Management structure contributed to VA data breach, observers say

With Congress investigating one of the nation’s largest data breaches, former VA officials blame a weak IT management structure.

As the scope of the Veterans Affairs Department's data breach continues to expand, former agency information technology officials say the catastrophe might have been avoided with a better IT management structure.

Robert McFarland, who stepped down as the VA's chief information officer before the May 3 theft of sensitive records from a VA career IT specialist's home, said the database containing the personal information on veterans and active duty military personnel fell outside the direct control of the CIO office.

This setup, in which the department's IT systems and databases are dispersed across its three divisions, is on schedule to be changed, McFarland said, though that won't happen overnight.

"You have these databases out there without any access controls or notifications for when duplications are made … access is free and open," he said. "As bad a hit as the agency is taking right now, it is moving in the right direction."

Technology management at the VA has been a source of contention on Capitol Hill and within the department.

The department's "federated" IT management model, adopted last year, gives the CIO office line-item budget control, but critics, including House Veterans Affairs Committee Chairman Steve Buyer, R-Ind., argue that the department needs to move toward a "centralized model."

Bruce Brody, vice president for information security at the Reston, Va.-based market research firm INPUT and associate deputy assistant secretary for cyber and information security at the VA from 2001 to 2004, said that during his time the CIO office could issue agencywide policies but lacked enforcement power.

"He had no authority," Brody said. "He could not shut down systems or cut off funds. If you centralize authority, at least for security, there is a better chance you will get a handle on this stuff."

But Brody said the data breach is being treated more as a physical security issue than a cybersecurity problem, because the employee walked out of the agency's offices with the data. According to the VA, the employee had been taking sensitive records home unauthorized for three years.

The House Government Reform Committee is scheduled to hear testimony from VA Secretary James Nicholson and other government officials Thursday regarding the security of personal data in the government.

Committee Staff Director Dave Marin said Rep. Tom Davis, R-Va., chairman of the panel, is troubled that information from the VA on the content of the data continues to evolve.

A chronology of the data breach obtained by Government Executive shows that Michael H. McLendon, deputy assistant secretary for policy, who resigned last week, knew of the incident less than an hour after the GS-14 employee discovered the break-in. The employee immediately notified his office of the possible data loss, which then notified McLendon.

Nicholson was not notified until nearly two weeks later, on May 16. Veterans and lawmakers were informed of the breach on May 22.

While the VA has received approval to shift $25 million from its fiscal 2006 funding to support a toll-free number for veterans to call for information, the overall cost of the breach is likely to rise.

Vietnam Veterans of America, along with four other national veteran organizations and several individual veterans, has filed a class-action lawsuit that seeks a $1,000 award for each veteran who can show harm due to the breach. VA officials said Tuesday there are no indications that the stolen information has been used to commit identity theft.

The suit, filed in the U.S. District Court for the District of Columbia, seeks an injunction that would prevent VA from altering any data storage system and prohibit use of any such system until a court-appointed panel of experts determines how to implement adequate safeguards.