Telework blamed in recent VA data loss

Analyst's ability to work from home is being used as a scapegoat, telework advocates say.

Proponents of policies allowing federal employees to work away from the office are fighting recent claims that teleworking puts sensitive agency data at an unnecessary risk for theft or loss.

In an attempt to avert future security breaches and to assuage lawmakers' concerns, Veterans Affairs officials have said they are reviewing the department's guidelines on remote use and access to agency information, following the theft of personal data on more than 26 million veterans from an employee's home.

VA Secretary James Nicholson told House lawmakers Thursday that he is attempting to determine how many agency employees telecommute because of the potential damage they could do, not mischievously, but because "they are negligent."

"This is an enormously troubling situation," Nicholson said. "We have people telecommuting all over this country, and we need to get our arms around who these people are and what they're like."

Nicholson said he has directed the VA Office of Information and Technology to publish revisions to the document governing security guidelines for remote access. He has also said the agency is reviewing employee access to sensitive data, which includes telework, and requiring new background checks.

But government officials and telework advocates say the data breach is not a telework issue. Rather, it stems from the mishandling of sensitive materials and the failure of an employee to follow basic security procedures, they say.

Agency officials acknowledged that the employee had been taking sensitive data home for work purposes since 2003 even though he was not authorized to do so. The data also was not encrypted, as agency policy requires. The agency has since announced that it has started the process of dismissing the employee and is replacing the leadership of the division in which he worked.

Chris Mihm, managing director of strategic issues at the Government Accountability Office, said if agencies have not established solid policies and procedures for data security and access, employees should not be allowed to telework.

"I think it's a wake-up call in the sense that it underscores the importance of the security of government information," Mihm said.

But Paul Kurtz, executive director of the Cyber Security Industry Alliance, said agencies should not respond to this incident by "hunkering down into a brick and mortar mentality."

"Data by its essence is portable," Kurtz said. "We don't want to have data resting within four walls and nobody can take it out."

Kurtz said sensitive data can easily be encrypted, but a better option is requiring employees to access that data over secure Internet connections.

Data access and security policies long have been listed among the best practices for agency telework policies. A 2003 report from the Office of Personnel Management cited information security as the most frequently identified problem related to telework.

In response to questions regarding the security of teleworking in the aftermath of the VA breach, the Office of Management and Budget asked the General Services Administration to post a link on the GSA telework Web page to National Institute of Standards and Technology recommendations published in August 2002 on the special security needs for teleworking.

A July 2003 GAO report (GAO-03-679) on teleworking in federal agencies found that the VA had fully addressed issues relating to remote access to agency systems and data.

But the basic violation of agency policies, such as taking sensitive data out of the office and failing to encrypt the information, goes beyond telework policies and into the realm of fundamental security practices, said William Mularie, chief executive officer of the Telework Consortium of Herndon, Va.

Placing the blame on teleworking "smells like an excuse for a lack of strong policies," Mularie said. "They're linking portability with security and it's not linked."

If the data on the stolen VA computer had been encrypted, it would have been no "more useful than a brick," Mularie said.

Chuck Wilsker, president and CEO of the Telework Coalition, said the incident helps emphasize the need for agencies to establish a formal telework program and to oversee and ensure adherence to policies, particularly those dealing with data security.

"How stupid can you be to take all that stuff home?" Wilsker said. "But do I think this is bad for telework? Not really."