Congress approves new safeguards for VA data
Marine Corps Times, Washington, D.C.
A bill setting new requirements for how the Department of Veterans Affairs should handle data security breaches was approved by Congress early Saturday, although the VA’s technology chief said Monday that he does not expect any more serious losses of personal information.
Included in a larger omnibus veterans’ bill passed by Congress is the VA Information Security Enhancement Act of 2006, the congressional response to the temporary loss last year of records of more than 26 million veterans and service members.
The Bush administration had opposed the data security legislation, but Rep. Steve Buyer, R-Ind., the House Veterans’ Affairs Committee chairman, insisted on its inclusion in the final compromise bill.
Buyer accepted one major change from the initial bill that he had been pushing. He wanted to create a new VA undersecretary position to oversee information technology, something the White House’s Office of Management and Budget opposed. When most of his other ideas, including putting current policies and responsibilities into law, were accepted as part of the compromise, Buyer ended up accepting a slightly lower-profile assistant secretary as the person in charge of information technology for VA.
Under the provisions, a new information security program would be established that includes periodic risk assessments of how much damage would be caused if data kept by VA was lost or stolen.
In May, when a laptop computer with data on millions of veterans and service members was stolen from the home of a VA employee, widespread identity theft became a very real possibility. VA had begun drawing up plans to provide credit monitoring services at government expense when the information was recovered by law enforcement agencies, and the FBI announced it did not believe any of the information had been compromised.
The bill does not demand an ironclad security system but instead requires the development of programs that will provide a cost-effective way of reducing risks “to an acceptable level.” Assessments would have to be done on each separate information system within VA.
Annual security awareness training also is required under the bill for all VA employees, contractors or anyone else allowed access to sensitive VA records.
If information is lost, stolen or misplaced, the bill sets procedures for VA to follow. Within 180 days, VA is required to have policies to perform an immediate risk analysis for any loss of personal data. If there is potential for the information to be used to steal a veteran’s identity, VA must provide credit protection services, including monitoring credit for individuals and data mining to determine if lost data is being misused.
VA’s assistant secretary for information and technology, retired Army Maj. Gen. Robert Howard, said Monday he is “pretty confident” there would not be another large security breach at VA.
According to a report from the International Data Group News Service, Howard said in a speech before the industry advisory council of the American Council for Technology that the VA has improved its security.
“No more excuses,” he said, according to the report. “We have got everything we need — we have got the organization, we have got the authority, we have got the money. We still have a lot of work to do in that area, but we’ve clearly improved the awareness of folks with respect to treating information the same way they’d want their information treated.”