The public was already worried about data security before 26.5 million U.S. veterans were put at risk for identity theft following a recent burglary.
Security experts say this latest incident shows that public and private organizations must do more to protect the information they keep and that Congress must offer stronger guidance.
"This should be a major wake-up call that one small event can have a potentially dramatic impact on millions of lives," said Paul Kurtz, executive director of the Arlington, Va.-based Cyber Security Industry Alliance. "I would think this should raise more awareness in the public consciousnesses."
The U.S. Department of Veterans Affairs confirmed May 22 that records for every veteran discharged from the military since 1975 were stolen from the home of an agency employee. The records contained the names, Social Security numbers and dates of birth of the veterans and some spouses.
Thursday, VA Secretary Jim Nicholson told the House Committee on Veterans Affairs that it could cost taxpayers up to $500 million to prevent and cover potential losses. "As a veteran myself...I am mad as hell," the Reuters news agency quoted him as saying. He also said that the stolen records were not encrypted.
Mounting pressure on Congress
It remains to be seen if the Veterans Affairs data theft will push the issue of data security any further into the mainstream than earlier incidents at companies like ChoicePoint Inc. and CardSystems Solutions Inc., said Gerry Gebel, senior analyst for Midvale, Utah-based research firm Burton Group.
He said the incident shows that industry and government entities continue to struggle with data security and that pressure for congressional action will only intensify.
Several data loss notification bills similar to those that have been passed in a number of states are floating through the halls of Congress. Those interviewed said the Veterans Affairs data theft incident may be the catalyst that forces Capitol Hill to pass a law this year.
"This will certainly add fuel to the fire calling for more federal legislation," Gebel said in an email exchange. "In situations like the VA data spill, it's not a single jurisdiction issue, since veterans from all 50 states are represented in the stolen data file. So I think the argument could be made for federal legislation that covers this scenario."
There were signs on Capitol Hill Thursday that fuel had indeed been added to the fire. The House Judiciary Committee approved a bill mandating that companies notify customers when there's a security breach. Critics though are already complaining, according to media reports, that the so-called (.pdf) Data Accountability and Trust Act (DATA) isn't as tough on government agencies as it is on private businesses.
Poll shows shaken confidence
Whatever comes of the DATA bill, Kurtz said Congress will face increasing public pressure to pass something. He said his organization's latest semiannual poll of 1,150 adults measuring the country's security confidence showed that people were already preoccupied with data fraud before the VA incident. Respondents also suggested for the first time that the mounting data thefts are shaking their confidence in the Internet and that there may be political consequences, he said.
Among the survey results:
- Only 44% of respondents feel their information is safe when engaging in e-commerce.
- 50% avoid making purchases online because they are afraid their financial information will be stolen.
- Only a third (34%) say banking online is as safe as banking in person.
- 94% say identity theft is a serious problem.
- Only 24% say businesses are placing the right emphasis on protecting information systems and networks.
"The significance of this survey is simple: There are consequences to continued inaction," Kurtz said. "Half of Americans are too afraid to shop online because they just aren't confident that they are protected."
For more information
He added that a loss of consumer confidence in cyberspace is a billion-dollar problem and that it's time for Congress to move forward with a national data security bill "that assures Americans they are being protected online."
Was the VA too lax?
As security experts ponder the future ramifications of the Veterans Affairs data theft, some are still trying to make sense of what went wrong at the agency. Glenn Hill, IT security manager for Northeastern University in Boston, said it's too soon to pass judgment on the agency.
"While we'd like to think that removal of sensitive information from workplaces is tightly controlled, the fact is that information can be moved using a variety of methods and media where successful detection may come down to implementation of costly, intrusive and time-consuming [measures] that are impractical and unacceptable to both organizations and their employees," he said in an e-mail exchange.
Asked if the VA employee should have been allowed to take such sensitive data home, Hill said that in today's fast-paced workplaces, "these interests often take their place in a context of expediency, which can imply that some parts of the work may need to be undertaken offsite; often at home."
He said Northeastern's practices reflect this reality. "What becomes essential in these situations," Hill said, "is to ensure that temporary custodians of sensitive information understand the value and sensitivity of the data they carry, and that they are well-informed of the options and recommendations for safeguarding information in their custody, be it at the office or offsite."
All the interviewees agreed that it remains to be seen if the VA employee had that understanding.