Slow news is good news, at least for the Veterans Affairs Department.
More than four years after a massive data breach that put the personal information of 26 million veterans at risk, VA seems to have learned its IT lesson. VA’s assistant secretary for the Office of Information and Technology and chief information officer Roger Baker described his latest data breach report to Congress as “fairly boring.”
Congress passed a law in 2006 mandating VA make weekly reports on all data breaches organization-wide. The law followed the burglary of a laptop that contained private information about millions of veterans. Lawmakers have since changed the reporting requirement to monthly.
“I like the fact that VA is setting the pace on this,” said Baker in a phone press conference Friday. “I like the fact that it helps us with our transparency and our trust with veterans and with the Hill. And I think it would be good if we can remain on this path so that, down the road, when we do have bad things to report, there’s not a question of ‘What are you hiding?’ We’re reporting everything.”
Baker credited the reporting requirement with changing the security environment at VA. He said the organization now has a culture of reporting privacy issues, an emphasis on transparency and an independent data breach quarantine to assess security risks.
The latest report to Congress detailed 10 incidents, including mishandled meal tickets, accounts without passwords and stolen computers.
In one case, the stolen computer was recovered using tracing technology called Computrace. VA tracked the disk, which had been reimaged, and identified the individual who possessed the laptop.
Baker said tracking software comes standard on most equipment, but VA has not implemented a policy of activating the software. He said in cases where no veteran information is compromised, it becomes a matter of the cost of the equipment.
“It is an asset we’ve got if we have a persistent problem,” Baker said. “But in a lot of instances, it probably costs more to license software to track down than the device is worth.”
Baker said even though the reports show a decline in data breaches, he would rather VA continue to over-report than under-report.