On July 11, 2006, the Department of Veterans Affairs Office of Inspector General released a much anticipated report concerning the theft and loss of Veterans Administration data involving more than twenty-six million veterans. According to the Inspector General, on May 3, 2006, the home of a Veterans Affairs employee was burglarized resulting in the theft of a laptop computer and external hard drive containing personal confidential information including full names, birth dates, social security numbers and other information for millions of veterans. Neither the laptop nor the external hard drive contained encryption or password protection which the report characterizes as a “serious error of judgment . . . for which the employee is personally accountable.” The VA Secretary did not receive notification of this theft of confidential information until two weeks later on May 16 and Congress and veterans were not informed until May 22. The inquiry did not stop here however. The fundamental questions before the Inspector General related to whether notification of theft occurred promptly, and whether the Veterans Administration has taken steps to adequately protect confidential information in this day and age where identity thefts have been a regular occurrence.
Describing data security procedures at the Veterans Administration, the Inspector General concluded:
We found a patchwork of policies that were difficult to locate and fragmented. None of the policies prohibited the removal of protected information from the worksite or storing protected information on a personally-owned computer, and did not provide safeguards for electronic data stored on portable media or a personal computer.
The report continues:
We determined that VA needs to enhance its policies for identifying and reporting incidents involving information violations and information security violations to ensure that incidents are promptly and thoroughly investigated; the magnitude of the potential loss is properly evaluated; and that VA management, appropriate law enforcement entities, and individuals and entities potentially affected by the incident are notified in a timely manner.
The report concludes by indicating that data and information security vulnerabilities have been reported for years to the Veterans Administration. Apparently, information security has not been a priority which led to the May 3, 2006 breach.
Unfortunately, the Veterans Administration Inspector General Report probably describes the attitudes and problems which exist concerning data security not only throughout our government, but also throughout the private sector. The Inspector General report highlights that for government and private business accessing sensitive information, risk assessment and data protection should be a major priority.
The Legal Examiner and our Affiliate Network strive to be the place you look to for news, context, and more, wherever your life intersects with the law.
Comments for this article are closed.