Executive Summary on Veterans Affairs (VA) and Loss of Private Information
Problem 1: The VA employee had authorization to access and use the VA databases for the performance of official duties. He was not, however, authorized to take the data home, as he had no official need to have it there. The private data was not properly safeguarded: he failed to password-protect or encrypt it.
Problem 2: The response of managers and senior executives regarding the notification of stolen data was inappropriate and not timely. They failed to determine the magnitude of the data loss. There was a failure to notify appropriate law enforcement entities of the potential impact on VA programs and operations.
Problem 3: The Secretary of Veterans Affairs' immediate staff showed a lack of urgency in notifying him. They did not notify the Secretary until 16 May 2006 – a full 13 days after the theft of the data. The incident was not clearly identified as high priority, and there was a failure to follow up on it until after they received a call from the Inspector General.
Problem 4: Information security officials failed to effectively trigger the appropriate notifications and begin an investigation of the stolen data. The information security official's incident report contained omissions and significant errors. This resulted in a missed opportunity to re-create the contents of the laptop and external drive and to recognize the severity of the potential data loss. The cybersecurity operations officials failed to ensure that a timely investigation was conducted and that notifications were made regarding the severity of the lost data.
Problem 5: VA policies, procedures, and practices were not easy to identify, were not current, and were not complete. The VA policies and procedures for safeguarding against disclosure of private information were inadequate with regard to preventing the data loss incident. The policies and procedures for reporting and investigating lost or stolen private data not...