Security Strategies
Network World's Security Strategies Newsletter, 06/12/07

PIIssed off yet?
By M. E. Kabay

In March 2007, Network World writer Jon Brodkin wrote an excellent analysis of 10 letters informing victims of data theft or loss of control of personally identifiable information (PII) that their data might be compromised. He pointed out that almost all of the letters failed to express any responsibility for the loss of control over data stored on unencrypted disks that were lost or stolen, or for poorly secured Web sites that posted PII without protection or with poor protection. My guess is that staff attorneys warned the public relations officials to avoid any implication of responsibility that might exacerbate their liability in potential lawsuits. Passive voice is great for shifting responsibility from specific agents to the great gaseous cloud of the unnamable and unblamable. “Mistakes were made,” indeed.
My wife is a neuropsychiatrist; she recently received a letter from the Veterans Affairs (VA) office in Austin, Texas, informing her of loss of control over her PII. I am starting this series of articles about the VA’s handling of PII with a verbatim transcript of the letter she received. I think readers will be interested in seeing the contents in detail - and there is actually some generally useful information that everyone can store away in case it’s needed. In particular, I recommend that all of us save the contact information for the three credit bureaus and the phone number for the FTC service.

So here’s part one of the series. In the following parts, I’ll go back to the theft of computer disks containing unauthorized copies of PII on May 3, 2006. Then I’ll continue the series with summaries of later cases of data theft and loss from the VA, U.S. government reports and congressional testimony about these problems, VA assurances of planned improvement, and the status of VA assurances. I’ll wind up with analysis of the underlying issues and provide recommendations for improvement.

* * *

DEPARTMENT OF VETERANS AFFAIRS

-----, MD

Dear -----, MD:

I am writing to you, as the Director of the Veterans Integrated Service Network (VISN) 7 in Atlanta, Georgia, to inform you that I have been notified that a portable computer hard drive used by an employee of the Birmingham Veterans Affairs (VA) Medical Center is missing. This portable hard drive was used to back up information contained on a VA employee’s office computer, related to research projects with which the employee was involved. A file on the portable hard drive included information from the Unique Physician Identification Number (UPIN) Directory dated 2004, which includes demographic information and identifiers, such as the UPIN, dates of birth, state license numbers, business addresses, and employer identification numbers (EIN). In the case of your information, we believe the EIN was your Social Security Number.
This file was obtained by VA from the Centers for Medicare & Medicaid Services (CMS) for the purpose of conducting research on veterans’ health care. The Birmingham VA Medical Center has conducted extensive physical searches and has involved local police and Federal investigative resources, and a reward is being offered; however, the hard drive remains missing.

To prevent further security breaches or losses, we have taken immediate measures to protect the integrity and security of all personally identifiable information, including prohibition of the use of external drives and the required encryption of personally identifiable information when authorized distribution is required. An independent risk analysis was conducted as required by law, and risk mitigation recommendations are being implemented immediately.

VA will contact you shortly by mail to offer a credit monitoring service at no cost to you. In the meantime, one precaution we recommend is for you to request a free credit report from one or more of the three national credit bureaus by calling the toll free number 1-877-322-8228. The credit bureaus may also be contacted at:

Equifax
Experian
TransUnion

More information about credit protection, including placing a “fraud alert” on your accounts, is available by calling the Federal Trade Commission at its toll free number, 1-877-438-4338, or by visiting its Web site.

If you have questions concerning this letter, the Birmingham VA Medical Center has established a dedicated call center to answer your questions. Please contact us toll free at 1-877-xxx-xxxx from 6:00 am to 9:00 pm CT, or e-mail us at < address suppressed > .

We at VA take information security and privacy very seriously. We apologize for any inconvenience or concern this situation may cause, but we believe it is important for you to be fully informed of any potential risk to you.

Sincerely,

[digitized signature]

Lawrence A. Biro
Contact the author: M. E. Kabay, Ph.D., CISSP-ISSMP, is Associate Professor of Information Assurance and CTO of the School of Graduate Studies at Norwich University in Northfield, Vt. Mich can be reached by e-mail and his Web site.

Copyright Network World, Inc., 2007