"While we have a system in the government of doing background investigations (on those to) whom we will give access to classified information, we do not have a similar screen (for) those to whom we will give enormous amounts of (personal) data," VA Secretary R. James Nicholson told the U.S. House of Representatives Committee on Government Reform.
Nicholson's appearance before politicians came as his agency dealt with continued revelations over news that the personal data of as many as 26.5 million veterans--including nearly 2 million active-duty military, National Guard, and Reserve personnel--was stolen. That information resided on a government-owned laptop computer and hard drive pilfered from a VA analyst's home in a Maryland suburb of Washington, D.C. A 34-year employee of the agency, the analyst had been toting the gear home for the past three years in violation of agency policy.
The theft didn't come to Nicholson's attention until 13 days after the data analyst reported the incident to superiors, the secretary said. The analyst was fired but has not been publicly named. Two of his bosses have since been fired, Nicholson said.
"It's an emergency at the VA, and it should be an emergency in our society," he said.
Rep. Tom Davis, the Virginia Republican who heads the committee, said the incident had prompted him to weigh changes to a law called the Federal Information Security Management Act of 2002, which outlines procedures federal agencies must undertake in order to protect their data and systems.
That law requires agencies to notify law enforcement and internal inspectors general when a breach occurs, but it does not require notification of potential victims or the public. It must be updated to include penalties, incentives and "proactive notification requirements," Davis said, adding that he is "troubled as the number and scope of losses continues to expand."
Nicholson said he and investigators on the theft case "remain hopeful that this was a common, random theft and that no use will be made of this data. However, we certainly cannot count on that." He assured the politicians that every person whose information has been compromised has been notified, and the VA has established call centers and a dedicated Web site to respond to inquiries.
But the specter of identity theft prompted stern words from some of the committee members. "My hope, Mr. Secretary, is...that in case there is identity theft taking place, you will do everything you can to protect our veterans financially and legally and you will come before the Congress to do that," said Rep. Bernard Sanders, a Vermont Independent.
David Walker, comptroller general for the Government Accountability Office, which serves as the government's watchdog, said he agreed the law must be expanded to require federal agencies to alert individuals affected by a breach--and perhaps the general public as well. "Public disclosure of major data breaches is a key step to ensuring that organizations are held accountable for the protection of personal information," he said.
With or without new legislative action, Walker urged all agencies to limit collection of and access to personal information; to curb the amount of time such records are retained; and to consider using encryption and other technological controls, particularly when data is stored on mobile devices.
Change won't happen overnight, Nicholson said. "Ultimately our success in changing this is going to depend on changing the culture, and that depends on our ability to change the attitudes of our people."
To that end, the agency is reviewing its security practices and beefing up employee training. Nicholson has also ordered that every VA laptop undergo a review designed to ensure that all security and virus software is current, and he prohibited future use of personal laptops or computers for official business.