VA chief vows "relentless" exam of data protection policies
- By Bob Brewin
- May 25, 2006
Jim Nicholson, the Department of Veterans Affairs’ secretary. testifying in Congress about the theft of personally identifiable data for every living veteran, vowed to enforce existing policies and procedures and institute new ones to ensure the department protects sensitive data.
The VA, Nicholson said, has “begun a relentless examination of its policies and procedures to make sure nothing like this happens ever again.”
Nicholson, testifying today before a joint hearing held by the Senate Veterans’ Affairs and Homeland Security committees, also acknowledged that the culture at the VA in regards to information security needs to change.
The agency has in place policy directives to safeguard sensitive information, but many VA employees view those directives as just guidelines, Nicholson said.
The data analyst who loaded personal information on 26.5 million veterans on a laptop computer at home which was stolen May 3, did so in direct violation of agency policy, Nicholson told the hearing.
Nicholson, an Army veteran who spent eight years on active duty 22 years in the Reserves, said “I’m damn mad about the loss of veteran data, and the fact that one person has put us all at risk.”
To ensure other VA make data protection a key part of their jobs, Nicholson said, every employee will be required to complete a cybersecurity and information privacy course by June 30 and will need to sign a privacy act statement on an annual basis.
The VA also intends to run regular background investigations on department employees who handle sensitive information, Nicholson said. The unidentified data analyst who lost the information has worked for the VA for 32 years and has not been subject to a National Agency Check since he was employed, Nicholson added.
Nicholson said he has started the recruitment process for a “personal information security czar” to ensure that data protection remains in the forefront at the department.
The VA will also work to encrypt sensitive information and plans to have new guidelines by June to govern user access to data, Nicholson told the hearing, but did not provide any details.