There's No Security Like Reactive Security

from the a-little-late dept

After a laptop with the personal information of millions of veterans and military personnel was stolen from a Department of Veterans Affairs employee, the agency's decided it would be a good idea to go ahead and recall all its laptops so their security software can be reviewed. The recall will be part of a "Security Awareness Week" announced by the department's secretary in the wake of the event, along with his call for strengthened federal penalties for individuals found to be negligent in their handling of personal information, adding that the department is in the process of firing the employee whose laptop was stolen from their home. While trying to make employees take more personal responsibility and making them realize they have a vital role in security would be beneficial, it seems a little misguided to make employees accept so much responsibility when their employers don't really have to worry about the repercussions of poor security. While the head of the VA's call for increased security and his intention to beef up are laudable, it's of little comfort to the 26.5 million people whose personal information was stolen. The guy calls this theft "the hundred-year storm" of data leaks, but the scale really isn't important, particularly to the people whose info gets lifted. It's almost as if he's saying if only 100 or 1,000 people's data were leaked, it wouldn't really matter, which is a completely irresponsible attitude -- or perhaps a lesson to thieves. Keep it small, and nobody will care. There have been enough previous data leaks that companies and government agencies should be well aware of the problem, and not waiting for it to break some random threshold before they decide to improve their security.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Some IT Bastard, 9 Jun 2006 @ 10:41am

    Theft?

    I think this employee discovered that they could make more money selling the information they were so cheaply paid to take care of.

    link to this | view in chronology ]

  • identicon
    Nicholas G, 9 Jun 2006 @ 11:06am

    slightly more then you think...

    26.5 million veterans, and 2.2 million active duty... including those currently getting 7.62mm rounds and RPG's hurled at them.

    How nice to have reactive security.

    link to this | view in chronology ]

  • identicon
    drkkgt, 9 Jun 2006 @ 11:28am

    as a vet myself

    I think the management at the VA who were given the security report from the oversight commitee last year should also be fired and fined, along with any middle mangement who reviewed and did the same thing. This one employee, while screwing up big time, was still just following the lead of his bosses in not worrying about security and should be following them out the door via the Seargent Boot Express.

    link to this | view in chronology ]

    • identicon
      Ninja12, 19 Jun 2006 @ 7:59am

      Re: as a vet myself

      That is Right! Why fire just one employee? Sure, He was wrong and deserves the punishment YOUR leader is responsible for your ludicrous actions!

      There needs to be a cleaning of the house for VA IT Department and get some people in there who know what they are doing! THIS PUNISHMENT WILL NOT STOP STUPIDITY!

      link to this | view in chronology ]

  • identicon
    Scott, 9 Jun 2006 @ 11:48am

    Employee

    The employee was not supposed to have that data in the first place, therefore firing the employee is perfectly justifiable.

    Not saying the VA processes need work, just that "it seems a little misguided to make employees accept so much responsibility" is not fair in this context. If I am not supposed to have data and it is stolen that seriously compounds the first problem.

    link to this | view in chronology ]

    • identicon
      Carlo, 9 Jun 2006 @ 12:02pm

      Re: Employee

      Scott, I agree that employees should absolutely be held responsible for stupid personal decisions -- I think you're talking what I said a little out of context. That whole thought was "it seems a little misguided to make employees accept so much responsibility when their employers don't really have to worry about the repercussions of poor security."

      There's currently little incentive for businesses or governmental bodies to tighten up security, because the standard of what's responsible action is so low, and the punishment they receive should they leak data is nothing more than a slap on the wrist. Given that, I think that putting all of the onus on employees, instead of also forcing their employers to beef up policies and security measures, is a half-cocked solution.

      link to this | view in chronology ]

  • identicon
    Comboman, 9 Jun 2006 @ 11:49am

    I have a briliant security idea!!

    I have a briliant security idea, how about letting your employees have a home life instead of forcing them to take work home with them? Leave the computers locked up at work where it's nice a safe.

    link to this | view in chronology ]

  • identicon
    nb109, 9 Jun 2006 @ 12:12pm

    Ugh...

    I JUST got out of the Marine Corps a few months ago, so I'm assuming that my information was amoung the crap that was stolen. Does anyone know of a list I can check to see if I'm included in this nonsense?

    link to this | view in chronology ]

  • identicon
    Petréa Mitchell, 9 Jun 2006 @ 12:43pm

    Missing links

    I notice that they say they're going to scrub all unauthorized data and software off the laptops, but there's nothing there about adding security measures to keep people from filling up their laptops with inappropriate data again....

    link to this | view in chronology ]

  • identicon
    What a Crock of Poo, 9 Jun 2006 @ 2:08pm

    The Va Really Is

    I have two brothers, one who is still active duty US Army, the other who just got out of the Army after serving 2 tours in Iraq. They had no clue about this until I forwared this story to them. I wonder how many other soldiers who are laying their lives on the line are getting their IDs jacked while the VA twiddles their thumbs.

    link to this | view in chronology ]

  • identicon
    STJ, 9 Jun 2006 @ 2:27pm

    It's sad this keeps happening again and again, (IE citibank, sams club) yet there is no one wanting to change anything. The government needs to step in and say for every SSN you loose you will pay $1000. That should start them doing something productive

    link to this | view in chronology ]

  • identicon
    Nicholas G, 10 Jun 2006 @ 1:13am

    Identity Theft Responsibility

    then again, if we [the voting population of america] placed the responsibility of preventing identity theft on the financial institutions (i.e. if you allow a thief to acquire a credit card on someone elses credit, you [the institution] are financialy responsible for repairing the damage) there would be little to no identy theft.

    link to this | view in chronology ]

  • identicon
    Con Parant, 10 Jun 2006 @ 8:18am

    VA employee clearances

    I am even more surprised that the VA is just now considering an NACI/MBI background check a requirement for employees accessing sensitive data. Only an NACI/MBI? That is about as thorough as applying for a grocery store checkcard. Relative to trusting a low-paying worker, they should require a higher level of background checks for any employee handling sensitive or personal data.

    link to this | view in chronology ]

  • identicon
    Ninja12, 19 Jun 2006 @ 9:29am

    Get Real & Take Ownership People

    The cost of encrypting the hard disk on the laptops the VA has, would have been much less than the current cost of trying to recover from this fiasco!

    I am a reservist as well and I receive the notification letter from the regarding theft of the information and since I also work for a Bank as an Information Security Analyst, I hope that I have taken the corrective measures to protect myself from ID theft.

    All I know is that there is no use in B*tching about this subject anymore, however I do not feel that punishing the ONE guy for his obviously stupid act is going to solve anything! This person was allowed to do what he did because of poor leadership and that leadership’s inability to understand information security as a serious matter. Nevertheless, as with most people I have met in the corporate world, there is nothing wrong with a poor information security policy until there is a major problem. It is just a matter of time before poor security measures are exploited or violated so instead of standing there waiting for that disaster to happen, get some proactive solutions in place. ING just learned that lesson as well with the theft of a laptop. Starts asking your bank and credit unions how safe their laptops are and be demanding about it, because it is so easy to steal information that it is not even funny.

    I have found that if your job is office or business concern and not information technology related, your knowledge of data theft is going to be minimal, so in that situation the responsibility to make your data safe is totally up to your Information Technology department and information security policies. Read your companies Information Security Policies and obey them! They are there for a reason, to protect your customers, who just happen to be the reason you even got a job and get a paycheck!

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.