In fiscal 2004, an inspector general report made 16 recommendations on ways the VA could improve the security of its IT operations, including centralizing IT security programs, implementing an effective patch management program, and addressing unauthorized access and misuse of sensitive information (see box). None of the recommendations has been addressed, Opfer testified.

In response to the breach, the VA is requiring all employees to complete cybersecurity-awareness and privacy-awareness courses by June 30. It's also conducting a review of what sensitive data employees need access to and putting them through background checks depending on their access levels.

Data Moves, So Protect It
There are many steps organizations can take to prevent data loss of the kind the VA suffered. Foremost is encryption, which VA policy requires but wasn't done in this case. Encryption can take place on PCs and memory sticks, within back-end databases, and even as data passes through a network. M-Systems offers encryption for data stored on its USB-pluggable storage devices and memory sticks. Ingrian Networks' i110 DataSecure Platform centrally manages encryption keys from a network appliance. Microsoft's Exchange Hosted Services include encryption for securing data sent in E-mail.

There's a risk with encryption: improperly managing the keys used to decrypt data. "If you don't manage encryption properly, it's a good way to lose your data forever," warns Burton Group analyst Trent Henry. Most encryption software offers an administrative interface that IT pros can use to safely store and retrieve keys.

Encryption is embraced by companies in financial services, health care, and other tightly regulated industries. But most companies still find excuses (it's overkill, or too expensive, or too hard to use) for not deploying it widely or not enforcing encryption policies. Yet it costs much less to encrypt data than to respond to a breach, Gartner analyst Avivah Litan testified last week. A reasonable up-front cost for the systems, services, processes, and procedures to encrypt 100,000 or more customer records is about $500,000, she said.

Encryption isn't the only way for companies to ensure that data doesn't disappear with a lost or stolen mobile device. Another is never to put data on the device in the first place. If employees must work remotely, Secure Sockets Layer VPN software can give them network access to sensitive data. Companies also can deploy software and network appliances that block data from being copied to external devices or E-mailed outside the network. Technology exists for real-time analysis of outbound data content. Workshare, one of dozens of vendors that offer this sort of software and appliances, last week launched a risk assessment appliance and PC-based software to prevent data leakage.

It doesn't seem like data security is getting better, but it has improved over the past several years, Burton's Henry contends. State disclosure laws make it embarrassing and expensive for companies that don't protect their data. "It's just that it's still easy to make mistakes, and those mistakes are broadcast loudly," he says. "Even though there's been a flurry of data-breach activity, this has brought about a conversation about this topic, which is the precursor to further improvement."

That's a conversation more government agencies must have. Within companies, the risk of having to issue a security breach notice has helped IT managers get a bigger budget, says Ohio State University law professor Peter Swire. "Now there needs to be a continued pressure to upgrade security in federal agencies," he says.

Might the legal environment change to turn up that pressure? A high-profile data breach that affects the nation's veterans could be just the thing to shake Congress out of its foot-dragging on data privacy and breach-notification legislation. Last week, the House Energy and Commerce Committee and the House Financial Services Committee each proposed data privacy and protection legislation to the speaker of the House, who will decide which version the House moves forward. It's not clear what the timeframe is for a full House vote, however, and this proposed legislation, as well as bills in the Senate, has been around for months. Fewer than one in five of 1,150 U.S. adults surveyed by the Cyber Security Industry Alliance say they think existing laws can protect them from fraud, identity theft, and other Internet crimes. More than two-thirds want Congress to pass stronger legislation.

Agencies and businesses shouldn't need new laws or more embarrassing breaches to realize what's at stake. Like the VA analyst, thousands of employees are carting their work home with them every night. IT teams must address that risk--and their organizations must give them the support to create the systems and policies to reduce it.