Stolen VA laptop caught in safety net

Department’s mobile data security policies and practices prevented information breach

Agencies lag on security

Some agencies have not yet established security policies as the Office of Management and Budget directed them to do after a well-publicized security incident at the Veterans Affairs Department in 2006. VA computer equipment and data on 25.6 million veterans and their families was stolen. Government auditors released these figures in February to show the actions that agencies have taken to implement the security policies that OMB mandated after the 2006 laptop PC theft.

Encrypt mobile data:

Done: 22 agencies

Not done: 2 agencies

Add two-factor authentication:

Done: 14 agencies

Not done: 10 agencies

Add time-out function:

Done: 15 agencies

Not done: 9 agencies

Log computer extracts:

Done: 11 agencies

Not done: 13 agencies

Source: Government Accountability Office

The Veterans Affairs Department lost another laptop PC, but the department was better prepared this time.

When an employee at VA’s Austin Corporate Data Center in Texas had his laptop stolen from his apartment last month, the department’s revamped security policies and new security technologies were put to the test. Unlike what happened when a VA laptop was stolen in 2006, data on the newly missing laptop was protected by encryption, and VA officials knew exactly what equipment was missing.

“The safety net held,” said Adair Martinez, VA’s deputy assistant secretary for information protection and risk management. “Even though it can be hard to carry out some of the controls we require, the reward is that government information can’t be violated.”

In May 2006, when another employee had a laptop stolen that contained millions of veterans’ records, VA quickly established new policies, procedures and technology fixes to tighten data security. Experts say this latest VA incident shows that the department learned from its experience.    

VA protected the laptop with GuardianEdge full-disk encryption. No one lacking proper authentication could do more than turn on the computer. The encryption software would block unauthorized users from accessing the data, Martinez said.    

In the latest incident, the employee immediately reported the theft to VA and the Austin police department. Because VA followed information technology security policies and procedures, officials could determine that no sensitive data resided on the laptop.

VA had maintained its asset management inventory processes, so officials knew what equipment was missing. Employees are required to bring their laptops into their office’s IT shop at least every 30 days to receive software updates. Technicians upgrade Microsoft Windows, antivirus, intrusion-detection and encryption software during those updates, Martinez said.

On the evening of the theft, Austin police recovered the laptop in a raid on a convenience store suspected of involvement in drug activity. Police noticed the VA insignia flashing on a laptop running in the back of the store. Believing it might be stolen government property, the police took possession of it and notified the Homeland Security Department, which contacted VA and returned it. The only damage was a broken lock. The employee whose laptop was stolen had permission to bring the laptop home, where he had locked it down to furniture.

After the 2006 incident, OMB directed agencies to encrypt mobile data, implement a timeout function that requires reauthentication, and establish policies for logging computer-readable extracts from databases holding sensitive information.   

“Agencies are encrypting all data — data at rest, data that is mobile,” said Karen Evans, OMB’s administrator for e-government and IT. “We also are using two-factor authentication, which makes sure only authorized people are on your network.”

Data security policies and procedures are needed, but encrypting the data is what protected VA, said Alan Paller, research director at the SANS Institute. VA should be commended for having accomplished that, he said. “Encrypting data is the only defense against attacks right now.” 

About the Author

Mary Mosquera is a reporter for Federal Computer Week.


  • Workforce
    coronavirus molecule (creativeneko/

    OMB urges 'maximum telework flexibilities' for DC-area feds

    A Sunday evening memo ahead of a potentially chaotic commute urges agency heads to pivot to telework as much as possible.

  • Acquisition
    Shutterstock ID: 1993681 By Jurgen Ziewe

    Spinning up telework presents procurement challenges

    As concerns over the coronavirus outbreak drives more agencies towards expanding employee telework, federal acquisition contracts can help ease some of the pain.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.