Teens arrested in that theft of VA PC with 26.5M vet records on it. Questions remain


TOPICS: Big Data

OK, so arrests have been made but some questions remain unanswered if you ask me.  According to a CNN version of an Associated Press story:

Two teenagers were arrested Saturday in the theft of a laptop and hard drive containing sensitive data on up to 26.5 million veterans and military personnel, authorities said. ... The government-owned equipment was stolen May 3 during a burglary at the Maryland home of a Veterans Affairs employee. The laptop and hard drive were turned in to the FBI on June 28 by an unidentified person in response to a $50,000 reward offer. ... Authorities said the suspects did not specifically target the VA employee's home in Aspen Hill, Maryland, and did not realize the hard drive contained veterans' information until the case was publicized.

"While this arrest is good news, we were lucky that the data belonging to veterans was not accessed and misused," Steve Buyer, chairman of the House Veterans Affairs Committee, said in a statement. ... "The vulnerability is real and with the help of Congress, VA must move forward with information security reform," said Buyer, R-Indiana. ... Congress is investigating the steps leading up to and after the theft.

To me, it's a bit of a placebo that Congress is looking into things. Given how lawmakers have traditionally handled IT matters (Net Neutrality, SPAM, laws regarding disclosure when there's a data compromise, etc.), I don't have very high expectations of any Congressional outcome. If anything, the result may very well be a law that's either watered down or simply unrealistic to put into place. But, at the very least, a great question is raised -- one that every CIO and IT manager should be asking of their staffs. What was it about whatever applications were being applied to the data that required or allowed so much sensitive data to be stored on a personal computer?


Talkback

4 comments
  • The person who should REALLY be in the dock...

    ... is the idiot who permitted personal data to be stored in its entirety on an unencrypted laptop. He probably thought "It'll never happen to me".

    The sad truth of the matter is that public servants everywhere seem to fail in this respect and laptops full of sensitive data seem to get stolen on a frequent basis.

    A few public "executions" for such gross negligence might wake some people up.
    bportlock
    • It goes well beyond civil servants

      Inept IT security policies and protocols aren't exclusive to 'gummit'.
      flatliner
  • What congress should do.

    I tend to share David's mistrust of any likely legislative solution. I think the best thing they could do is not get into the details of creating policy around how this kind of information will be stored. Instead, they should put a law in place that provides restitution to those who are (or may be if unknown exactly) impacted by a loss of sensitive data. I'm not sure of the exact dollar amount, but $500 seems like a good starting point (per lost SS #, for example). I would measure this by what you would feel is fair compensation for just the worry this would cause you if some fool lost your personal information (happened to me recently). Key to this would be not exempting government, and strong laws to discourage cover-ups. Then, let industry and government groups decide how they want to make sure they build the right processes to protect themselves.

    If the VA had seen that hard drive as a multi billion dollar asset (which I think it actually is), they would have had the right process in place. If not, the head of the agency would have resigned and the head of security fired.
    enduser_z
    • One more point.

      Part of the solution many agencies and private organizations would adopt is to rethink if they really need this kind of personal information. Right now with no liability assigned it isn't uncommon to get asked for a SS# to rent a movie, etc. This kind of foolishness would end right away under the laws I proposed above.
      enduser_z