VA’s M.I.A. Laptop Is Rescued — Now What?

The Department of Veterans Affairs said late this week that it recovered the now-infamous laptop that contained critical data on 26.5 million veterans and other military personnel. Some of the sordid details of the laptop’s recovery have been revealed, but what remains floating in the incident’s wake are a lot of questions. Like, who stole it, how was it recovered, why isn’t anyone in police custody for stealing it, and was Chuck Norris in any way involved in the rescue mission? (One can only hope.)

Now comes the “good news / bad news” part of this saga.

Good News: It’s good that they found the laptop (especially considering that 82 percent of laptops that are lost or stolen are never recovered — according to mobile security vendor Credant Technologies). It’s good that the VA’s claiming that the data appears untouched (says the FBI) and there have been no reports of ID theft among the 26.5 million Veterans whose Social Security numbers were on that laptop (that would be a really bad group of Americans to screw over — “Thanks for serving our country and possibly getting yourself killed for the good of our nation…. And, oh, so sorry about your liquidated bank accounts, bogus credit-card charges and bad credit rating for the rest of your life. God Bless America, and have a great July 4th!). And, finally, it’s good that the VA chief said they will use this incident to fix the “deficiencies” in how they handle the veterans’ personal data.

Bad News: Now they’re actually going to have to fix the deficiencies.

Though this data loss had the potential to have been catastrophic, the VA certainly is not alone in its laptop-loss transgressions. Just last week, two laptops were stolen from a locked car belonging to an analyst who worked for the Federal Trade Commission. On the laptop was more than just the standard fare of your typical laptop theft and possible data breach, however. Included in the data were individuals’ names, addresses, Social Security numbers, birth dates and, in some cases, financial account numbers, the FTC said. There have so many similar incidents in both the public and private sector during past two years, it’s getting hard to keep track.

Jim Nicholson, the Veterans Affairs Secretary, said that “we have to remain hopeful [that the veterans’ personal information has] not been compromised.” Wait. So now we’re accepting “we hope nothing bad will go wrong” as a legitimate info-security strategy and action plan? I hope not. It’s also interesting to note that on Friday news broke that the VA was now revealing two other data breaches in the past, and that its CISO submitted his resignation.

A legitimate and broader question, though, is what’s it going to take to stop more of these incidents from happening? In past articles, I’ve written about controlling the proliferation of mobile devices inside your company and creating enforceable security policies for corporate-owned devices. A policy, which has some bite to it, is a start.

Here’s the rub for IT and infosec folks, though. The potential for blunders such as these are only going to increase as workers demand more mobile computing options, and IT loads more data and corporate information onto those devices. A Forrester Research mobility report that came out in March said that right behind the number-one mobility challenge (security) was keeping pace with end-user demand. In turn, Forrester found that companies are adopting mobility devices faster than they had planned. And you know what that can mean? A shaky, chaotic mobile device management “policy” along the lines of, “Give ‘em what they (meaning, users) want right now, and we (meaning, IT folks) will take care of provisioning questions, security fine-tuning and policy enforcement later (meaning, never).” And that’s not a good plan.

What do you think about all of this? And how are you managing mobility issues inside your company? Let me know.