There's No Security Like Reactive Security

from the a-little-late dept

After a laptop with the personal information of millions of veterans and military personnel was stolen from a Department of Veterans Affairs employee, the agency’s decided it would be a good idea to go ahead and recall all its laptops so their security software can be reviewed. The recall will be part of a “Security Awareness Week” announced by the department’s secretary in the wake of the event, along with his call for strengthened federal penalties for individuals found to be negligent in their handling of personal information, adding that the department is in the process of firing the employee whose laptop was stolen from their home. While trying to make employees take more personal responsibility and making them realize they have a vital role in security would be beneficial, it seems a little misguided to make employees accept so much responsibility when their employers don’t really have to worry about the repercussions of poor security. While the head of the VA’s call for increased security and his intention to beef up are laudable, it’s of little comfort to the 26.5 million people whose personal information was stolen. The guy calls this theft “the hundred-year storm” of data leaks, but the scale really isn’t important, particularly to the people whose info gets lifted. It’s almost as if he’s saying if only 100 or 1,000 people’s data were leaked, it wouldn’t really matter, which is a completely irresponsible attitude — or perhaps a lesson to thieves. Keep it small, and nobody will care. There have been enough previous data leaks that companies and government agencies should be well aware of the problem, and not waiting for it to break some random threshold before they decide to improve their security.

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “There's No Security Like Reactive Security”

Subscribe: RSS Leave a comment
drkkgt says:

as a vet myself

I think the management at the VA who were given the security report from the oversight commitee last year should also be fired and fined, along with any middle mangement who reviewed and did the same thing. This one employee, while screwing up big time, was still just following the lead of his bosses in not worrying about security and should be following them out the door via the Seargent Boot Express.

Ninja12 says:

Re: as a vet myself

That is Right! Why fire just one employee? Sure, He was wrong and deserves the punishment YOUR leader is responsible for your ludicrous actions!

There needs to be a cleaning of the house for VA IT Department and get some people in there who know what they are doing! THIS PUNISHMENT WILL NOT STOP STUPIDITY!

Scott says:


The employee was not supposed to have that data in the first place, therefore firing the employee is perfectly justifiable.

Not saying the VA processes need work, just that “it seems a little misguided to make employees accept so much responsibility” is not fair in this context. If I am not supposed to have data and it is stolen that seriously compounds the first problem.

Carlo (user link) says:

Re: Employee

Scott, I agree that employees should absolutely be held responsible for stupid personal decisions — I think you’re talking what I said a little out of context. That whole thought was “it seems a little misguided to make employees accept so much responsibility when their employers don’t really have to worry about the repercussions of poor security.”

There’s currently little incentive for businesses or governmental bodies to tighten up security, because the standard of what’s responsible action is so low, and the punishment they receive should they leak data is nothing more than a slap on the wrist. Given that, I think that putting all of the onus on employees, instead of also forcing their employers to beef up policies and security measures, is a half-cocked solution.

Anonymous Coward says:

Re: Ugh...

“Does anyone know of a list I can check to see if I’m included in this nonsense?”

I’m afraid your best bet is to ask the VA directly. Although the position implied by their FAQs is “watch your credit report, and if your identity is ever stolen, then you’ll know.”

FAQ pages:

What a Crock of Poo says:

The Va Really Is

I have two brothers, one who is still active duty US Army, the other who just got out of the Army after serving 2 tours in Iraq. They had no clue about this until I forwared this story to them. I wonder how many other soldiers who are laying their lives on the line are getting their IDs jacked while the VA twiddles their thumbs.

Nicholas G says:

Identity Theft Responsibility

then again, if we [the voting population of america] placed the responsibility of preventing identity theft on the financial institutions (i.e. if you allow a thief to acquire a credit card on someone elses credit, you [the institution] are financialy responsible for repairing the damage) there would be little to no identy theft.

Con Parant says:

VA employee clearances

I am even more surprised that the VA is just now considering an NACI/MBI background check a requirement for employees accessing sensitive data. Only an NACI/MBI? That is about as thorough as applying for a grocery store checkcard. Relative to trusting a low-paying worker, they should require a higher level of background checks for any employee handling sensitive or personal data.

Ninja12 says:

Get Real & Take Ownership People

The cost of encrypting the hard disk on the laptops the VA has, would have been much less than the current cost of trying to recover from this fiasco!

I am a reservist as well and I receive the notification letter from the regarding theft of the information and since I also work for a Bank as an Information Security Analyst, I hope that I have taken the corrective measures to protect myself from ID theft.

All I know is that there is no use in B*tching about this subject anymore, however I do not feel that punishing the ONE guy for his obviously stupid act is going to solve anything! This person was allowed to do what he did because of poor leadership and that leadership’s inability to understand information security as a serious matter. Nevertheless, as with most people I have met in the corporate world, there is nothing wrong with a poor information security policy until there is a major problem. It is just a matter of time before poor security measures are exploited or violated so instead of standing there waiting for that disaster to happen, get some proactive solutions in place. ING just learned that lesson as well with the theft of a laptop. Starts asking your bank and credit unions how safe their laptops are and be demanding about it, because it is so easy to steal information that it is not even funny.

I have found that if your job is office or business concern and not information technology related, your knowledge of data theft is going to be minimal, so in that situation the responsibility to make your data safe is totally up to your Information Technology department and information security policies. Read your companies Information Security Policies and obey them! They are there for a reason, to protect your customers, who just happen to be the reason you even got a job and get a paycheck!

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...