without new legislative action, Walker urged all agencies to limit
collection of and access to personal information, to curb the amount of time
such records are retained and to consider using encryption and other
technological controls, particularly when data is stored on mobile devices.

Change won't happen overnight, Nicholson said. "Ultimately our success in
changing this is going to depend on changing the culture, and that depends
on our ability to change the attitudes of our people."

To that end, the agency is reviewing its security practices and beefing up
employee training. Nicholson has also ordered that every VA laptop undergo a
review designed to ensure that all security and virus software is current,
and he prohibited future use of personal laptops or computers for official
business.


Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.



