By Stephen Barr
Friday, July 14, 2006; D04
Bad judgment. Poor communication. Office politics.
Those are key themes in a report by George J. Opfer, the inspector general at the Veterans Affairs Department, recounting what went wrong in the recent theft of sensitive personal data on 26.5 million veterans.
Opfer's report, released this week, serves as a powerful reminder that common sense and clear policies can help avert damaging mistakes.
The VA case began on May 3, when the Maryland home of a technology specialist was burglarized. The employee's personal laptop computer and an external hard drive were stolen. The employee quickly reported the theft and indicated that the hard drive contained files on living military veterans.
Thirteen days later, VA Secretary Jim Nicholson was told of the theft. Six days after that, Congress and veterans learned that personal records might have been compromised -- setting off a huge uproar about identity theft and feeding fears that the government can't be trusted to do the right thing.
Fortunately, police recovered the laptop and hard drive last month, and the VA and FBI said tests show that the thieves did not access the data.
Here are snapshots from Opfer's account:
· The employee was not authorized to take VA data to his home.
The employee -- who is not named in the report -- told investigators that most of the data was for a "fascination project" that "he self-initiated and worked on at home during his own time."
He had started the project in response to criticism about the reliability of the 2001 National Survey of Veterans and was trying to identify 7,000 veterans who participated in the survey to compare the accuracy of their responses with information in VA files. He started his effort in 2003 but could not recall spending time on it in 2006.
The employee acknowledged that he took the data's security for granted and did not protect the files with encryption or with passwords.
Opfer's report concluded that "the employee used extremely poor judgment." But it also pointed out that VA managers knew little about the employee's work. "It was not clear who actually supervised him," the report said.
· The VA failed to quickly determine the scope of the problem.
Two days after the theft, a VA information security officer interviewed the employee. He found the employee "flustered" and "going in so many directions he could not take good notes." The officer told the employee to provide an account in writing.
When later questioned about the case, the officer said, "I'm not an investigator. I'm a computer tech guy that has a job."
Once the officer got the employee's statement, he drafted a "white paper on lost data" that he e-mailed to Dennis Duffy, a career federal manager, and Michael McLendon, a political appointee. McLendon rewrote the employee's report and, without consulting the employee or a programming expert, incorrectly said that a statistical software program would make it difficult to access the data.
No one on the senior staff ever followed up and interviewed the employee.
· Office politics probably got in the way of an orderly response.
McLendon did not inform Duffy, his supervisor, when he learned of the theft. "Mr. Duffy said that Mr. McLendon had a very strong belief that, as a political appointee, he reported in some fashion to the secretary and that there was no need for a 'careerist' to supervise him. Mr. McLendon characterized the office as one of the most dysfunctional organizations in VA, and that it was one of the most hostile work environments he ever worked in."
Duffy told investigators that he knew the VA had a responsibility to mitigate any harm to veterans but also knew how the VA operated: "They do not do crisis management." He expressed regret that he "failed to recognize the magnitude of the whole thing."
In the wake of the data loss, Duffy has retired and McLendon has resigned, according to the VA.
Talk Shows
Darryl Perkinson, president of the Federal Managers Association, and Mike Causey, columnist for Federal News Radio, will be among the guests on "FEDtalk" at 11 a.m. today on federalnewsradio.com and WFED radio (1050 AM).
James F. Sloan, assistant commandant at the U.S. Coast Guard for intelligence and criminal investigations, will be the guest on "The IBM Business of Government Hour" at 9 a.m. Saturday on WJFK radio (106.7 FM).
Stephen Barr's e-mail address is barrs@washpost.com.