VA Secretary Wants Penalties for Mishandling Personal Data

By Stephen Barr
Friday, June 9, 2006

The secretary of veterans affairs, R. James Nicholson , in the spotlight because of a breakdown in data security, called yesterday for tougher penalties on federal employees who mishandle sensitive information.

Nicholson told the House Government Reform Committee that it is "too hard, in my opinion, to discipline people in the civil service -- it's too hard to impose sanctions."

He recommended that the committee look at the 1996 Health Insurance Portability and Accountability Act, or HIPAA, as a model. The law allows the government to levy fines against individuals, doctors and hospitals that violate patient privacy rules and, in cases of intentional violations, permits the Justice Department to pursue criminal penalties.

"I think we should consider putting the same kind of teeth into an enforcement mechanism for the compromising and the careless and negligent handling of personal information," Nicholson said.

In early May, a career employee of the Veterans Affairs Department reported the theft from his Maryland home of a laptop computer and a hard drive containing names, Social Security numbers and dates of birth of at least 26.5 million veterans and active-duty members of the armed forces, including the National Guard and reserves.

The employee was not authorized to work on the files at home, the VA said. Officials have placed the employee on administrative leave and started the process that leads to a firing. Two superiors, including a political appointee, have been "let go," Nicholson testified.

Nicholson said the government conducts background investigations on employees who are given access to classified information but said "we do not have a similar screen for those to whom we will give enormous amounts of data."

The employee who took the data home has worked at the VA for 34 years but had not had a background check in 32, Nicholson said. The employee had signed this year's form on security awareness, he said.

Members of the House Government Reform Committee, chaired by Rep. Thomas M. Davis III (R-Va.), did not directly address Nicholson's suggestion that Congress move to provide additional sanctions against federal employees who compromise personal information and put citizens at risk of identity theft.

"It is beyond stupid to take out sensitive documents," Rep. Christopher Shays (R-Conn.) said. "But I have a sense that this is a common practice."

Clay Johnson III , a deputy director at the Office of Management and Budget, said there are dozens of security breaches involving laptops each year. In the VA case, he said, "the magnitude of it is the alarming thing."

Johnson said he thinks federal laws, policies and standards are sound, "but we can and must do a much, much better job of implementing them." He said federal policy calls for data encryption and the use of passwords to protect data taken out of the office on laptops. The information on the stolen VA laptop was not encrypted, officials have said.

As part of an effort to strengthen data security at the VA, Nicholson said he has instructed the department's 235,000 employees to complete privacy and cybersecurity training by June 30.

During the week of June 26, VA employees across the nation will "stand down" so managers can review information security and reinforce privacy obligations with their staffs, Nicholson said.

He also has banned employees who adjudicate benefit claims from taking files from regular workstations to alternative locations or to their homes for processing. He also has prohibited employees from using personal laptops or computers for VA business, including for access to the department's "virtual private network." About 35,000 VA employees have access to the department's secure network.

Nicholson said the department has an obligation to ensure that employees "have the right training, that they have been instilled with the sense of discipline and the commitment to be careful in their trusteeship of this data."

Talk Shows

Art Gordon , president of the Federal Law Enforcement Officers Association, and Jon Adler , the group's executive vice president, will be on "FEDtalk" at 11 a.m. today on and WFED radio (1050 AM).

Reginald Wells , chief human capital officer at the Social Security Administration, will be the guest on "The IBM Business of Government Hour" at 9 a.m. tomorrow on WJFK radio (106.7 FM).

Stephen Barr's e-mail address

© 2006 The Washington Post Company