Visible Employee Blog
Jun 13

Written by: Jeff Stanton
6/13/2006 2:14 PM

At latest count over 26 million veterans had their data leaked by an employee who downloaded data onto a laptop, brought the laptop home, and was the unfortunate victim of a burglary in which the laptop was stolen. The records contained a variety of sensitive information including social security numbers.

As a result of this data theft there has been an expected outcry in industry and government circles about the need for greater security. Unfortunately, most of this hubbub focuses on the wrong issues. Polls show that U.S. citizens are concerned about privacy and identity theft, but primarily in the context of online transactions such as eCommerce purchases.

The VA case is a classic failure of behavioral policy within large organizations and has little to do with Internet security or eCommerce security per se. One of the following root causes is at work here:

  1. The VA did not have a policy on bringing home data on laptops.
  2. The VA did have a policy on bringing home data on laptops but it was too vague, too loose, not communicated to employees, or not enforced.
  3. The VA did have an enforced and communicated policy, but this employee did not abide by the policy.

In the case of number 3, we can certainly probe more deeply, but it is likely that the organization is still at least partially at fault, perhaps in failing to supervise or screen employees properly. In all three cases the failure is not primarily technological and is neither Internet-centric nor technology-centric.

In a nutshell: The VA needs better security governance.

Copyright ©2006 Visible Employee Admin

Re: The Veteran's Administration Data Leak

You are bringing up an interesting point elaborating on case number 3 - who should be held accountable when such a security breach happens?

The fact that security policies are not always so well defined in organizations makes it hard for employees in some cases to know what their responsibilities are. This opens the door to more insider threats than if employees knew what their responsibilities were and that they would be held accountable in case something were to happen...

By isabelle on 6/14/2006 6:50 PM

  

Copyright 2006 Jeffrey Stanton and Kathryn Stam