WASHINGTON D.C. COMPUTER THEFT LEADS TO GENERAL COUNSEL LOSS OF JOB
Did the VA Security Leak Lead to the GC's Departure?
Ross Todd
Corporate Counsel
November 27, 2006
One of the biggest data breaches yet may have cost a GC his job. In May a computer belonging to the U.S. Department of Veterans Affairs that contained 26.5 million personal records was stolen. Afterward, several lawmakers suggested that the theft might not have occurred if VA general counsel Tim McClain had allowed the department to develop a centralized computer security policy. According to his congressional critics, two old memos by McClain prevented the VA's chief information officer from keeping a closer rein on the department's equipment.
In July the VA announced that McClain was stepping down to 'return to the private sector.' Though the VA didn't blame McClain for the data breach, some of the department's in-house lawyers speculated that their boss took the fall for the lapse. McClain did not respond to requests for comment for this article. But in an internal memo obtained by The Associated Press, he wrote that he had 'mixed feelings' about his departure.
The breach occurred on May 3, when a laptop and external hard drive containing the names, birthdays and Social Security numbers of millions of veterans were stolen from the home of a VA data analyst. Though unauthorized to do so, the analyst had been bringing the computer home to do work for years. In late June the stolen equipment was handed over to authorities by an informant hoping to collect a $50,000 reward. An FBI analysis of the computer determined that the data had apparently not been accessed.
When the House Veterans' Affairs Committee met on June 22 to look into the incident, some members pointed fingers at McClain. In particular, lawmakers seized on a pair of memos that the GC's office issued -- one in 2003 and one in 2004 -- that effectively blocked the VA from developing a centralized IT policy. According to the memos, which McClain signed, a federal law limited the ability of the VA's chief information officer to enforce computer security. Specifically, the CIO couldn't discipline VA employees for misuse of the department's equipment if they weren't under his direct command.
McClain told committee members that the CIO could have disciplinary power if it was delegated to him by the secretary of the VA. However, McClain admitted in his testimony that he never advised the secretary to do so.
Representative Bob Filner, D-Calif., was one of several lawmakers who blamed McClain for creating a culture that led to the laptop theft. Filner told the GC, "It was your memos that said there couldn't be any centralization [of IT security enforcement]. ... Why shouldn't you be fired for this incredible breach?" McClain replied that the memos were interpretations of federal law, not policy statements.
THE LATEST 'CASUALTY'
McClain, who became the VA's general counsel in 2001, was the fifth official to leave the department in the wake of the theft. In a July 19 e-mail that assistant GC Deborah McCallum sent to the VA's in-house legal staff, which was later obtained by The Washington Post, McCallum complained that McClain appeared "to be the latest 'casualty' of the fallout from the computer theft issue." According to the Post, McCallum sent a follow-up e-mail later that day saying that she had been assured by deputy GC John Thompson "that Tim is not being forced out and in fact the front office is very sorry to see him go."
While McClain was faulted for his interpretation of a federal law that only affects IT policies at government agencies, he also got in trouble for not thinking about data security in a broad enough way. And that's something that could easily trip up GCs in the corporate world, several experts say. If a data breach occurred at their company, general counsel could be blamed for failing to foresee and prepare for such problems.
"GCs have to ask this question: Will it happen on my watch?" says Ruth Hill Bro, a partner at Baker & McKenzie in Chicago. "People are pointing to the general counsel's office whether or not it's right [to blame them]." Bro adds that companies should do a data security assessment to identify vulnerabilities and develop written plans. With 34 different state laws on the books concerning the loss of personal data, and federal legislation in the works, Bro says it's important to follow the trends in legal compliance.
Still, not all consultants agree that information security is the direct responsibility of the general counsel's office. Scott Rosenberg at the law technology consulting firm of Baker Robbins & Company questions whether data safety belongs on the GC's agenda. But even Rosenberg agrees that when a breach occurs, in-house lawyers have to perform damage control. "When it hits the fan, [the GC is] the one that has to do something," Rosenberg says.