Minding the Government’s Personal Data Stores

Although the Department of Veterans Affairs may be able to relax slightly now that the laptop containing sensitive information on millions of veterans and military personnel has been recovered, the incident highlights the role government plays in ensuring data security.

“It is a hot political issue because the lawmakers want to be seen as protecting their constituents,” Randy Sabett, a Washington, D.C.-based attorney who serves as special counsel in the Information Security and Cybercrime group at Cooley Godward, told the E-Commerce Times. “The government’s role is to respond to the pressure that’s been building, but it needs to be tempered by [flexibility].”

Breaches like the VA incident and others that have made national headlines recently are not new. However, organizations may not have been compelled to make the thefts public in the past. “It makes you wonder how much personal data has been lost and stolen that we don’t know about,” Simon Robison, industry analyst and sector head of storage at The 451 Group, told the E-Commerce Times. “These disclosure laws are the core drivers of increased media reporting.”

Protecting Personal Information

Regardless of the reason behind the openness, identity theft remains a huge concern, especially when it comes to highly personal information such as names, Social Security numbers and dates of birth. “It’s relatively easy to change your bank account number, but much harder to change your name or Social Security number,” Robinson said.

The perceived threat looming from the May 3 burglary of the laptop from a VA employee’s home serves as an example of why Social Security numbers can no longer be considered reliable proof of individual identity, according to Avivah Litan, vice president and distinguished analyst at Gartner, who testified at the oversight hearings for the Committee on Veterans Affairs regarding this particular incident.

On June 29, Veterans Affairs Secretary Jim Nicholson said there were no reports of identity theft connected with the data in the stolen laptop. Nevertheless, the fact that the information was taken out of a safe place and could have been compromised emphasizes the importance of multiple layers of protection.

“There need to be administrative, technical and physical controls. You can’t have security without all three of these. The question is at what level do you need them,” Sabett said. “What type of information you have and what types of threat you’re exposed to will determine what constitutes reasonable security. On the other hand, any business connected to the Internet is going to have potential exposure and should put particular procedures in place.”

Documentation shows the VA employee blamed for losing the laptop had received permission to work from home with the personal data, according to press reports, so the administrative and physical rules were technically being followed. That’s when the third — and arguably most important — layer of protection comes into play.

“The proper response is not fear, but rather for institutions to implement some basic precautions, including limiting the type and quantity of data that employees can download to laptops and, in all cases, encrypting any sensitive data that is downloaded,” Robert Seliger, the CEO of Sentillion, who also testified before Congress following the VA incident, told the E-Commerce Times.

“Selecting the right information security measures is conceptually no different than selecting the right physical security measures,” he explained. “The amount of security required to protect data depends upon the value of the data and the amount of time that it will be valuable for.”

Weighing Costs

Information like Social Security numbers that could be of value for several years must be protected using mechanisms that would take years to circumvent. “One measure of the strength of encryption algorithms is how long they might take to break using a brute force approach,” Seliger said.

Price remains one of the biggest inhibitors to companies investing in the technological side of security. When arguing for their proposed budget, security managers should point out that data protection is by far less costly than data breaches, Litan suggested.

A company with at least 10,000 accounts to protect can spend as little as US$6 per customer account for data encryption in the first year — or as much as $16 when combining host-based intrusion prevention systems and strong security audits, according to Litan. This compares with at least $90 per customer account when data is compromised.

“In some ways, the VA was lucky with the recent theft in that it was an old-fashioned robbery. A truly electronic theft would have been far more alarming,” Seliger said.

“This does not mean that the VA and other organizations don’t need to implement the proper precautions,” he continued. “It does mean that we can all at least be thoughtful in terms of the precautions that are selected in order to find the right balance between protection to keep out the bad guys and the ability to support the appropriate flow of information so that the good guys … can do their jobs.”