Afterthought Security

What happens when a data breach affects 26 million veterans? Plenty.

In one sense, the case of the Department of Veterans Affairs laptop, stolen from an employee's home and later found, was just one more entry in a list of 224 data breaches since February 2005, according to Privacy Rights Clearinghouse. One could even say the VA joins an eminent list of entities—banks, brokerages, retailers, manufacturers, universities, butchers, bakers and candlestick makers—that have made the Clearinghouse's list (at www.privacyrights.org) since data aggregator ChoicePoint disclosed that fraudsters had compromised 145,000 customers' private data.

The VA case had a bigger number—26.5 million veterans, including some active-duty soldiers—and so it sang out for special scrutiny. And so heads rolled. Congress held hearings (at which two smaller VA breaches came to light). Potential victims filed lawsuits.

And, five weeks after the VA warned veterans to watch out for credit card fraud, the Office of Management and Budget ordered all federal agencies to adopt stricter security rules for mobile data, such as encrypting data on mobile computers and mandating two-factor authentication for remote access devices.

Amid the indignation and concerted action, there was a sympathetic sadness to some reports of the VA incident. After all, the employee who brought his laptop home was trying to be productive. And he had permission to work with data from home, The Associated Press reported. He just didn't appear to have security measures in place.

"Isn't that sad," says George Skaff, marketing VP at Digital Persona, a maker of fingerprint readers for computers. CSOs won't be surprised to learn that Skaff's company has fielded many calls recently from state and local government clients that want to comply with federal authentication standards. "Some are spreading the word" about the technology's value, he adds.

Copyright © 2006 IDG Communications, Inc.
