Beware of overreaction to the recent spate of federal data theft incidents.
All indications are that this is shaping up to be the Summer of Data Theft in the federal government.
It got started with a bang just before Memorial Day, when the Veterans Affairs Department announced that personal information on more than 26 million veterans and military service members had been stolen along with a laptop computer from an employee's home. The ensuing scandal was amplified when other agencies began logging reports of their own data thefts:
- The Health and Human Services Department announced that information on more than 17,000 Medicare beneficiaries might have been compromised because a contractor had failed to properly secure the data.
- Energy Department officials acknowledged that last September, they discovered that a hacker had accessed personnel records for 1,500 contract workers and employees at the National Nuclear Security Administration.
- The Agriculture Department reported that a hacker broke into one of its computer systems and might have stolen the names, Social Security numbers and photos of 26,000 Washington-area employees and contractors. The information was used to create staff and contractor ID badges.
- The Federal Trade Commission revealed that two of its laptops were stolen from a car. (A "locked vehicle," the agency took pains to note.) FTC notified 110 people that some of their personal information was contained on the computers.
- In an ironic twist, the Government Accountability Office, which has sharply criticized agencies' information security policies, was forced to acknowledge that it had posted records on its Web site with some personal identifying information on a group of federal employees.
All of this is just what the government needed: another excuse for Americans to believe that agencies can't be trusted with basic tasks. And, unfortunately, the incidents provoked a typically Washingtonian response: political grandstanding and panicked overreaction.
VA Secretary James Nicholson was hauled to Capitol Hill to explain how the data theft could have occurred and why it took almost three weeks for the department to make it public. His testimony boiled down to the following: Everybody but me screwed up. Nicholson said he was "outraged" and "mad as hell" about the "lapses of judgment on the behalf of my people." He insisted that "directives were issued," but "they were paid no attention to."
Congress demanded action, and Nicholson gave it to them. Within days, Veterans Affairs took immediate steps to notify those whose data was stolen. Later, the agency began soliciting bids from contractors to provide a year's worth of free credit reporting to people whose personal information was compromised.
But the steps Nicholson took with respect to his own workforce could have an even more long-lasting effect. Nicholson started the process of firing the employee who brought the data home, and replaced the leaders of the division where he worked. In early June, he declared that the agency would limit telework at one of its divisions and eliminate employees' access to department networks from their home PCs.
That action sent a strong message to employees not only at VA, but across government: Punch in and punch out at the office, and never take work home. Why take the risk that you'll end up bringing home data that will be deemed sensitive?
Unfortunately, we in the media will end up reinforcing this message, because we'll continue to be on watch for the next story in the ongoing data theft scandal. Just look at the number of stories that emerged in the weeks after the VA incident.
But as you read them, remember this: The VA employee whose data was stolen brought it home on disks, not by accessing the department's network remotely. And it turned out he had received permission to bring a laptop and the data home, presumably because of his dedication to his job. From now on, fewer employees will make that mistake. Is that what the government, and the country, really wants?