Report: VA treated data breach with 'indifference'
Senior Veterans Affairs officials failed to understand the significance of the department's early May data breach and responded with "indifference and little sense of urgency," according to an inspector general report released Tuesday.
The report from VA Inspector General George Opfer reviews the circumstances surrounding the May 3 theft of a laptop computer and external hard drive from the home of a GS-14 data analyst who had worked at the department for 34 years. The equipment, which contained personal information on more than 26 million veterans, has since been recovered.
The IG found that while the data analyst was authorized to access and use the database, he did not have permission to take the data home and failed to encrypt it or protect it with a password. The employee's supervisors told the inspectors they were not aware he was working on the project at all, and said if they had been, they would not have allowed him to take the information home.
Department policies and procedures for protecting personal and proprietary data were not followed, though none of the policies prohibited the removal of protected information from the worksite, the report said. Information security weaknesses remain uncorrected, the IG added.
The report recommended that VA Secretary James Nicholson take whatever administrative action he deems appropriate against employees involved, establish a clear and concise policy on protecting sensitive information on and off agency systems and modify mandatory cybersecurity and privacy awareness training.
In response to the report, Nicholson said he has initiated four administrative investigations of the offices involved in both the breach and the response. He also said the agency has "embarked on a course of action to wholly improve its cyber and information security programs. The IG's report confirms that we must continue with our aggressive efforts to reform the current system."
House Veterans' Affairs Committee Chairman Steve Buyer, R-Ind., said in a statement that the report reiterates what was learned in a series of committee hearings, specifically that "weak information security policies and a lack of central authority over information management left the department vulnerable to massive breaches."
Rep. Lane Evans, D-Ill., ranking member of the committee, said that "utterly dysfunctional leadership" was one of a series of failures resulting in the data breach and Nicholson's next steps must include a review of why his managers and advisers "botched it and failed to report the matter to him."
In response to the data breach, House Government Reform Committee Chairman Tom Davis, R-Va., and the committee's ranking member, Rep. Henry Waxman, D-Calif., sent letters this week to all Cabinet agencies as well as the Office of Personnel Management and the Social Security Administration, asking for information on any "loss or compromise of sensitive personal information" since Jan. 1, 2003.
COMMENTS
- Such nonsense and scapegoating of what I consider an eagle employee. We should only have more federal employees who take work home and work on self-initiated projects. Let’s take the guy behind the shed and beat the living tar out of him so every VA and federal employee becomes even more fearful of ever doing something to improve government processes and procedures! And has anyone even asked the question of what someone would do with a database of 26 million Social Security numbers? Any one of those numbers is easily obtained on the Internet. I'm more concerned with the banks losing my credit card number.
  HR Specialist GovExec.com reader Posted July 13, 2006 8:37 AM
- Everyone really needs to read the IG report that is linked in the article. First it was not an assigned project but a fascination project the analyst initiated on his own, then the fighting between the political appointee and his civil service boss that the political appointee did not like. There is enough in the report that the secretary needs to clean house, top to bottom.
  Ted Posted July 14, 2006 8:49 AM
- So, according to the VA Inspector General, it turns out the VA employee did not have permission to have 26 million SSNs at his home, after all. "The IG found that while the data analyst was authorized to access and use the database, he did not have permission to take the data home..." It's nice to see the truth finally came to the light of day here, after all the false media reports on this employee and his supposed "permission" to violate the privacy of veterans.
  VA Posted July 12, 2006 2:56 PM









