WASHINGTON—Secretary of Veterans Affairs R. James Nicholson on June 8 called for criminal penalties for VA personnel who fail to secure protected personal information.
Nicholson called for the heavier sanctions in an impromptu press conference in the Rayburn House Office building. He was speaking to reporters following a hearing before the House Government Reform Committee where he was questioned about the theft of records containing personal information on over 26 million current or former members of the U.S. military.
In his testimony before the committee, Nicholson recapped the events leading up to the data loss, and explained what he had done once he learned of the problem nearly a month after it was originally reported to police.
"I am outraged at the theft of this data and the fact an employee would put it at risk by taking it home in violation of VA policies," Nicholson said in his statement to the committee.
He also said that he was greatly concerned about the slow response by VA management when the data loss became known.
Nicholson also announced several major initiatives that would be undertaken by the VA this month. The major effort will take place during the week of June 26, 2006, when every laptop computer in the Department of Veterans Affairs will be required to be returned to IT security personnel for a review to ensure that all security and virus software is current.
At that time, personnel will remove all unauthorized information or software. In addition, Nicholson has ordered that no personal laptops or other computers will be allowed to connect to the VAs VPN or to perform any sort of official business.
In addition to recalling all laptops for their security audits, every VA facility will have a "security stand down" the week of June 26 for Security Awareness Week.
"Managers throughout VA will review information security and reinforce privacy obligations and responsibilities with their staff," Nicholson said.
When asked about his actions following the theft of the VA laptop computer, Nicholson said that he has fired the employee who had the computer stolen.
He said that other personnel actions were also taken. "The acting assistant secretary was let go," Nicholson said, "and the deputy assistant secretary has been let go."
In addition to the firings, he said that he plans to implement even tougher policies. He noted that he expected to see criminal prosecutions stem from the VA data loss.
Committee Chairman Tom Davis (R-Va) expressed concern that the VA data security problems would be used by managers as an excuse to cut back or eliminate the current federal telework programs that let government employees work from home or telework centers in an effort reduce costs and commuting impact.
Davis also said he hoped Nicholson would be able to accomplish what hes set out to do.
"This has been a very dysfunctional agency for a long time," Davis told eWEEK in an interview following the committee hearing. "Were going to continue to hold their feet to the fire."
He pointed out that the VA gets a new FISMA (Federal Information Security Management Act) report card out next spring, and he looks forward to seeing that.
Previous FISMA reports have always given the VA a grade of F in security. Davis also said that he just learned that the VA wasnt employing encryption as a part of its security. "Its routine in the private sector," he said.
Nicholson said that he has created a task force to review access by all employees to sensitive data by June 30, and to determine who actually needs access.
He also noted that he expects all agency employees to have completed training in information security and proper handling of sensitive information by that date.
"We are accountable not only to Congress, but also to our nations veterans and our men and women who are wearing the uniform today," Nicholson said.
"It is my pledge to you that I am, and will remain, guided in my leadership of VA by what is best for our veterans."
Also testifying at the June 8 hearing were representatives of the IRS and the Social Security Administration.
Both of those agencies had also reported missing or stolen laptops recently, but the data losses were much smaller.