
On Day Stolen VA Laptop and Disk Recovered, VA Announces They Also Lost a Backup Tape In A Different Location

Well...Jim Nicholson, the VA Secretary, must be relieved the much publicized stolen laptop and disk were recovered (more on that later), but then he announced a backup tape "with more than 16,000 case records is missing from the Veterans Affairs regional office in Indianapolis."

Actually the backup tape was discovered missing on May 5, two days after the laptop and disk were stolen. Why did they wait to announce this additional incident along with the news of the recovered laptop and disk? Did the VA think that it would be just too overwhelming for the public to learn that the records of 26.5 million veterans and individuals in active service were stolen AND that a backup tape was missing? Likely they didn't want to look even more sloppy with information security practices...with incidents occurring at virtually the same time in different locations. I guess yesterday they saw a good opportunity for a "we have some good news, and bad news" moment.

Or, did they plan not to report the lost backup tape at all, but then decided it would lessen the impact of that incident if they announced it WITH the news that the laptop and disk were recovered? Both took way too long to be reported to those whose personal information was stored on the devices.

And the statements downplaying the likelihood that the data on the recovered laptop and disk was accessed are meant to be positive spin, but c'mon! In this day and age a significant portion of the population knows that complete disks and files can be copied without leaving any evidence of such activity. Regarding the recovered laptop and disk...

"The FBI, in a statement from its Baltimore field office, said a preliminary review of the equipment by its computer forensic teams “has determined that the (Maryland) data base remains intact and has not been accessed since it was stolen.” More tests were planned, however."

Who knows...or will ever know?  It's very possible the data was not copied.  But it's also possible it was.  Why can't the agencies involved with investigations be upfront with their statements and just admit that there is no way they can determine whether or not the data was copied?

Organizations who have incidents, thefts and losses need to realize there are tens of thousands of information security professionals who know better than to believe their spin...they should not release such downplaying comfort statements to the public in the same way a parent talks to their preschool child.  Not only will info sec pros see right through the spin, but those with no info sec savvy will gullibly believe that they have nothing to worry about.  People need to realize there are many more bad things that can be done with personal information than just commit identity theft...and the bad things can occur for a very long time after the incident. 


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books, dozens of articles, and has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.