Security Strategies

This newsletter is sponsored by Nevis Networks

Network World's Security Strategies Newsletter, 06/14/07

Vagaries of wandering data

By M. E. Kabay

On May 3, 2006, a career civil servant at the Department of Veterans Affairs (VA) violated official policy by taking computer disks containing personally identifiable information (PII) about 26.5 million veterans home with him. The disks were stolen from his home. Two weeks after officials learned of the theft, the VA disclosed the incident to the public and set up a Web site and an 800-number to provide veterans with information and a channel for reporting possible identity theft. The USA.gov Web site put up a page called "Latest Information on Veterans Affairs Data Security" with answers to FAQs; the VA itself also continued issuing press releases (using the keyword “data” in the search field here provides a reasonable chronology). In early June 2006, the VA announced that the stolen data might include PII about up to 1.1 million active-duty troops, 430,000 members of the National Guard and 645,000 members of the reserves. Reactions from a coalition of veterans groups were immediate: they launched a class-action lawsuit demanding full disclosure of exactly who was affected by the theft and seeking $1000 in damages for each victim.
The VA struggled to cope with the bad publicity and potential legal liability resulting from the May theft. On May 26, 2006, VA Secretary R. James Nicholson issued a Directive to all VA supervisors in which he wrote, “Having access to such sensitive information brings with it a grave responsibility. It requires that we protect Federal property and information, and that it shall not be used for other than authorized activities and only in authorized locations. As managers, supervisors, and team leaders it is your responsibility to ensure that your staff is aware of and adheres to all Federal and VA policies and guidelines governing privacy protected material. I also expect each and every one of you to know what sensitive and confidential data your subordinates, including contractors, have access to and how, when and where that data is used, especially in those cases where it is used or accessed off-site.” On May 30, 2006, the VA fired the analyst “responsible for data loss” and announced changes in the administration of information security in the organization. The press release made no mention of who was responsible for allowing anybody to store unencrypted PII on VA computers or media. Coincidentally, at the end of May, the Government Accountability Office issued a report: “GAO-06-612: Homeland Security: Guidance and Standards are Needed for Measuring the Effectiveness of Agencies' Facility Protection Efforts.” The report specifically named the VA as requiring “guidance and standards for measuring performance in federal government facility protection.” On June 21, 2006, the VA announced that it would provide free credit monitoring for everyone affected by the data theft in May. But worse was yet to come. More in the saga next time.
Contact the author: M. E. Kabay, Ph.D., CISSP-ISSMP, is Associate Professor of Information Assurance and CTO of the School of Graduate Studies at Norwich University in Northfield, Vt. Mich can be reached by e-mail and his Web site.

Copyright Network World, Inc., 2007