
Another VA Computer Missing Containing Personal Data on 38,000 Vets...Are We Surprised?

It was disappointing, but not really surprising, to read in Computerworld today that another VA computer was missing. What is a bit unusual is that it was a desktop computer, as opposed to the typical missing or lost laptop, notebook, or handheld. This time it was a Unisys contractor who was using the computer.

"VA officials are also working with Unisys regarding an offer of credit monitoring and individual notifications to those who may be affected."

Gee...this is kinda "deja vu all over again," isn't it? The veterans were initially offered credit monitoring after the last incident, but the government cancelled that offer when the computer and disk were found months later. If a credit monitoring offer is made this time, do you think they will retract it...again...as soon as, and if, the computer is found, even though someone intentionally stole the computers?

"The loss of this computer comes just two days after Montgomery County Police in Maryland announced the arrests of two men accused of stealing a VA laptop and hard drive that contained identifying information on 26.5 million veterans and active-duty military personnel in May. That laptop was recovered in June and the VA does not believe that any of the personal information contained on it was compromised."

Yah...right...there is no way to tell for certain that data has or has not been copied. Recovering the hardware proves only that the hardware came back; copying a disk leaves no mark on the original. If these two men stole the computer and hard drive, they could very well have made a copy, or several copies, of the data to use for years into the future. Sensitive data on 26.5 million people is a pretty good retirement plan.

"[The] VA is making progress in efforts to reform its information technology and cyber security procedures, but this report of a missing computer at a subcontractor's secure building underscores the complexity of the work ahead as we establish VA as a leader in data and information security," said Nicholson in the statement.

Organizations of every size need to be diligent about information security practices. Small and medium sized businesses often do not have dedicated information security personnel on staff to comprehensively address security issues. Some organizations are such behemoths that a centralized information security office with too few employees cannot effectively address security throughout the entire organization. Veterans Affairs is such a behemoth: 235,974 employees at the beginning of the year, not to mention thousands of contractors, with around 500 information security officers. So roughly 0.2% of the staff, significantly less than 1%, are responsible for securing a vast amount of sensitive data on "approximately 70 million people" that is scattered among potentially thousands of locations.

I believe many more organizations lose laptops, notebooks, handhelds, storage media and so on than are ever reported...even with today's breach notification laws.  I know in speaking with several organizations that many of these losses and thefts are reported to physical security and the insurance claimed on the hardware value, and the information security department often does not find out until days, weeks, or even months later, if ever at all, and then there is often no idea of the types of data that were on the devices.

This situation points out some important lessons for organizations.

  • You need enough people responsible for information security to have effective information security.
  • You need policies and procedures in place to ensure the security of laptops, storage devices, and end-user computers, and you need to enforce them consistently.
  • You need a comprehensive inventory of data and computing devices, so that you do not misplace important information and so that you know what was on a device when it goes missing.
  • You need to perform consistent, effective security program reviews of the organizations to which you entrust sensitive information and its processing, so that their sloppy or insecure practices do not put your organization at risk or result in significant negative impact to it.
  • The more distributed data is, and the more mobile data is, the more at risk data is.
  • The more you depend upon end-users for securing information, the more information security and privacy education, training, and awareness must be provided on an ongoing basis.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books, dozens of articles, and has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.