HoodaThunk?

By now most of us are aware of the VA had an employee who took a laptop home that contained thousands of veterans’ personal data on it and had it subsequently stolen. The flap is huge because virtually everything was on there – social security, dates and places of birth, etc. The VA started dismissal of that employee and left most of us with the impression that he had violated policy in taking the stuff home.

Turns out now that he might have been granted permission to do so.

 According to internal documents obtained by The Associated Press, the VA data analyst faulted for losing personal data for up to 26.5 million veterans had the department’s approval to access millions of Social Security numbers on a laptop from home.

The documents show that the data analyst, whose name was being withheld, had approval as early as Sept. 5, 2002, to use special software at home that was designed to manipulate large amounts of data.

A separate agreement, dated Feb. 5, 2002, from the office of the assistant secretary for policy and planning, allowed the worker to access Social Security numbers for millions of veterans.

A third document, also issued in 2002, gave the analyst permission to take a laptop computer and accessories for work outside of the VA building.

The story goes on to quote VA officials who say this analyst violated procedure by taking the data home. If the documents discovered are accurate (and authentic, let us not forget) then the violation of policy was performed by the person who provided the permission slips, not the analyst. That doesn’t excuse the analyst from his responsibility for handling the data properly, i.e. making sure the data files aren’t simply left open while he’s not actively working on it, ensuring that the laptop was powered down or at the very least locked when he wasn’t using it, and that he left the unit in a location he could reasonably expect was secure. The mere act of taking the laptop home, however, appears to have had the sanction of VA officials and that would mean that the theft doesn’t automatically equate with a screw-up on his part.

If the documents hold up then the person who made those approvals is the screw-up and should be fired in a very public way. I can understand completely that the analyst might want to work on that stuff at home or at least have the ability to do so. There are several ways to allow this without having that data stored on a mobile device that’s taken outside of the secure facility. The VA knows better, I know for a fact. They had better get their shit together as of yesterday and put the systems in place that don’t require the carriage of veterans’ private data outside the secure walls of their data center.