Data Dump

Beware of overreaction to the recent spate of federal data theft incidents.

All indications are that this is shaping up to be the Summer of Data Theft in the federal government.

It got started with a bang just before Memorial Day, when the Veterans Affairs Department announced that personal information on more than 26 million veterans and military service members had been stolen along with a laptop computer from an employee's home. The ensuing scandal was amplified when other agencies began logging reports of their own data thefts:

  • The Health and Human Services Department announced that information on more than 17,000 Medicare beneficiaries might have been compromised because a contractor had failed to properly secure the data.
  • Energy Department officials acknowledged that last September, they discovered that a hacker had accessed personnel records for 1,500 contract workers and employees at the National Nuclear Security Administration.
  • The Agriculture Department reported that a hacker broke into one of its computer systems and might have stolen the names, Social Security numbers and photos of 26,000 Washington-area employees and contractors. The information was used to create staff and contractor ID badges.
  • The Federal Trade Commission revealed that two of its laptops were stolen from a car. (A "locked vehicle," the agency took pains to note.) FTC notified 110 people that some of their personal information was contained on the computers.
  • In an ironic twist, the Government Accountability Office, which has sharply criticized agencies' information security policies, was forced to acknowledge that it had posted records on its Web site with some personal identifying information on a group of federal employees.

All of this is just what the government needed: another excuse for Americans to believe that agencies can't be trusted with basic tasks. And, unfortunately, the incidents provoked a typically Washingtonian response: political grandstanding and panicked overreaction.

VA Secretary James Nicholson was hauled to Capitol Hill to explain how the data theft could have occurred and why it took almost three weeks for the department to make it public. His testimony boiled down to the following: Everybody but me screwed up. Nicholson said he was "outraged" and "mad as hell" about the "lapses of judgment on the behalf of my people." He insisted that "directives were issued," but "they were paid no attention to."

Congress demanded action, and Nicholson gave it to them. Within days, Veterans Affairs took immediate steps to notify those whose data was stolen. Later, the agency began soliciting bids from contractors to provide a year's worth of free credit reporting to people whose personal information was compromised.

But the steps Nicholson took with respect to his own workforce could have an even more long-lasting effect. Nicholson started the process of firing the employee who brought the data home, and replaced the leaders of the division where he worked. In early June, he declared that the agency would limit telework at one of its divisions and eliminate employees' access to department networks from their home PCs.

That action sent a strong message to employees not only at VA, but across government: Punch in and punch out at the office, and never take work home. Why take the risk that you'll end up bringing home data that will be deemed sensitive?

Unfortunately, we in the media will end up reinforcing this message, because we'll continue to be on watch for the next story in the ongoing data theft scandal. Just look at the number of stories that emerged in the weeks after the VA incident.

But as you read them, remember this: The VA employee whose data was stolen brought it home on disks, not by accessing the department's network remotely. And it turned out he had received permission to bring a laptop and the data home, presumably because of his dedication to his job. From now on, fewer employees will make that mistake. Is that what the government, and the country, really wants?
