FORT KNOX, Ky. (Army News Service, Jan. 23, 2007) - Last month, President Bush signed into law the Veterans Benefits Improvement Act of 2006.
In addition to expanding healthcare benefits and setting aside money for new facilities, the bill is an attempt to better secure the personal data of millions of veterans. It also requires the VA to follow specific procedures if such a theft occurs again.
Last May, a laptop containing the names and Social Security numbers of 26.5 million veterans and 2.2 million members currently serving with the National Guard and Reserve were stolen from the home of a VA data analyst.
It was feared that thieves would use the information for identity theft crimes, but that turned out not to be the case. The laptop was eventually recovered, and a subsequent FBI investigation concluded that such information wasn't lifted from the computer's hard drive.
"There is also no indication that the information was accessed," said Phil Budahn, a spokesman for the VA in Washington D.C., during a telephone interview two weeks ago with the "Turret."
"The FBI has ways of looking at a hard drive and telling whether information in a particular file has been opened. We've seen no indication that it had."
Under the new law, the VA will use encryption protection for all data, according to Budahn. The VA will also centralize its management of information technology and security systems.
"We're convinced that the centralization (of the data) will permit us to exert the highest possible standards across the entire agency," Budahn said. "We're about 230,000 people as far as employees. It's the second largest federal agency. To put that all under one office with everyone using form standards and being accountable in the same way is a formidable undertaking."
If such a breach does occur again, the VA is now required to notify those affected so that they may act promptly to prevent or at least minimize damage. The VA must also issue fraud alerts to those affected. A fraud alert is a notice placed on a person's credit report that requires creditors to contact the person before new credit is issued under that name.
The VA must also provide credit-monitoring services to those who've had their information compromised. Companies hired to monitor credit will alert customers when there has been:
New account activity - whenever a new account is opened in the customer's name.
Address change - Thieves opening an account (in the victim's name) are also likely to use a different address. The service will alert customers to such attempts.
Account information changes - If other changes are made to information on the account, such as the amount borrowed, the customer will be notified.
Changes to public records - Customers will also be alerted to any change made to the type of public records that appear on a credit report, such as the status of bankruptcies or legal judgments.
Closed accounts - A customer will be alerted if his or her account has been closed.
Collection accounts - Monitoring services will alert customers if any action is related to collection services.
Inquiries to credit information - A credit-monitoring service will alert the customer if an inquiry is made to the customer's credit file.
The new bill also requires the VA to submit reports to Congress about the breach.
Finally, the VA must provide identity-theft insurance, which reimburses victims for costs incurred in restoring their identity and repairing credit reports.
"We're absolutely committed to what our secretary has called the 'gold standard of information security,'" said Budahn.
"We've dramatically tightened our processes for protecting information since that incident, and it's very important to note that it didn't involve any patient records."