Stolen VA laptop caught in safety net

Department’s mobile data security policies and practices prevented information breach

Agencies lag on security

Some agencies have not yet established security policies as the Office of Management and Budget directed them to do after a well-publicized security incident at the Veterans Affairs Department in 2006. VA computer equipment and data on 25.6 million veterans and their families was stolen. Government auditors released these figures in February to show the actions that agencies have taken to implement the security policies that OMB mandated after the 2006 laptop PC theft.

Encrypt mobile data:

Done: 22 agencies

Not done: 2 agencies

Add two-factor authentication:

Done: 14 agencies

Not done: 10 agencies

Add time-out function:

Done: 15 agencies

Not done: 9 agencies

Log computer extracts:

Done: 11 agencies

Not done: 13 agencies

Source: Government Accountability Office

The Veterans Affairs Department lost another laptop PC, but the department was better prepared this time.

When an employee at VA’s Austin Corporate Data Center in Texas had his laptop stolen from his apartment last month, the department’s revamped security policies and new security technologies were put to the test. Unlike what happened when a VA laptop was stolen in 2006, data on the newly missing laptop was protected by encryption, and VA officials knew exactly what equipment was missing.

“The safety net held,” said Adair Martinez, VA’s deputy assistant secretary for information protection and risk management. “Even though it can be hard to carry out some of the controls we require, the reward is that government information can’t be violated.”

In May 2006, when another employee had a laptop stolen that contained millions of veterans’ records, VA quickly established new policies, procedures and technology fixes to tighten data security. Experts say this latest VA incident shows that the department learned from its experience.    

VA protected the laptop with GuardianEdge full-disk encryption. No one lacking proper authentication could do more than turn on the computer. The encryption software would block unauthorized users from accessing the data, Martinez said.    

In the latest incident, the employee immediately reported the theft to VA and the Austin police department. Because VA followed information technology security policies and procedures, officials could determine that no sensitive data resided on the laptop.

VA had maintained its asset management inventory processes, so officials knew what equipment was missing. Employees are required to bring their laptops into their office’s IT shop at least every 30 days to receive software updates. Technicians upgrade Microsoft Windows, antivirus, intrusion-detection and encryption software during those updates, Martinez said.

On the evening of the theft, Austin police recovered the laptop in a raid on a convenience store suspected of involvement in drug activity. Police noticed the VA insignia flashing on a laptop running in the back of the store. Believing it might be stolen government property, the police took possession of it and notified the Homeland Security Department, which contacted VA and returned it. The only damage was a broken lock. The employee whose laptop was stolen had permission to bring the laptop home, where he had locked it down to furniture.

After the 2006 incident, OMB directed agencies to encrypt mobile data, implement a timeout function that requires reauthentication, and establish policies for logging computer-readable extracts from databases holding sensitive information.   

“Agencies are encrypting all data — data at rest, data that is mobile,” said Karen Evans, OMB’s administrator for e-government and IT. “We also are using two-factor authentication, which makes sure only authorized people are on your network.”

Data security policies and procedures are needed, but encrypting the data is what protected VA, said Alan Paller, research director at the SANS Institute. VA should be commended for having accomplished that, he said. “Encrypting data is the only defense against attacks right now.” 

About the Author

Mary Mosquera is a reporter for Federal Computer Week.


  • Government Innovation Awards
    Government Innovation Awards -

    Congratulations to the 2020 Rising Stars

    These early-career leaders already are having an outsized impact on government IT.

  • Cybersecurity
    cybersecurity (Rawpixel/

    CMMC clears key regulatory hurdle

    The White House approved an interim rule to mandate defense contractors prove they adhere to existing cybersecurity standards from the National Institute of Standards and Technology.

Stay Connected