Panel to examine VA computer security practices
The committee that gave the Veterans Administration an "F" for its computer security practices plans a hearing June 8 to ask for an update on the department's reforms.
House Government Reform Committee Staff Director Dave Marin said the focus of the hearing will be whether tighter laws are needed to prevent another incident like the security breach in which personal data on 26.5 million veterans was stolen from a department employee's home.
"It's one thing to have regulations on paper and another to police them," Marin said.
Since another hearing last week in the House Judiciary Committee, Congress has updated a data protection bill, H.R. 4127, to include federal agencies, not just private companies. The provision would require written notification of security breaches, but would not subject federal agencies to the same regulations companies could face.
This week, Veterans Affairs Secretary Jim Nicholson announced Deputy Assistant Secretary Michael McLendon would step down. The data analyst whose laptop and disks were stolen in a home burglary has been dismissed. His acting department head, Dennis Duffy, has been placed on administrative leave.
On Wednesday, Nicholson named attorney Richard Romley as his new special adviser for information security.
Nicholson said he was angry that employees did not tell him of the May 3 burglary until May 16. The public, and veterans, found out about the security problem May 22. Pending legislation would carry fines for companies for every day the public is not notified.
The veterans' department said data containing Social Security numbers was not encrypted.
The hearing will ask whether it should be.
"The cost and speed of encryption need to be considered, but we need to err on the side of protection," Marin said.
"The technology exists today to secure this information," said Paul Kurtz, executive director of the Cyber Security Industry Alliance. He said encryption is much more user friendly than it was three years ago.
Chris Parkerson, a data security manager at RSA Security, said encrypting the personal data on the 26.5 million veterans in such a case would have taken "a matter of seconds."
He said encryption becomes more complicated and slower when the system itself is complex, as in a financial transaction. Parkerson said companies often try to encrypt too much, such as an entire hard drive, rather than just the personal data. He said that could slow a process down tenfold.
But he said solving the problem in the veterans' department security breach is easy -- and cheap.
"There are tons of products on the market that can do that that are very inexpensive. We're talking a few hundred bucks to lock down a few laptops," Parkerson said.
That may be good news, as Nicholson has told Congress the cost of fixing the data theft could be "way north of $100 million."
CSIA said the hope is this latest security breach will motivate Congress to clean up current loopholes in existing federal law about requirements to secure information and notify people of breaches.
"We need clarity on Capitol Hill sooner rather than later," Kurtz said.
COMMENTS
- More sanctimonious sniping from Capitol Hill! And I love these security vendors who claim it only takes "a matter of seconds" (your mileage may vary) and that "solving the problem in the veterans' department security breach is easy -- and cheap." (Trust us!) Any time a vendor tells you something is easy and cheap, hide your wallet and expect to be paying through the nose while this blood-sucker reads you the fine print of their "easy and cheap" solution, and the yearly maintenance of their product. GovExec.com reader Posted June 1, 2006 9:25 AM
- You fix the data problem by eliminating the data at every agency and placing it all in a single agency where that agency also is responsible for all government payments and receipts of taxes and other fees. Take the IRS and Social Security and combine them with the park service fees, patent fees, and all other fees and have a single point agency for all collections and payments. That agency would house the database for all recipients and payers and it should be housed in an off-line database so that it is not accessible from outside the agency. Rather, the agency would put data in another database and physically transfer the data to the secure database once it is cleaned of errors. Creating a panel at VA is not going to improve the process because the same data for all those vets still exists in the DoD databases, social security databases, IRS databases, maybe in SBA databases, agricultural databases, passport databases, pension databases, etc. Get it all in a single database where it can be secured and corrected one time for all uses! This might save me tax money and give a greater degree of security to the data itself! Taxpayer Posted June 1, 2006 7:27 AM