Laptop Liabilities

6:00 PM -- R. James Nicholson, the U.S. Secretary of Veterans Affairs, is tiptoeing on banana peels these days, as criticism mounts about poor data management at his agency, the Department of Veterans Affairs.

On Wednesday, Nicholson hired ID Analytics of San Diego to monitor multiple industries for signs of illegal activity related to the agency's May laptop theft that put 26.5 million veterans and family members at risk of identity theft and fraud. (See VA Reports Massive Data Theft.)

The monitoring plan comes as a welcome alternative for Nicholson, who originally thought the VA would have to fork over millions to compensate veterans. The stolen laptop, however, was recovered by police in June, apparently untouched. The culprits were two teenagers who seemed to have no intention of using the data for identity fraud.

But relief for Nicholson is momentary these days. Another VA data theft in Pennsylvania last week has angry politicians calling for his resignation. Broadcast news sources quote Senate Minority Leader Harry Reid (D-Nevada) as stating: "Less than a month after promising to make the VA the 'gold standard' in data security, Secretary Nicholson has again presided over loss of the personal information of thousands more veterans."

Here's what happened: On August 3, VA subcontractor Unisys Corp. notified the VA that a desktop computer was missing from Unisys's offices in Reston, Va. The computer contained information on approximately 18,000 VA patients in VA medical facilities in Philadelphia and Pittsburgh, including their names, addresses, Social Security numbers, dates of birth, insurance information, dates of military service, and "insurance claims data that may include some medical information." Unisys, which has its own enterprise security practice, had been hired to collect outstanding medical fees for the VA.All this would be bad enough, but it's apparently the tip of an iceberg. Nicholson recently came clean on other data compromises: On May 5, just two days after the notorious Maryland theft, a VA regional office in Indianapolis was robbed of a computer containing 16,538 legal case records. And in 2005, a VA employee in Minneapolis locked a laptop containing sensitive data on 66 veterans into the trunk of a car, which was stolen.

Legislators are planning to revamp the VA's IT organization with an eye to putting in a CIO who can implement some security policies. Meanwhile, Nicholson is one hurtin' dude. "The world of information technology at the VA, and across the entire Executive Branch, will never be the same," writes Bruce Brody, a former government agency CIO who is now an analyst with Input. (See Portable Problems Prompt IT Spending.) Brody presented his suggestions for remedying the VA's data problems before the House Committee on Veterans Affairs this past June.

Hopefully, R. James Nicholson will listen. He's surely is someone who could use a good storage/security consultant.

Mary Jander, Site Editor, Byte and Switch