Davis Reacts to VA Data Breach Report, Seeks Info From All Cabinet Agencies on Data Breaches

July 13, 2006

Washington, D.C. Chairman Tom Davis today issued the following reaction to the report of the Veterans Affairs Inspector General on the recent data loss suffered by the department:

"Today's report by the Veterans Affairs Inspector General reaffirms our initial concerns that the Department was slow to react to the loss of sensitive personal data, which was taken home by an employee without authorization. The IG found that processing the notification of the stolen data was 'not appropriate or timely,' that information security officials acted with 'indifference and little sense of urgency,' and officials acted with 'indifference and little sense of urgency,' and that current VA policies do not 'adequately protect personal or proprietary data.'

"The IG also noted that the Government Reform Committee's FISMA reports have identified vulnerabilities within VA that remain uncorrected. I am pleased that Secretary Nicholson concurs with the IG report and has pledged to raise the department's FISMA scores from an 'F' to an 'A' and become the government's 'gold standard' for information security.

"The VA was fortunate - the police eventually recovered its stolen data. Not all agencies are so lucky. And we can't go forward hoping for the same good luck in the future. The federal government must become a better steward of sensitive personal information."

That is why Davis and Ranking Member Henry A. Waxman (D-CA) sent letters this week to the heads of all Cabinet agencies, as well as the Office of Personnel Management and the Social Security Administration, seeking detailed information on any "loss or compromise of sensitive personal information held by the federal government" since January 1, 2003.

The text of one such letter, to Agriculture Secretary Mike Johanns, is reprinted below:

Dear Secretary Johanns:

In May, the Department of Veterans Affairs announced that computer equipment containing the personal information of approximately 26.5 million veterans and active duty members of the military was stolen from the home of a VA employee. Since that time, several other agencies including the Social Security Administration, the IRS, and the Department of Health and Human Services have revealed security breaches that impacted thousands more individuals.

In order to develop a full picture of the risks posed by data breaches at federal agencies, we request that you provide the Committee with details about incidents involving the loss or compromise of any sensitive personal information held by the federal government or a contractor that occurred in your Department since January l,

2003. Specifically, we request a brief summary of each incident, including the date, circumstances of the breach, information that was lost or compromised, and the number of individuals impacted.

For each of these instances, please provide documentation regarding the Department's remedial efforts, including any notification made to the individuals whose information was compromised.

We look forward to a response by July 24, 2006.

Sincerely,

Tom Davis
Chairman

Henry A. Waxman
Ranking Member