Veterans Administration Now Known As Ministry For Data Leaks

from the leak-rinse-repeat dept

In the middle of last year, a laptop and hard drive containing personal information on 26.5 million US veterans were stolen from an employee's home. While the equipment was recovered, and the government claimed the data had not been accessed, the theft highlighted the lax security procedures of the VA -- and another theft a few months later reinforced it. Now, try not to be surprised, but it's happened again, as portable hard drive containing personal information on 48,000 vets has gone missing from an Alabama facility. Despite the VA saying it was beefing up data security after the first theft by taking measures including putting encryption software on all its laptops and desktop PCs, apparently as many as 20,000 records on this latest hard drive weren't encrypted. While encryption is by no means a cure-all, it's pretty ridiculous that even after the previous high-profile events, the VA still can't be bothered to even take this first step with all its data. There's a total lack of accountability and responsibility here: while there's been talk of mandating stiffer penalties for individuals who are negligent with personal data, that's nothing more than smoke and mirrors. It hides the real problem, which is an environment that, from the top down, accepts and excuses this sort of behavior. Until that changes, expect more data leaks.

Reader Comments

Subscribe: RSS

View by: Time | Thread

  1. identicon
    Ray Trygstad, 6 Feb 2007 @ 8:12pm

    It's a Policy Issue!

    This is not a failure of technology: it's a failure of policy, which is the core management tool for information security. There has to be a policy governing data on portable devices, the policy has to be enforced, and there has to be consequences for failure to comply. The policy might prescribe a technological control (i.e. encryption), but there has to be policy. This certainly does not seem to be the case in the Department of Veteran's Affairs.

    BTW the government is NOT exempt from HIPAA; on top of that, as a Federal agency, the DVA is also subject to FISMA, the Federal Information Security Management Act, which is much tougher than any IT security standards legislatively required of any commercial entities.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Shop Now: I Invented Email
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Report this ad  |  Hide Techdirt ads
Recent Stories
Report this ad  |  Hide Techdirt ads


Email This

This feature is only available to registered users. Register or sign in to use it.