VA Secretary Comes Under Fire At House And Senate Data Theft Hearings - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


VA Secretary Comes Under Fire At House And Senate Data Theft Hearings

The data breach will cost taxpayers $100 million to notify veterans that their information might be compromised and to offer credit protection services.

Veterans Affairs Department Secretary James Nicholson endured a barrage of questioning and criticism from two different Congressional hearings Thursday morning regarding the theft of a VA laptop and hard drive containing sensitive data for up to 26.5 million veterans and their spouses.

Over the course of back-to-back grillings by the House Committee on Veterans Affairs and then the Senate Committee on Veterans Affairs, Nicholson was forced to endure repeated reminders of his department's poor IT security track record, much political grandstanding by Congressional leaders, and a call for his resignation.

The hearings focused on the fallout of the May 3 data theft, after a VA analyst took his laptop home to do some after-hours work. The analyst was authorized to access sensitive information about veterans, including Social Security numbers and dates of birth, which were required for a policy-related project he had been assigned. The analyst wasn't, however, authorized to remove VA data from the VA's offices, even though he admitted to having done so as part of his work routine since 2003. His home was burglarized, and the laptop and an external hard drive went missing.

To make the situation worse, the stolen data wasn't encrypted, even though Nicholson claimed Thursday that the VA has a policy of encrypting sensitive data to mitigate the damage of a data breach. And the VA Inspector General's subsequent investigation indicates that the analyst's supervisors weren't aware that the analyst had removed the data from VA offices.

Nicholson's responses to questions vacillated between taking responsibility for the data breach and expressing anger that he wasn't informed of the breach until two weeks after it occurred. "As a veteran myself, I have to tell you I'm outraged. Frankly, I'm mad as hell," Nicholson testified before the House Committee on Veterans Affairs. He won't be the only one when taxpayers find out that the data breach is expected to cost them at least $100 million to notify affected veterans and provide them with credit-checking services.

Nicholson also stated that his department has begun a "relentless investigation of its policies on information security." Still, it was revealed during the House hearing that the department doesn't even know how many of its employees telecommute.

The VA's Inspector General and the Government Accountability Office have for years criticized the VA regarding its IT security policies and practices. "We are also reviewing how policies are disseminated to VA employees, whether VA employees are aware of the policies, and whether VA procedures for identifying, reporting and taking action when data has been improperly accessed or improperly used are adequate," George Opfer, inspector general for the Veterans Affairs Department testified Thursday before a joint hearing held by the Senate Committee on Veterans Affairs and the Senate Committee on Homeland Security and Governmental Affairs.

The VA Inspector General's office issued a fiscal 2001 report indicating weaknesses in VA information security controls. "Our Federal Information Security Management Act reviews have identified significant information security vulnerabilities since FY 2001 that place VA at risk of denial of service attacks, disruption of mission-critical systems, and unauthorized access to sensitive data," Opfer testified Thursday.

An inspector general's report from fiscal 2004 included 16 recommendations for the VA to improve the security of its IT operations, including centralizing IT security programs, implementing an effective patch management program, and addressing unauthorized access and misuse of sensitive information and data that the IG's office discovered during its evaluation. To date, none of the 16 recommendations have been addressed, Opfer testified.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
The State of Cloud Computing - Fall 2020
The State of Cloud Computing - Fall 2020
Download this report to compare how cloud usage and spending patterns have changed in 2020, and how respondents think they'll evolve over the next two years.
CIOs Face Decisions on Remote Work for Post-Pandemic Future
Joao-Pierre S. Ruth, Senior Writer,  2/19/2021
11 Ways DevOps Is Evolving
Lisa Morgan, Freelance Writer,  2/18/2021
CRM Trends 2021: How the Pandemic Altered Customer Behavior Forever
Jessica Davis, Senior Editor, Enterprise Apps,  2/18/2021
Register for InformationWeek Newsletters
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you.
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll