Federal data security laws need more "teeth," VA Secretary Jim Nicholson told Congress today, News.com reports. "While we have a system in the government of doing background investigations (on those to) whom we will give access to classified information, we do not have a similar screen (for) those to whom we will give enormous amounts of (personal) data," Nicholson told the House Committee on Government Reform.
"It's an emergency at the VA, and it should be an emergency in our society," he said.
Committee chair Rep. Tom Davis (R-Va.) is considering changes to the Federal Information Security Management Act of 2002, which outlines procedures federal agencies must undertake in order to protect their data and systems.
Under FISMA, agencies must notify law enforcement and internal inspectors general when a breach occurs, but the law does not require notification of potential victims or the public. Davis said the time has come to update the law to include penalties, incentives and "proactive notification requirements." Since the FBI wasn't notified until 13 days after the breach, it appears the VA was in violation of FISMA.
Other comments on the issue at the hearing:
Rep. Bernie Sanders (Ind.-Vt.): "My hope, Mr. Secretary is...that in case there is identity theft taking place, you will do everything you can to protect our veterans financially and legally and you will come before the Congress to do that."
David Walker, comptroller general for the Government Accountability Office: "Public disclosure of major data breaches is a key step to ensuring that organizations are held accountable for the protection of personal information." With or without new legislative action, Walker urged all agencies to limit collection of and access to personal information, to curb the amount of time such records are retained and to consider using encryption and other technological controls, particularly when data is stored on mobile devices.
Nicholson has ordered that every VA laptop undergo a review designed to ensure that all security and virus software is current, and he prohibited future use of personal laptops or computers for official business.