Six years ago, the Department of Veterans Affairs was at the center of one of the biggest data breaches in government history when an employee lost a laptop containing 26 million veterans’ records. But as of this year, VA officials say data is safe even when computers go missing.
In an organization as big as VA, quite a few laptop and even desktop computers still wind up stolen or otherwise missing every month even after the firestorm of controversy the department endured several years ago. In the department’s monthly data breach report to Congress for June, VA reported 13 laptops disappeared. But the difference between now and 2006: all 13 of them had their hard drives completely encrypted. As of March 31, VA required all laptops to be protected by hard drive encryption, and the department has verified that 99 percent of them indeed are, said Roger Baker, VA’s assistant secretary in the Office of Information and Technology and the chief information officer.
“On the report that goes to the secretary every morning, we see missing laptops on a regular basis. You can imagine the level of relief that a CIO has when every one of them says, ‘but the laptop was encrypted,’” he said during his monthly briefing with reporters Thursday. “Because in our world that means it’s not the CIO’s problem anymore. And from a cost standpoint, we’re now talking about the loss of something that costs about $1,000 versus something that’s going to cost us a lot of money to identify any information that might have been on it and anybody who might have been affected.”
In the 2006 case, more than 26 million veterans were affected. The department eventually agreed to pay $20 million to compensate victims of identity theft.
Baker said almost as important as the fact that VA requires laptops to be encrypted by policy is the fact that the department also put tools in place to verify that they actually are.
“That enables us to see exactly what software is running and what’s going on in every laptop and desktop in our organization,” he said. “With those visibility tools, you can get a lot closer to absolute statements than you can by doing data calls and having to trust what you get out of 210 organizations.”
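The distinction Baker draws, between a policy that says laptops must be encrypted and tooling that verifies each one actually is, is the part a security team has to operationalize. The following script is an added example, not VA's code or any product the article names: it consumes a constructed endpoint-agent export (the field names loosely mirror what a BitLocker-style agent reports, but the agent, schema and all sample hostnames are assumptions), counts a device as protected only when the disk is fully encrypted, the key protectors are enforcing, and the evidence is recent, and then triages a list of lost devices into "protected", "unprotected" or "unknown" so that a loss can be judged the way the article describes.

```python
"""Fleet encryption verification and lost-device triage (added example).

Not VA's tooling. The report schema and sample data below are constructed;
the three fields follow the shape a BitLocker-style agent exposes (volume
state, whether protectors are enforcing, and freshness of the report).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class EndpointReport:
    hostname: str
    volume_status: str      # "FullyEncrypted", "EncryptionInProgress", "FullyDecrypted"
    protection_status: str  # "On" = key protectors enforcing; "Off" = suspended or absent
    last_seen_days: int     # days since the visibility tool last heard from the device


def is_protected(r: EndpointReport, max_stale_days: int = 7) -> bool:
    """Count a device as protected only if ALL three hold: the volume is fully
    encrypted, protectors are actually enforcing (a suspended-protector disk is
    readable), and the report is fresh enough to be trusted."""
    return (r.volume_status == "FullyEncrypted"
            and r.protection_status == "On"
            and r.last_seen_days <= max_stale_days)


def compliance_summary(reports: list[EndpointReport]) -> dict:
    """Verified compliance figure, plus the hosts that need remediation.
    This is the 'visibility tool' number, not a self-reported data call."""
    noncompliant = [r.hostname for r in reports if not is_protected(r)]
    protected = len(reports) - len(noncompliant)
    percent = round(100.0 * protected / len(reports), 1) if reports else 0.0
    return {"total": len(reports), "protected": protected,
            "percent": percent, "noncompliant": noncompliant}


def triage_lost_devices(reports: list[EndpointReport], lost: list[str],
                        max_stale_days: int = 7) -> dict[str, str]:
    """For each lost hostname: 'protected' if fresh evidence shows full
    encryption with protectors on, 'unprotected' if fresh evidence shows
    otherwise, 'unknown' if there is no report or it is too old to rely on."""
    by_host = {r.hostname: r for r in reports}
    result = {}
    for host in lost:
        r = by_host.get(host)
        if r is None or r.last_seen_days > max_stale_days:
            result[host] = "unknown"
        elif is_protected(r, max_stale_days):
            result[host] = "protected"
        else:
            result[host] = "unprotected"
    return result


def requires_breach_review(triage: dict[str, str]) -> list[str]:
    """Anything not positively verified as protected goes to breach review;
    'unknown' is treated as a potential breach, not as a pass."""
    return sorted(h for h, status in triage.items() if status != "protected")


# Constructed sample export; hostnames and states are made up for illustration.
SAMPLE_REPORTS = [
    EndpointReport("VA-LT-0001", "FullyEncrypted", "On", 1),
    EndpointReport("VA-LT-0002", "FullyEncrypted", "On", 0),
    EndpointReport("VA-LT-0003", "FullyEncrypted", "Off", 2),   # protectors suspended
    EndpointReport("VA-LT-0004", "EncryptionInProgress", "On", 0),
    EndpointReport("VA-LT-0005", "FullyEncrypted", "On", 3),
    EndpointReport("VA-DT-0006", "FullyEncrypted", "On", 5),
    EndpointReport("VA-LT-0007", "FullyEncrypted", "On", 45),   # stale evidence
    EndpointReport("VA-LT-0008", "FullyEncrypted", "On", 6),
    EndpointReport("VA-DT-0009", "FullyEncrypted", "On", 2),
    EndpointReport("VA-LT-0010", "FullyEncrypted", "On", 1),
]

# Constructed monthly lost-device list; VA-LT-9999 has no report at all.
LOST_DEVICES = ["VA-LT-0001", "VA-LT-0003", "VA-LT-0007", "VA-LT-9999"]


if __name__ == "__main__":
    summary = compliance_summary(SAMPLE_REPORTS)
    print(f"{summary['protected']}/{summary['total']} verified protected "
          f"({summary['percent']}%); remediate: {summary['noncompliant']}")
    triage = triage_lost_devices(SAMPLE_REPORTS, LOST_DEVICES)
    for host, status in triage.items():
        print(f"{host}: {status}")
    print("breach review needed for:", requires_breach_review(triage))
```

The two checks that usually separate a paper policy from a verified one are visible in `is_protected`: a volume can report as fully encrypted while its protectors are suspended, which leaves it readable, and a report that is weeks old says nothing about the device's state on the day it went missing. Both cases land in the breach-review queue rather than being counted as a pass.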
But VA is still coming across some laptops that have slipped through the cracks and escaped the encryption requirement. Baker offered one example of what the department refers to as a “near-miss.”
No data was actually breached, but it very well could have been when an unencrypted laptop recently fell out of a vehicle’s trunk that a VA clinician had failed to properly close.
“We knew there would be veterans’ information on that laptop. Luckily, and I mean luckily, a military service member happened to be driving along right after that and picked it up and turned it in,” he said. “That created a lot of excitement, and that’s the reason we’ve focused on encrypting those laptops. We know they’re going to be travelling and we know things are going to be happening to them. There’s just no way of making an absolute assertion that nothing has happened to the information unless they’re encrypted.”
In the end, VA wound up not reporting that missing laptop in its monthly disclosure to Congress because its Data Breach Core Team, an independent, cross-functional review panel that reviews every potential breach incident, determined there was no serious likelihood that the laptop was ever in the hands of anyone besides VA and Defense Department personnel.
“It was a near-miss, and we learn from our near misses. To me, it’s a great example of why that core team is a best practice that VA has frankly had to stand up as a result of our history. But we’ve learned an awful lot from that history,” he said.