VA Admins -- Hold Your Fire!

I am certain the U.S. Department of Veteran Affairs will investigate the circumstances surrounding the VA analyst who lost personal data on 26.5 million veterans, correlate the facts, and then fire that employee.

If this analyst was acting with malicious intent, the VA would be right to cut him loose. But assuming all the facts we have to date are accurate, firing him would be shortsighted and wrong. Average employees do not take work home with them; only motivated employees--an organization's best employees--do that. Firing this worker will send a message that will ripple through both the public and private sectors: "Take work home with you, and we will fire you."

Instead, the VA must confront the system that let this volume of data leave the building. The analyst was not authorized to take this data home, according to the reports we've seen, but he'd been doing so for three years, which means the VA can't--or doesn't--enforce its own security policies.

The VA should reprimand this analyst, then undertake some serious work to deploy mechanisms such as extrusion prevention to ensure that no other well-meaning employee can unwittingly put veterans' identities at risk.