Computer Law/Computers at Work
Expert: Chris Wagoner - 11/9/2008
Question: My friend and I have been discussing a recent incident involving theft of personal data of millions of U.S. veterans from the residence of an employee of the U.S. Department of Veterans Affairs (VA).
My question is this: "Was the employee justified in taking home official data? What are the possible consequences associated with the data loss? What action can the company take against the concerned employee?"
Answer: Hi John,
I think you're talking about the laptop that was stolen and recovered?
Stolen VA Laptop and Hard Drive Recovered
Officials Say Data Were Not Accessed
By Christopher Lee and Zachary A. Goldfarb
Washington Post Staff Writers
Friday, June 30, 2006; A01
Federal officials yesterday announced the recovery of computer equipment stolen from an employee of the Department of Veterans Affairs. They said that sensitive personal information of 26.5 million veterans and military personnel apparently had not been accessed.
The laptop and external hard drive, stolen May 3 from a VA data analyst's home in Aspen Hill, contained the names, birth dates and Social Security numbers of millions of current and former service members. The theft was the largest information security breach in government history and raised fears of potential mass identity theft.
VA Secretary Jim Nicholson announced the recovery yesterday during a hearing of the House Committee on Veterans Affairs.
"Law enforcement has in their possession the laptop and hard drive," Nicholson said. "The serial numbers match. They are diligently conducting forensic analysis on it to see if they can tell whether it's been duplicated or utilized or entered in any way, and that work is not complete. However, they did say to me that there is reason to be optimistic."
FBI officials and local authorities said at a news conference that a person who had the laptop contacted U.S. Park Police on Wednesday after seeing news accounts and notices of a $50,000 reward offered by Montgomery County police. The devices were recovered in the "general vicinity" of Aspen Hill, said Chief Dwight E. Pettiford of the Park Police.
FBI Special Agent in Charge William D. Chase, of the agency's Baltimore office, said it is "way too early" to say whether the person will get the reward or whether criminal charges will be filed soon. FBI spokeswoman Michelle Crnkovich said the tipster is not a suspect.
"A preliminary review of the equipment by computer forensic teams has determined that the data base remains intact and has not been accessed since it was stolen," the FBI said in a statement. "A thorough forensic examination is underway, and the results will be shared as soon as possible."
Lawmakers hailed the investigative work but said VA still has much to do to improve data security.
"[T]he basic deficiencies leading to this data loss must be corrected," Rep. Steve Buyer (R-Ind.), chairman of the Veterans Affairs Committee, said in a statement. "The history of lenient policies and lack of accountability within VA management must be rectified."
Rep. Lane Evans (Ill.), the committee's ranking Democrat, said in a statement: "Today's announcement does not relieve the Department of Veterans Affairs from fixing its broken data security system and failed leadership."
The theft has proved to be an embarrassing and expensive management failure for VA. In a series of hearings, lawmakers have criticized Nicholson for the department's lax security practices and sluggish response, noting that the secretary was not told of the burglary for 13 days. The incident also has cast light on the department's consistent ranking near the bottom among federal agencies in an annual congressional scorecard of computer security.
Pedro Cadenas Jr., the VA official in charge of information security, resigned yesterday for personal reasons, VA officials said. Earlier, a high-ranking political appointee was dismissed and a longtime career manager was forced to retire.
The Bush administration this week asked Congress for $160.5 million to pay for free credit monitoring for veterans and military personnel. VA already has budgeted $25 million to create a call center to handle veterans' questions and to send letters alerting veterans about the theft. Several veterans groups have filed class-action lawsuits locally and in Kentucky against the government, seeking $1,000 in damages per affected veteran.
Initially, VA thought that all of the 26.5 million people affected were veterans. But a database comparison revealed that the stolen equipment also contained Social Security numbers and other personal information for as many as 2.2 million U.S. military personnel, including 1.1 million active-duty military personnel, 430,000 National Guard members and 645,000 reserve members.
Nicholson said it is too early to tell whether free-credit monitoring for veterans is now unnecessary. VA still plans to hire a data analysis company to monitor whether veterans' identities are being stolen, he said.
Rep. Bob Filner (D-Calif.) said yesterday that three VA documents obtained by the Veterans Affairs Committee indicate that the data analyst was authorized to take a laptop home and use a software package to access the data. That contradicted Nicholson's previous testimony that the employee was not authorized to have the information at home.
"He got all the approvals that he was supposed to have," Filner said. "I don't know of a policy that he violated, if you'll tell me one. And that's the real negligence -- that there were no policies."
Nicholson said he had not seen the documents, and declined to comment because the career analyst is challenging Nicholson's decision to fire him.
Tim S. McClain, VA's general counsel, told the panel that one of the documents did not apply to the laptop that was stolen. He acknowledged that the other documents granted the analyst access to Social Security numbers and permitted him to have software at home.
Jim Mueller, commander-in-chief of the national Veterans of Foreign Wars, applauded the equipment's recovery, but said in a statement that Nicholson still has much to do to repair the agency's reputation.
"The longer Secretary Nicholson waits to hold people accountable, the more confidence he will lose in the eyes of America's veterans, their families, and those who wear the uniform today," he said.
Then this on it also:
V.A. Laptop Is Recovered, Its Data Intact
By JOHN FILES
WASHINGTON, June 29 — The government has recovered a stolen laptop computer and external hard drive that contains the birthdates and Social Security numbers for millions of veterans and military personnel, the Department of Veterans Affairs said Thursday.
The Federal Bureau of Investigation said in a statement from its Baltimore field office that it appeared that the data had not been copied or misused.
"A preliminary review of the equipment by computer forensic teams has determined that the database remains intact and has not been accessed since it was stolen," the statement said.
Michelle Crnkovich, a spokeswoman for the F.B.I. in Baltimore, said the computer was turned over to agents there on Wednesday. The person who delivered the laptop has not been charged, Ms. Crnkovich said. A $50,000 reward had been offered for information related to the computer.
Ms. Crnkovich said the United States Park Service had helped in the recovery of the equipment, which will be further tested by F.B.I. officials in Washington.
Veterans Affairs Secretary Jim Nicholson said on Capitol Hill on Thursday that there were no reports that the stolen data had been used for identity theft. But he acknowledged that the situation had "brought to the light of day some real deficiencies in the manner we handled personal data."
The laptop computer and a detachable hard drive were stolen in a burglary on May 3 from the home of an agency employee in Aspen Hill, Md. Some officials at the Department of Veterans Affairs learned of the theft almost immediately, but Mr. Nicholson said he was not notified until May 16.
Because of the delay, the F.B.I. did not find out about the theft until about two weeks after the burglary, which was under investigation by the police in Montgomery County, Md.
Officials at the veterans agency have said the employee violated department procedure by taking the information home. But The Associated Press reported on Wednesday that agency documents showed that the employee had approval to work on his laptop from home.
A spokesman for the agency, Matt Burns, said the employee had been put on administrative leave while the agency sought his dismissal. Mr. Burns declined to comment on the report by The A.P. "because it is an ongoing personnel matter."
Mr. Nicholson has said he wanted to dismiss the employee outright but was told he could not because of federal job-protection rights.
The records included names, dates of birth and Social Security numbers for millions of people, although the exact number has not been clear. At first, the department said information on 26.5 million veterans was affected. Later, it said the number included forces on active duty, as well as veterans.
Last week, the agency lowered the number of people at risk to 17.5 million, saying the earlier estimate had not taken into account deaths and duplication of records.
The data theft and the confusion about the scope of the breach have caused the agency to be sharply criticized by veterans' groups, and several have joined a class-action lawsuit. Federal lawmakers have also been critical.
Representative Steve Buyer, the Indiana Republican who is chairman of the House Veterans Affairs Committee, said he hoped that the recovery of the computer would allow veterans to "breathe a sigh of relief." But he added that it would not diminish concerns over the department's handling of personal information.
"We will hold the V.A. responsible and accountable," Mr. Buyer said.
The chairman of the Senate Veterans Affairs Committee, Larry E. Craig, Republican of Idaho, said in a statement that the recovery of the equipment was "wonderful for veterans and active duty personnel," adding, "We have all learned, as well, that serious changes are needed in data protection governmentwide."
The department offered to pay for a year of free credit monitoring for the veterans, which it said would cost about $160.5 million. The director of the White House Office of Management, Rob Portman, suggested Wednesday that the department pay for such monitoring with about $130 million from a food stamp employment and training program, a farmers' assistance program, student loans and a program for young people released from prison.
Asked whether the department would carry out its plan for credit monitoring now that the data has been recovered, the V.A. spokesman, Mr. Burns, said the "next steps are going to be determined after receiving additional information on law enforcement's analysis of the recovered equipment."
Employees should not remove any data storage devices (laptops, USB drives, external drives and any other data storage devices) from their work, unless it's encrypted in such a way as to be 100% secure.
Possible consequences? ID Theft in the millions, and millions of dollars in personal money loss, and other things related to ID theft.
Any employee that removes data like that, without taking the proper safety precautions, and has permission, should be fired.
Hope that all helps and answers your questions. Be well...