A word (or two) from Senator Santorum

Never in a million years would I have thought that sending a flaming email of malcontent to a US Senator would yield a response. Never mind a response which was actually articulated to that email, indicating that someone in Senator Santorum's office read it.

This is in response to the VA idiots letting my personal data get stolen on a laptop from a less-than-intelligent analyst who took home 26 million records. Anyway, I'm not going to go into the email, I'm just going to let it speak for itself:

Dear Mr. DeCoster:

Thank you for contacting me regarding the recent theft of personal information from the Department of Veterans Affairs (VA). I appreciate hearing from you and I share your frustration with this serious breach of security.

As you may be aware, the Department of Veterans Affairs recently learned that an employee, a data analyst, took home electronic data from the VA. This action was in violation of VA policy. The data contained the identifying information, such as the names, Social Security numbers, and dates of birth for 26.5 million veterans and some spouses. In addition, some disability ratings were included in the data. The employee’s home was subsequently burglarized and this personal data was stolen.

I am extremely upset that the personal information of millions of veterans has been stolen from a VA employee. As such, on May 23, 2006 I wrote to the Inspector General of the VA, George J. Opfer, regarding this breach of security that occurred within the VA. In the letter, I urged General Opfer to work to ensure that veterans are properly notified of any safety measures they can take to protect themselves from misuse of their personal information. In addition, I strongly recommended that the VA take steps to improve its security policies to ensure that this never happens again.

I recently received a response to my letter from General Opfer which stated that the VA is aggressively working on several issues related to this matter. General Opfer informed me that the VA is pursuing a criminal investigation, an administrative investigation, and a review of VA policies and procedures for using and protecting private data.

Since the incident, the data analyst who took home the electronic data from the VA has been notified of his impending termination. Additionally, VA Deputy Assistant Secretary for Policy Michael H. McLendon recently submitted his resignation, and Acting Assistant Secretary for Policy and Planning, Dennis M. Duffy, was placed on administrative leave.

Secretary of the VA, Jim Nicholson, has also directed all VA employees to complete the annual "VA Cyber Security Awareness Training Course" and complete the separate "General Employee Privacy Awareness Course" by June 30, 2006; ordered all VA staff to annually sign an Employee Statement of Commitment and Understanding that will describe the consequences of non-compliance; and directed the Department to immediately conduct an inventory of all current positions requiring access to sensitive information to perform their duties, and that employees in those positions undergo updated background investigations.

As you note, Senator John Kerry of Massachusetts introduced S. 2970, the Veterans Identity Protection Act of 2006. This bill would require the Secretary of Veterans Affairs to provide free credit monitoring and credit reports for veterans and others affected by the theft of veterans’ personal data, to ensure that such persons are appropriately notified of such thefts. Please be aware that S. 2970 has been referred to the Senate Committee on Veterans’ Affairs for further review and consideration. Should this bill come before the full Senate for a vote, I will be sure to keep your views in mind.

Like you, I am absolutely puzzled that a VA employee was simply able to walk out of the VA with the personal data of veterans. We must do everything in our power to protect from crime those veterans whose information was stolen.

Thank you again for contacting me. Please know that I will continue to aggressively monitor the VA’s investigation and safeguarding measures to ensure that this never happens again. If I can be of additional assistance in the future, please do not hesitate to call on me again.

Sincerely,

Rick Santorum
United States Senate

2 thoughts on “A word (or two) from Senator Santorum”

  1. The solution is simple, it’s called TrueCrypt (http://www.truecrypt.org/). If organizations would use this open-source encryption technology to store sensitive data they would never have this problem. Well, that isn’t entirely true as some bonehead would still be able to save the data to a non-encrypted source, but if the policies were in place this could drastically reduce the chance.

    Main Features:
    * Creates a virtual encrypted disk within a file and mounts it as a real disk.

    * Encrypts an entire hard disk partition or a device, such as USB flash drive.

    * Encryption is automatic, real-time (on-the-fly) and transparent.

    * Provides two levels of plausible deniability, in case an adversary forces you to reveal the password:

    1) Hidden volume (steganography – more information may be found here).

    2) No TrueCrypt volume can be identified (volumes cannot be distinguished from random data).

    * Encryption algorithms: AES-256, Blowfish (448-bit key), CAST5, Serpent, Triple DES, and Twofish.

    * Mode of operation: LRW (CBC supported as legacy).

    Damn, this post now looks like comment spam! 🙂

  2. Must not be though, since if it twer comment spam, the elite code monkeys would have flagged it, edited it, sent it back to you 5,000 times for the next 42 days, then deleted it.

    Even basic encryption would have stymied the casual thief, so it wouldn’t have been an issue. Unless of course, this idiot, and the one in DC recently, were paid to have these laptops “stolen”, then that brings in a whole other issue….
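Both comments make the same point: the stolen laptop would have been worthless to the thief if the records file had been encrypted at rest. The Go program below is an added example, not code from this post, its commenters, or TrueCrypt, showing the property the first comment attributes to TrueCrypt volumes: an AES-256-GCM blob that looks like random bytes, opens only with the right key, and yields nothing at all if it is modified. The record lines are constructed fake data, and the function names (NewKey, EncryptRecords, DecryptRecords) are the example's own. Key handling is deliberately simplified: NewKey draws a random key that in practice would be derived from a passphrase or held on a token, never saved next to the file. The second comment's caveat still stands; no cipher helps if someone copies the plaintext to an unencrypted drive, which is a policy problem rather than a cryptographic one.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample in the shape the letter describes (name, SSN, date
// of birth). These are fake records, not real data.
var sampleRecords = []byte("Doe,John,123-45-6789,1950-01-01\nRoe,Jane,987-65-4321,1962-07-15\n")

// NewKey returns a fresh random 256-bit key for AES-256. In a real
// deployment the key would come from a passphrase KDF or a hardware
// token; here it is random so the example runs stand-alone.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptRecords seals plaintext with AES-256-GCM. The blob layout is
// nonce || ciphertext || tag. With a random nonce and no header, the
// whole blob is indistinguishable from random bytes, so a thief who
// copies the file learns nothing from it, not even that it is a database.
func EncryptRecords(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce, giving nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptRecords opens a blob produced by EncryptRecords. A wrong key,
// a truncated blob, or any flipped bit fails GCM authentication and
// returns an error instead of garbage plaintext.
func DecryptRecords(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := EncryptRecords(key, sampleRecords)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d plaintext bytes -> %d-byte blob, first bytes %x...\n",
		len(sampleRecords), len(blob), blob[:8])

	// The thief's view: no key, and a guessed key fails outright.
	wrongKey, _ := NewKey()
	if _, err := DecryptRecords(wrongKey, blob); err != nil {
		fmt.Println("wrong key:", err)
	}
	// Tampering is detected, not silently decrypted.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := DecryptRecords(key, tampered); err != nil {
		fmt.Println("tampered blob:", err)
	}
	// The legitimate holder of the key gets the records back.
	pt, err := DecryptRecords(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Print(string(pt))
}
```

The blob is 28 bytes longer than the plaintext (12-byte nonce plus 16-byte tag) and nothing else; there is no magic number or version field to tell a thief what the file is, which is the "cannot be distinguished from random data" property listed above. GCM is used here in place of TrueCrypt's LRW because a stored-file example should also detect modification, not just hide contents.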
