VA to issue new directive on employees’ responsibility for data

The Veterans Affairs Department is close to issuing a new directive spelling out employees' responsibility for handling sensitive information, Secretary James Nicholson told congressional appropriators Tuesday.

Meanwhile, a class action lawsuit against the VA is blocking another security directive's implementation. That directive would have required reviews of all agency laptop computers to ensure that virus software is updated and appropriate encryption programs are installed.

But a temporary restraining order from the Federal District Court of Eastern Kentucky issued Friday as part of the lawsuit prevents VA from conducting the reviews, and also bars the department from publicizing its free credit-monitoring offer to veterans whose personal data was stolen.

Nicholson told lawmakers at a hearing Tuesday he was frustrated by how long it took for him to fire the employee who compromised the personal information for 26.5 million individuals. He said the new policy -- a revision to VA Directive 6500, which establishes department policies for information security -- will "make a big difference" at the VA by creating "enforcement mechanisms."

"It is not so easy to roll a head in a federal agency," Nicholson told the House Appropriations Subcommittee on Military Quality of Life and Veterans Affairs. "There's a lot of protection [for employees]."

The VA did not offer a specific timetable for when the new directive will be issued, but a spokesman said it is being developed as expeditiously as possible.

"I am convinced that, coming out of a very bad situation, we can make the VA a model for data security," Nicholson said. "I believe we can craft a structure that will be the gold standard for the government."

The VA has not had the right policies in place for managing IT and information security, Nicholson said. The data breach early last month served as a wake-up call for the agency, and the new guidance will make all employees aware of security guidelines and the consequences for failing to follow the policies, he said.

Nicholson has instructed Deputy Secretary Gordon Mansfield to establish a three-phase program to survey existing information security procedures, improve internal controls and establish enforcement mechanisms.

The department also is evaluating security procedures for its telecommuters, he said. While "it is a governmentwide practice to encourage telework ... we must ensure that our policies and procedures implementing this are such that sensitive data ... is properly protected," he said.

Nicholson said the VA's decentralized IT security management structure has been abysmal and that it is about to change with the reorganization of the department's IT management model, which includes moving more than 5,000 IT employees under the direction of the department's chief information officer.

Testifying before the subcommittee, Dennis Hoffman, vice president for information security at EMC Corp., said terminating an employee who notified his supervisors immediately about a data breach could drive employees in similar situations underground.

A VA chronology of the data breach shows that the employee, a GS-14 IT specialist, immediately notified the agency's security office by telephone.

Nicholson said $131.5 million of the request for $160.5 million to fund the VA's plan to purchase one year of free credit monitoring for affected veterans will be reallocated from other areas of fiscal 2006 funds and that about $29 million will come out of a Veterans Benefits Administration's fund for personnel costs that otherwise would have gone unspent in fiscal 2006.

"It will not result in the diminution of services," Nicholson said. "It'll take some belt tightening in that area. It will not come out of veterans' benefits."

He did not rule out the possibility that the department might end up offering more than a year of free credit monitoring and said he anticipates that about half of all veterans will request the service.

Nicholson urged the committee to get tough on identity thieves and recommended that Congress enact a data-protection law with stiff penalties and fines for violations. He pointed to federal health privacy rules as an example of tough criminal penalties -- up to 20 years in prison and a $250,000 fine.

Danielle Belopotosky of National Journal's Technology Daily contributed to this report.