The public was already worried about data security before 26.5 million U.S. veterans were put at risk for identity theft following a recent burglary.
Security experts say this latest incident shows that public and private organizations must do more to protect the information they keep and that Congress must offer stronger guidance.
"This should be a major wake-up call that one small event can have a potentially dramatic impact on millions of lives," said Paul Kurtz, executive director of the Arlington, Va.-based Cyber Security Industry Alliance. "I would think this should raise more awareness in the public consciousnesses."
The U.S. Department of Veterans Affairs confirmed May 22 that records for every veteran discharged from the military since 1975 were stolen from the home of an agency employee. The records contained the names, Social Security numbers and dates of birth of the veterans and some spouses.
Mounting pressure on Congress
It remains to be seen if the Veterans Affairs data theft will push the issue of data security any further into the mainstream than earlier incidents at companies like ChoicePoint Inc. and CardSystems Solutions Inc., said Gerry Gebel, senior analyst for Midvale, Utah-based research firm Burton Group.
He said the incident shows that industry and government entities continue to struggle with data security and that pressure for congressional action will only intensify.
Several data loss notification bills similar to those that have been passed in a number of states are floating through the halls of Congress. Those interviewed said the Veterans Affairs data theft incident may be the catalyst that forces Capitol Hill to pass a law this year.
"This will certainly add fuel to the fire calling for more federal legislation," Gebel said in an email exchange. "In situations like the VA data spill, it's not a single jurisdiction issue, since veterans from all 50 states are represented in the stolen data file. So I think the argument could be made for federal legislation that covers this scenario."
There were signs on Capitol Hill Thursday that fuel had indeed been added to the fire. The House Judiciary Committee approved a bill mandating that companies notify customers when there's a security breach. Critics though are already complaining, according to media reports, that the so-called (.pdf) Data Accountability and Trust Act (DATA) isn't as tough on government agencies as it is on private businesses.
Poll shows shaken confidence
Whatever comes of the DATA bill, Kurtz said Congress will face increasing public pressure to pass something. He said his organization's latest semiannual poll of 1,150 adults measuring the country's security confidence showed that people were already preoccupied with data fraud before the VA incident. Respondents also suggested for the first time that the mounting data thefts are shaking their confidence in the Internet and that there may be political consequences, he said.
Among the survey results:
"The significance of this survey is simple: There are consequences to continued inaction," Kurtz said. "Half of Americans are too afraid to shop online because they just aren't confident that they are protected."
Was the VA too lax?
As security experts ponder the future ramifications of the Veterans Affairs data theft, some are still trying to make sense of what went wrong at the agency. Glenn Hill, IT security manager for Northeastern University in Boston, said it's too soon to pass judgment on the agency.
"While we'd like to think that removal of sensitive information from workplaces is tightly controlled, the fact is that information can be moved using a variety of methods and media where successful detection may come down to implementation of costly, intrusive and time-consuming [measures] that are impractical and unacceptable to both organizations and their employees," he said in an e-mail exchange.
Asked if the VA employee should have been allowed to take such sensitive data home, Hill said that in today's fast-paced workplaces, "these interests often take their place in a context of expediency, which can imply that some parts of the work may need to be undertaken offsite; often at home."
He said Northeastern's practices reflect this reality. "What becomes essential in these situations," Hill said, "is to ensure that temporary custodians of sensitive information understand the value and sensitivity of the data they carry, and that they are well-informed of the options and recommendations for safeguarding information in their custody, be it at the office or offsite."
All the interviewees agreed that it remains to be seen if the VA employee had that understanding.