The United States Department of Veterans Affairs is reporting that it has recovered the stolen laptop computer believed to be carrying the personal records of 26.5 million former and current servicemen, a theft that touched off a firestorm of debate over the government's data handling policies.
A Veterans Affairs spokesman confirmed to eWEEK on June 29 that the agency had somehow gotten its hands back on the stolen machine and an external hard drive that was also taken, while not offering any details as to how the devices were returned. Veterans Affairs Secretary Jim Nicholson also confirmed the recovery to reporters in Washington.
"The department and the secretary are encouraged by this development, and it is certainly good news for veterans," the VA spokesman said. "The secretary is still committed to moving the VA forward and putting policies and procedures in place to ensure that this doesn't happen again."
The government had been offering a $50,000 reward for the laptop's return, but the spokesman could not confirm whether the sum would be paid out as a result of the laptop's recovery.
The situation began when a contractor working for the VA had his Maryland home robbed after taking the computer and an external hard drive out of the office to do work. The employee reported the loss of the laptop and accompanying hard disk to police and to his supervisor as soon as the theft was discovered, but that fact was not passed up to higher levels of management until weeks later, at which time it was first reported publicly.
According to documents submitted as part of a class-action suit filed as a result of the data breach, it became known that the VA employee had been taking the personal information home routinely for at least three years, and that he had at some point been given permission to do so.
As a result of the fallout from the laptop theft, Nicholson announced several major initiatives to be undertaken by the VA in the name of preventing similar incidents. As part of the effort, every laptop computer in the Department of Veterans Affairs will be required to be returned to IT security personnel for a review to ensure that all security and virus software is current. At that time, personnel will remove all unauthorized information or software.
In addition, Nicholson ordered that no personal laptops or other computers would be allowed to connect to the VA's VPN or to perform any sort of official business. Along with recalling all laptops for their security audits, every VA facility will hold a "security stand down" the week of June 26.
In previous tests conducted by auditors assessing government agency compliance with the Federal Information Security Management Act, the VA repeatedly earned a grade of F for its security policies. The VA is not alone, however: the U.S. Department of Agriculture, Internal Revenue Service and Social Security Administration have also recently reported missing or stolen laptops, though the data losses in those incidents were much smaller than the VA's massive data breach.
Claiming that the Veterans Affairs Department had "flagrantly disregarded the privacy rights of essentially every man or woman to have worn a United States military uniform," two separate veterans groups filed massive class-action lawsuits against the agency. One of those suits asked that the courts prohibit the VA from handling any personal, privacy-protected data except under court supervision, and requested that the court create a set of "consensus minimal security standards" under which the VA can operate. The suit also asks for damages of $1,000 for every person listed in the missing database files.
The suit goes on to say that the "VA arrogantly compounded its disregard for veterans' privacy rights by recklessly failing to make even the most rudimentary effort to safeguard this trove of personally identifiable information from unauthorized disclosure."
Douglas Rosinski, the plaintiffs' attorney in one of the two cases being brought against the VA, said that the laptop theft and potential data breach were the result of a system of negligence at the VA, where workers ignored existing policies put in place to protect veterans' personal data.
"Even though the federal government has been after the VA to do something about this for years, it's clear they felt they could thumb their noses at the existing regulations," said Rosinski. "This wasn't an issue of ignorance; it was an issue of people who refused to improve data security policies even when told to do so."