When California's SB-1386 data breach disclosure law and others like it went into effect, legislators wanted to...
use the hammer of public disclosure and embarrassment to prevent organizations from making silly, preventable errors that result in the disclosure of confidential data.
If IT managers and others with access to sensitive information knew that their names and their employers' names would be splashed across the front pages of the nation's newspapers, then surely they'd take extra precautions with customer data. Or so the theory went.
But as the flood of such incidents continues unabated, it has become painfully clear that this theory has largely failed in practice. Perhaps no incident better illustrates the problem than the recent theft of a laptop and external hard drive belonging to a Department of Veterans Affairs employee and containing personally identifiable information on 26.5 million veterans and active military personnel. The comedy of errors at the VA both before and after the theft was laid out last week in a blistering report (.pdf) by the department's Office of the Inspector General, which recently completed an investigation of the incident.
According to the report, the VA employee -- who has never been publicly identified -- was not authorized to take home the data that was eventually stolen, and was in fact using the data to work on a side project on his own time.
"While the employee had authorization to access and use large VA databases containing veterans' personal identifiers in the performance of his official duties, his supervisors and managers were not aware that he was working on the project, and acknowledged that if they had [known], they would not have authorized him to take such large amounts of VA data home. In fact, one manager could not justify taking such a large amount of data home under any circumstances," the report said.
Once the employee realized the data was lost, he reported the incident to the department's internal security staff, but wasn't interviewed about the kind and scope of the data loss until two days later. Then, thanks in part to a strained relationship between two senior VA officials -- Dennis Duffy, the acting assistant secretary for policy planning and preparedness, and his subordinate, Michael McLendon, deputy assistant secretary for policy -- Duffy did not receive the initial report on the theft until May 8. And even then, Duffy told Inspector General George Opfer that he didn't see the loss of data as a crisis.
"Mr. Duffy did not discuss the matter initially with Mr. McLendon, noting that there had been a long and very strained relationship with him. Both Mr. Duffy and Mr. McLendon bear responsibility for the impact that their strained relationship, which both acknowledged, may have had on the operations of the office in handling the aftermath of the incident," Opfer wrote in the report.
This series of events shows just how little has changed in the past couple of years. Federal lawmakers have been pushing for broader and stronger notification bills, but a bigger stick likely will make little difference in the grand scheme of things. What's really needed is for the government to lead by example. Given the intense scrutiny federal agencies receive from the Government Accountability Office, Congressional committees and the press, they should be at the top of their game when it comes to information security and privacy.
Instead, their policies serve as cautionary tales. VA officials should have used the incident as an opportunity to show other federal agencies and private sector companies how to handle such problems. They had a perfect chance to step forward, admit the mistake and then publicly discuss the improved policies and procedures they would put in place to ensure that a similar incident didn't occur in the future. But, as the inspector general's report makes plain, the officials had better things to do.
"At nearly every step, VA information security officials with responsibility for receiving, assessing, investigating or notifying higher-level officials of the data loss reacted with indifference and little sense of urgency or responsibility," the report said.
So, rather than spending precious time and resources fine-tuning competing data breach notification bills, perhaps our congressmen would be better off walking a few blocks from Capitol Hill to any of the federal agencies around town and having a look at what they're doing to protect Americans' confidential data. If the state of affairs at the VA is any indication, it likely wouldn't take long.