Thursday, June 14, 2007

VAgaries of wandering data

Network World

Security Strategies

Network World's Security Strategies Newsletter, 06/14/07

By M. E. Kabay

On May 3, 2006, a career civil servant at the Department of Veterans Affairs (VA) violated official policy by taking computer disks containing personally identifiable information (PII) about 26.5 million veterans home with him. The disks were stolen from his home. Two weeks after officials learned of the theft, the VA disclosed the incident to the public and set up a Web site and an 800-number to provide veterans with information and a channel for reporting possible identity theft.

The USA.gov Web site put up a page called "Latest Information on Veterans Affairs Data Security" with answers to FAQs; the VA itself also continued issuing press releases (searching its press-release archive with the keyword “data” provides a reasonable chronology).

In early June 2006, the VA announced that the stolen data might include PII about up to 1.1M active-duty troops, 430,000 members of the National Guard and 645,000 members of the reserves. Reactions from a coalition of veterans groups were immediate: they launched a class-action lawsuit demanding full disclosure of exactly who was affected by the theft and seeking $1000 in damages for each victim.

The VA struggled to cope with the bad publicity and potential legal liability resulting from the May theft. On May 26, 2006, Secretary of VA R. James Nicholson issued a Directive to all VA supervisors in which he wrote, “Having access to such sensitive information brings with it a grave responsibility. It requires that we protect Federal property and information, and that it shall not be used for other than authorized activities and only in authorized locations. As managers, supervisors, and team leaders it is your responsibility to ensure that your staff is aware of and adheres to all Federal and VA policies and guidelines governing privacy protected material. I also expect each and every one of you to know what sensitive and confidential data your subordinates, including contractors, have access to and how, when and where that data is used, especially in those cases where it is used or accessed off-site.”

On May 30, 2006, the VA fired the analyst “responsible for data loss” and announced changes in the administration of information security in the organization. The press release made no mention of who was responsible for allowing anybody to store unencrypted PII on VA computers or media.

Coincidentally, at the end of May, the Government Accountability Office issued a report: “GAO-06-612: Homeland Security: Guidance and Standards are Needed for Measuring the Effectiveness of Agencies' Facility Protection Efforts.” The report specifically named the VA as requiring “guidance and standards for measuring performance in federal government facility protection.”

On June 21, 2006, the VA announced that it would provide free credit monitoring for everyone affected by the data theft in May.

But worse was yet to come. More in the saga next time.

Contact the author:

M. E. Kabay, Ph.D., CISSP-ISSMP, is Associate Professor of Information Assurance and CTO of the School of Graduate Studies at Norwich University in Northfield, Vt. Mich can be reached by e-mail and his Web site.

Copyright Network World, Inc., 2007