Senator Collins’ remarks are all the more remarkable given that, on other occasions over the past year, she and her committee have repeated such phraseology concerning other bureaucratic missteps: those of the former Director of the Federal Emergency Management Agency (FEMA), Michael Brown, during his testimony on Hurricane Katrina recovery efforts, and those raised during hearings regarding the Committee of Foreign Investments in the U.S. (CFIUS) and its approval of the government of Dubai’s purchase of several U.S. ports’ operations without considering the full ramifications or advising members of Congress.
The VA was among eight agencies given a failing grade for computer security practices in 2005 by the GAO. But since 2001 the VA Inspector General’s Office has advised the VA that its information access controls are materially weak, creating substantial risk and serious vulnerabilities which remain uncorrected. Such vulnerabilities are far simpler to correct than one might think: the failure to encrypt files sent electronically or placed on disks, and allowing unauthorized personnel access to information, are among the VA’s security violations. And although federal privacy security policies are based upon the Privacy Act of 1974 and the 2002 Federal Information Security Management Act, with further legislation pending, it remains up to employees to adhere to policies and procedures, no matter how many more are put in place.
Because massive federal agencies are interconnected, diligence in protecting data and computer systems becomes even more necessary. In fact, had the employee who took the laptop not reported the theft, there would have been no way for the VA to know of the breach of information. Yet because each agency has its own data protection policies in place, the differences in practice are wide-ranging. The Senate is looking to centralize such data protections not only within an agency but federally, and to require notification of those whose information has been breached. Such notification is presently required only by a handful of states, and only with respect to the financial industry or data credit brokers.
It is, however, important to note other cases of security breaches within the VA over the past few years. In April 2006 military computers containing personnel records were found being sold at a bazaar outside a U.S. military base in Afghanistan. In September 2005, thieves stole personnel information on deployed soldiers from Fort Carson, CO. Records on more than 560,000 troops, veterans and dependents were stolen in December of 2002 from computers at a healthcare provider located in Arizona. All such data was in unencrypted databases. In addition, military personnel’s physical papers and IDs have been stolen outside of as well as within the VA.