Lessons for the Private Sector From Data Theft at the VA

The loss of personal data on an estimated 26.5 million U.S. military veterans, up to 2.2 million current service members and an unquantified number of spouses continues to generate public controversy. It also provides lessons for how the private sector could prevent and respond to the loss of personal information.

The data loss originated from a Veterans Administration (VA) employee who took home a laptop with an external hard drive. Both devices were stolen after the employee’s home was burglarized on May 3. The VA waited for three weeks before publicly disclosing the theft. Then on June 6, it announced that in addition to information on veterans, the lost data included information on an estimated 1.1 million active duty service members, 430,000 members of the National Guard and 645,000 members of the Reserves.

Included in the stolen data were the essential ingredients for identity theft: names, dates of birth and Social Security numbers. It included some disability information, but no medical records. Some spouse information was included, especially if a veteran supplied it in making an application for benefits from the VA.

Finding Affected Persons

The VA case illustrates the challenges involved in finding affected persons to notify them about the loss of their personal data. The process of notifying more than 26 million individuals is complicated by the fact that Americans often move repeatedly, often share the exact same name with other individuals in the same geographical area, and can use different forms of their name at different points in their lives.

Changes in marital status complicate the process of notifying some individuals through the original veteran spouse. Breakdowns in communication caused by death, divorce or separation opens the possibility that many current and former spouses may never be notified that they are now at an increased risk of identity theft and consequently need to regularly monitor their credit status.

Whereas the Web site set up by the U.S. government to provide news about the VA’s data loss has been claiming that individuals whose data was lost have all been notified, the receipt of notification letters has continued beyond the date of that claim. In a notification letter received shortly before press time, the VA explained how mailing addresses were obtained:

“In accordance with current policy, the Internal Revenue Service has agreed to forward this letter because we do not have current addresses for all affected individuals. The IRS has not disclosed your address or any other tax information to us.”

Skip Tracing

A private company seeking to provide similar notifications will not have access to IRS databases. To find addresses, private companies would need to employ skip tracing services, some of which charge US$100 per person located. Skip tracing is particularly useful when seeking people who have moved since their last known address.

Skip tracing often begins with searches of public and proprietary databases, followed by telephone calls to confirm that an individual has been located. Collections companies usually subscribe to multiple databases for skip tracing and have outbound call center agents that specialize in confirming the identity and contact information of individuals being sought.

The VA is not confirming whether they have reached all affected persons. Two class action lawsuits have been filed against the VA over the data loss, leaving open the possibility that the VA may eventually find itself paying for individual confirmations.

GAO Recommendations

Prior to the current incident, the Government Accountability Office (GAO) repeatedly issued warnings about lax data security at the VA. The GAO is an investigative arm of the U.S. Congress.

The GAO reports that the VA’s response to its security warnings has been incomplete and unfocused. Some members of Congress have attributed the VA’s poor response to a lack of leadership at that agency. In testimony before Congress on June 14, GAO staff recommended that the VA implement its earlier recommendations and that Congress establish data-security-reporting requirements for agencies such as the VA.

The GAO document on the VA’s data loss that is the most relevant to the private sector is the written statement of David M. Walker, Comptroller General of the U.S., published by the GAO as: “Preventing and Responding to Improper Disclosures of Personal Information.” The statement contains Walker’s written testimony delivered to the House Committee on Government Reform on June 8. In his statement, Walker recommended that federal agencies undertake two key steps to reduce the possibility that databases with personal information are compromised:

• Develop a privacy impact assessment — an analysis of how personal information is collected, stored, shared and managed — whenever information technology is used to process personal information. These assessments, required by the E-Government Act of 2002, are a tool for agencies to fully consider the privacy implications of planned systems and data collections before implementation, when it may be easier to make critical adjustments.
• Ensure that a robust information security program is in place, as required by the Federal Information Security Management Act of 2002 (FISMA). Such a program includes periodic risk assessments; security awareness training; security policies, procedures, and practices, as well as tests of their effectiveness; and procedures for addressing deficiencies and for detecting, reporting and responding to security incidents.

Walker also recommended that agencies seek to limit the collection of personal information, limit the time that information is retained, limit access to personal information and using technological controls such as encryption when data is stored on mobile devices. He recommended that information security programs be tested and evaluated periodically. He stressed the importance of training in making security programs successful.

Remedies Not Available for Private Sector Data Leaks

The two class action lawsuits that have been brought against the VA have both been brought under the Federal Privacy Act of 1974, which only applies to data losses from the U.S. government. The Act requires federal government agencies to implement procedures to safeguard personal information.

The Privacy Act sets a minimum damage amount of $1,000 per person, which is the amount being sought in the two class action lawsuits. In the event that one of the suits is successful, the amount owed by the VA could exceed $26 billion. The $1,000 per person could be thought of as compensation for individuals who should now be diligently checking their credit reports.

There is no act corresponding to the Privacy Act covering the release of personal information by private companies. The lack of remedies enables companies to externalize the costs of failing to protect personal information.

One lawsuit has been filed against the VA in the U.S. District Court in Washington, D.C. by Citizen Soldier of New York; the National Gulf War Resource Center of Kansas City, Mo.; Radiated Veterans of America of Carson City, Nev.; Veterans for Peace of St. Louis; and Vietnam Veterans of America of Silver Spring, Md. The other lawsuit has been filed by an activist in Cincinnati.

Lessons From the Offshore Outsourcing Industry

The prospect of data leaks has received greater attention in the offshore outsourcing industry since last year’s discovery that Indian call center agents had gained access to account information of some of Citibank’s U.S. customers and were removing funds from U.S. accounts. The incident was detailed here.

In both Indian and Pakistani call centers, it is increasingly common for writing devices to be banned from call center floors. USB ports on the computers of agents handling personal information may be blocked.

Personal data often resides only on U.S.-based computer servers. Personal data on U.S. individuals can be restricted so that it is accessible offshore only for one U.S. individual at a time, rather than for groups of Americans. The types of data queries available for agents offshore can also be limited. In building and testing databases that will hold protected information, dummy data sets can be used until the database is ready to be locked down and converted to actual use.

One of the main obstacles for both data security and general quality assurance (QA) offshore is that many facilities providing either voice or non-voice business process outsourcing (BPO) services do not have separate quality assurance departments. If they do, these departments may not be independent enough from the personnel being monitored.

Dedicated QA departments provide the best monitoring results and security protections. The QA department needs to be located a healthy distance away from the operations being monitored. The QA monitors should report to top management through a separate chain of command. QA activities can still be performed within a team or section, but this should not be a substitute for a separate QA department.

Training is needed to help all personnel understand how confidential information is defined and how it should be protected. Procedures need to be put in place to segregate and physically control access to confidential information. Most importantly, everyone in an organization needs to take personal responsibility for protecting confidential information. It was this lack of personal responsibility that stands out as one of the biggest failures of the chain of command at the VA.