An Expert's Perspective on the VA Data Theft

Government security expert Bruce Brody shares his thoughts on the data theft from the VA.

By Paul Kerstein

June 02, 2006, CSO

Since data on 26.5 million veterans was stolen from an analyst’s laptop, a continuous uproar among government and law enforcement officials and veterans organizations has been reverberating down to the individual soldier, sailor, airman and marine.

What does the theft mean for veterans? What’s being done to recover the data, and what can victims do to protect themselves? What can businesses learn from this event?

CSOonline’s Paul Kerstein recently caught up with Bruce Brody, vice president of information security at INPUT, an authority on government business providing market intelligence, analysis, consulting, sales management tools, and events and training. He answered our questions about what has happened.

 
CSOonline: A number of media outlets are calling this the largest data breach in American history. Is it?

Bruce Brody: It’s huge, and this incident was discovered almost by accident. But what makes you think this is the only one? Do you really think we have the necessary controls in place to prevent this from occurring in other government agencies? What assurances do we have that our critical data is being protected by the government? After all, even as woefully flawed as the FISMA legislation is, the government received an overall grade of D+.

 
Many would consider it unfathomable for an employee to take that much sensitive data home. Is there any justification for doing this? Could the data analyst responsible suffer more dire consequences than just his job, such as lawsuits?

It is unfathomable, to be sure, but the VA has a long history of providing slaps on the wrists and not holding senior officials accountable. The VA culture is the root cause of this incident--decentralized authority, failure to observe security policies, operating administrations wielding more power and authority than the Department HQ--and unless the culture can be changed, no amount of punishment for a single incident will mean anything.

 
What does this mean for American veterans?

American veterans are at risk for identity theft, which means that false records can be created in their names, false accounts can be created to defraud them, and existing accounts can be drained. 


The VA and other organizations are really only suggesting setting up fraud alerts, being vigilant, monitoring bank statements, credit card records and any statements relating to recent financial transactions. Can you suggest some other basic steps of action that veterans should be taking?

The burden shouldn’t be on the veteran. It should be on the VA. The VA should bear the entire brunt of this, and any financial consequences because of decades of neglect and inattention to its collective information security responsibilities.
