VA tech chief says another major data breach is unlikely

Steps to avoid another incident include raising awareness of security issues, encrypting laptops and centralizing IT operations.

The Veterans Affairs Department, site of a major data breach earlier this year, has taken steps to better protect personal information but still has work to do, the agency's chief information officer said Monday.

Robert Howard, confirmed by the Senate as the VA's chief information officer and assistant secretary for information and technology on Sept. 30, said the agency likely will avoid another incident on the scale of the May 6, 2006, data breach that left 26.5 million people at risk for identity theft, because employees have improved the way they handle data.

"They're treating information as they would want their information treated," Howard said at an event hosted by the American Council for Technology and the Industry Advisory Council. "It's not perfect. It's a very large organization, and we still have a lot of work to do in that area, but we've clearly improved the awareness of the folks."

Department laptops have been encrypted, but not all electronic devices that could potentially store personal information have had the software installed, Howard said. Medical devices containing personal information are difficult to encrypt due to federal medical regulations, and shutting them down is not an option, he noted.

A top priority for 2007 is to address risks to personal information stored on non-VA computers, Howard said.

A proposal from the House Veterans' Affairs Committee to elevate the department's CIO from an assistant secretary to an undersecretary is unnecessary because the office has all the authority it needs, Howard said.

"We know what we need to do," Howard said. "The main thing we really need is time."

The position of chief information security officer, vacated abruptly by Pedro Cadenas in June, has not been filled, Howard said. Carol Williams, the office's deputy, is filling the position on an acting basis while the process of finding a replacement proceeds.

Howard said the VA also has been engaged in an ongoing effort to centralize its IT staff since March, and decided more recently to place application development personnel under the CIO. The reorganization involves moving more than 4,000 IT employees from the VA's program offices to the direct authority of the CIO.

"Obviously there is a degree of unease with respect to the IT folks coming over to the [Office of Information and Technology]," Howard said.

Sorting out which employees from the program side should move has been a challenge, a House source familiar with the matter said. Howard is going to have to "roll boulders up a hill" if he is going to be successful in fully implementing the centralization plan, the source said.

Legislative language in a VA bill (S. 3421) that passed both chambers of Congress early Saturday morning contains additional security requirements. Under the measure, VA would need to issue fraud alerts and complete an analysis if another data breach occurs, according to House sources.

The bill also would require VA Secretary James Nicholson to issue interim regulations within 180 days of enactment that would establish the legal framework for the IT centralization. He also would need to brief Congress, the House source said.

The legislation would not elevate the CIO to an undersecretary, as a measure from outgoing House Veterans' Affairs Committee Chairman Steve Buyer, R-Ind., had proposed.

Buyer's bill also would have amended the 2002 Federal Information Security Management Act. A spokesman for Rep. Tom Davis, R-Va. -- who wrote the language -- said it will be among the first pieces of legislation he introduces in the next Congress.