House panel delves into VA data breach
- By Patience Wait
- Jun 09, 2006
While there are Office of Management and Budget regulations in place requiring sensitive data to be encrypted, those rules are regularly disregarded, according to government officials.
Part of controlling the risk of losing citizens' personal information is to enforce those policies, and it may also involve more training and harsher penalties for government employees.
The House Government Reform Committee held a hearing yesterday on the ongoing ramifications from the theft of a Veterans Affairs Department laptop and hard drive, and the subsequent loss of personal data of millions of Americans last month.
Yesterday VA secretary James Nicholson issued a statement warning that the number of individuals at risk of having their personal information stolen had increased beyond the 26.5 million veterans, spouses and dependents to include an additional 2.2 million military personnel: 1.1 million active-duty personnel, 430,00 National Guard members and 645,000 members of the Reserves.
Committee Chairman Rep. Tom Davis (R-Va.) asked the panel of government officials (including representatives of VA, OMB, the Social Security Administration, the IRS and the Government Accountability Office) what assurance the agency could give citizens that their personal information would be secure.
Clay Johnson, deputy director for management at OMB, said that his organization needs to take steps to enforce existing policies, such as the encryption requirement and another requirement that OMB must be notified when a data breach occurs. The agency will be reviewing existing policies to see whether there are some areas where new regulations are required, but mostly it needs to enforce what's already in place, he said.
"We need to put more teeth into enforcement because this is just too laissez-faire," Nicholson said. Employees have to be held accountable for violating security policies, while agencies have to address who is provided access to sensitive personal information.
Even GAO has not been quite as diligent in its oversight and warnings, said comptroller general David Walker. The watchdog agency hasn't issued a report specifically on this topic, he said, though it has included comments and suggestions in audits of individual agencies.
There are variances in security implementation by agency, Walker said. Chief information officers are supposed to report directly to their department secretaries, for instance, but Walker could not say that this is happening across the board.
Several representatives asked whether the VA would provide credit protection services to those affected by the data loss. Johnson was pressed on whether OMB would support a request for supplemental funding by the veterans' agency to cover any personal injuries suffered by individuals. Johnson did not provide a yes-or-no answer, but said OMB would consider the request.
While there has been no direct evidence that any individual whose information was stored on the laptop or hard drive has been affected, Rep. Steve LaTourette (R-Ohio) said he had been contacted by a veteran from his district whose monthly disability check had been diverted from his bank account into a new account with a bank in another state.
Nicholson said this was the first incident he has heard of since the data loss came to light.
It is not known whether the veteran's information was compromised because of the data breach, or if he is simply joining the ranks of the approximately nine million Americans who suffered identity theft last year.