The Veterans Affairs (VA) data breach of 2006 was not so much an attack as a failure of access controls and a mishandling of private and personal information. A VA data analyst reported a laptop stolen from his home that held data on approximately 26.5 million veterans, including names, dates of birth, Social Security numbers, and disability ratings (Stout, 2006). Most of the data on the hard drive related to the veterans themselves and their spouses.
At present, there are numerous federal requirements governing the protection of personal information and the response to data breaches. First, private and personal data must be encrypted at every stage: in storage, in transit, during processing, and when the data is discarded. Second, personally identifiable data must not leave the organization's premises without proper safeguards and authorization. Finally, there must be an effective and timely notification procedure once a data breach has been detected or reported. Millions of veterans were left potentially exposed to identity theft by the VA breach, which is why the VA settled out of court without admitting that it had broken any law. The VA Inspector General's (IG) report faulted both the data analyst and his supervisors for the breach. The unencrypted data included names, birth dates, and Social Security numbers. The 2006 incident was the second time since 2004 that the VA had been found in violation of the Federal Information Security Management Act and of the notification requirements outlined in the GLBA.
In the VA case, several information security and privacy failures made the organization and its assets more susceptible to attack. First, VA information security procedures required the personal and private data on the laptop's hard drive to be encrypted, but it was not (Stout, 2006). Second, the data analyst had no authority or permission to remove the laptop from the VA facility at all, let alone one holding unencrypted data drawn from the VA server. Finally, the VA supervisors delayed notifying the Secretary of Veterans Affairs of the breach for almost three weeks after the employee reported the laptop stolen from his home, leaving the agency even more vulnerable.
Since the 2006 breach, the VA has made significant progress in implementing improved security and privacy controls. First, the organization has invested heavily in information technology systems, IT specialists, and information security training to mitigate data loss of the kind experienced in 2006 (Mosquera, 2012). Second, it has put in place IT and security policies and procedures, together with defined methods and timelines for breach notification and reporting.
VA leadership could have played a critical role in minimizing organizational risk and impact by taking immediate and decisive action. For instance, the VA supervisors failed to report the employee's stolen laptop on time, which indicates that there were no established procedures for how data breaches were to be reported (Vijayan, 2007). The VA IG report found that the VA lacked a data breach response plan and lacked an acceptable (if any) data breach training program for its employees. This is surprising, given that the VA had suffered a similar breach just a few years earlier. Fortunately for the VA, the FBI reported no evidence that whoever stole the laptop had gained unauthorized access to the personal information on it. Although the computer was recovered almost a month after it was stolen, the VA paid a $20 million settlement without admitting any guilt, any violation of the Privacy Act, or any other legal basis for liability (Conn, 2009).
References
Conn, J. (2009). VA to pay $20 million for 2006 laptop data breach. Modern Healthcare.
Mosquera, M. (2012). 6 lasting effects of 2006 VA data breach on privacy, security. Healthcare IT News.
Stout, D. (2006). Personal data of 26.5 million veterans stolen. The New York Times.
Vijayan, J. (2007). One year later: Five lessons learned from the VA data breach. Computerworld.