When data walks

After VA's loss, agencies revisit the job of controlling data, people

By Mary Mosquera, GCN Staff

The recent theft of data on 26.5 million veterans sends agencies a chilling message: Lock down your own data security and privacy policies immediately or you might wind up with confidential data walking out your own door. The Veterans Affairs Department probably is not the only agency whose security and privacy policies have gaping holes, government and industry experts agree.

The Office of Management and Budget said as much in a memo to agencies shortly after VA announced the theft of electronic data late last month.

OMB urged agencies to scrutinize all administrative, technical and physical means to safeguard personally identifiable information, correct any gaps, and remind all employees of their responsibility to protect that information and the penalties for violating the rules.

Federal privacy and security policies are based in large part on the Privacy Act of 1974, the E-Government Act of 2002 and the Federal Information Security Management Act. Agency officials are to detail any corrective actions in their annual FISMA reports.

“Securing private and sensitive information requires constant vigilance. All agencies must continually work to ensure that they are FISMA compliant, and that means training employees to comply with tough security measures,” an OMB spokeswoman said.

Despite its quick reaction to the announcement of the data theft, OMB privacy guidance generally remains vague, said Ari Schwartz, associate director for the Center for Democracy and Technology.

The Government Accountability Office has written time and again that OMB should demonstrate stronger leadership in telling agencies what they need to do, he said.

Clear policies needed

“OMB needs to go back and review general privacy policy, make it more clear, and provide best practices,” Schwartz said.

The credibility of an agency’s privacy and security program depends in large part on employees adhering to policies and procedures. In a decentralized agency such as VA, compliance amounts to supervisors and assistant secretaries vouching for their own adherence; no central office enforces the policies. Even though OMB required agencies to name a chief privacy officer in February 2005, most experts agree that requirement hasn’t made a big difference.

And VA’s experience demonstrates that policies without teeth can’t keep sensitive data safe.

VA secretary Jim Nicholson told lawmakers that employees have not followed some of his predecessors’ directives, “directives that some employees did not interpret as being mandatory or operative to them.” VA reps vowed to tighten data security policies immediately.
