There's No Security Like Reactive Security
from the a-little-late dept
After a laptop with the personal information of millions of veterans and military personnel was stolen from a Department of Veterans Affairs employee, the agency's decided it would be a good idea to go ahead and recall all its laptops so their security software can be reviewed. The recall will be part of a "Security Awareness Week" announced by the department's secretary in the wake of the event, along with his call for strengthened federal penalties for individuals found to be negligent in their handling of personal information, adding that the department is in the process of firing the employee whose laptop was stolen from their home. While trying to make employees take more personal responsibility and making them realize they have a vital role in security would be beneficial, it seems a little misguided to make employees accept so much responsibility when their employers don't really have to worry about the repercussions of poor security. While the head of the VA's call for increased security and his intention to beef up are laudable, it's of little comfort to the 26.5 million people whose personal information was stolen. The guy calls this theft "the hundred-year storm" of data leaks, but the scale really isn't important, particularly to the people whose info gets lifted. It's almost as if he's saying if only 100 or 1,000 people's data were leaked, it wouldn't really matter, which is a completely irresponsible attitude -- or perhaps a lesson to thieves. Keep it small, and nobody will care. There have been enough previous data leaks that companies and government agencies should be well aware of the problem, and not waiting for it to break some random threshold before they decide to improve their security.
Reader Comments
Theft?
slightly more than you think...
How nice to have reactive security.
as a vet myself
Re: as a vet myself
There needs to be a cleaning of the house for VA IT Department and get some people in there who know what they are doing! THIS PUNISHMENT WILL NOT STOP STUPIDITY!
Employee
Not saying the VA processes need work, just that "it seems a little misguided to make employees accept so much responsibility" is not fair in this context. If I am not supposed to have data and it is stolen that seriously compounds the first problem.
Re: Employee
There's currently little incentive for businesses or governmental bodies to tighten up security, because the standard of what's responsible action is so low, and the punishment they receive should they leak data is nothing more than a slap on the wrist. Given that, I think that putting all of the onus on employees, instead of also forcing their employers to beef up policies and security measures, is a half-cocked solution.
I have a brilliant security idea!!
Ugh...
Re: Ugh...
I'm afraid your best bet is to ask the VA directly. Although the position implied by their FAQs is "watch your credit report, and if your identity is ever stolen, then you'll know."
FAQ pages:
http://www.firstgov.gov/veteransinfo.shtml
http://www1.va.gov/opa/data/data.asp
Missing links
The Va Really Is
Identity Theft Responsibility
VA employee clearances
Get Real & Take Ownership People
I am a reservist as well and I received the notification letter from the regarding theft of the information and since I also work for a Bank as an Information Security Analyst, I hope that I have taken the corrective measures to protect myself from ID theft.
All I know is that there is no use in B*tching about this subject anymore, however I do not feel that punishing the ONE guy for his obviously stupid act is going to solve anything! This person was allowed to do what he did because of poor leadership and that leadership’s inability to understand information security as a serious matter. Nevertheless, as with most people I have met in the corporate world, there is nothing wrong with a poor information security policy until there is a major problem. It is just a matter of time before poor security measures are exploited or violated so instead of standing there waiting for that disaster to happen, get some proactive solutions in place. ING just learned that lesson as well with the theft of a laptop. Start asking your bank and credit unions how safe their laptops are and be demanding about it, because it is so easy to steal information that it is not even funny.
I have found that if your job is office or business concern and not information technology related, your knowledge of data theft is going to be minimal, so in that situation the responsibility to make your data safe is totally up to your Information Technology department and information security policies. Read your company's Information Security Policies and obey them! They are there for a reason, to protect your customers, who just happen to be the reason you even got a job and get a paycheck!