Group items tagged

The Veterans Affairs Department has agreed to pay up to $20 million to veterans for exposing them to possible identity theft in 2006 after losing their sensitive personal information. In court filings Tuesday, lawyers for the VA and the veterans said they had reached agreement to settle the veterans' lawsuit alleging invasion of privacy. The money will be used to pay for veterans who suffered actual harm, such as emotional distress or expenses incurred for credit monitoring. The lawsuit came after a VA data analyst in 2006 admitted that he had lost a laptop and external drive containing the names, birth dates and Social Security numbers of up to 26.5 million veterans and active-duty troops. The laptop was later recovered intact.

Rarely is the response to a new government initiative a unanimous round of "thumbs up," but so far that seems to be the case regarding yesterday's (April 9) announcement that The Defense Department and the Department of Veterans Affairs will collaborate on building an electronic database of administrative and medical information for U.S. servicemen and women. Since developing a broad electronic health records (EHRs) initiative is a prominent feature of the Obama Administration's economic stimulus plan, it makes sense to start (or at least focus) on a defined segment of the population -- current and past military personnel. But, apart from the specific technology, architecture and technical administration aspects of this program, there will be other challenges in pursuing the goal of EHRs for the military -- challenges that insurance technology executives know only too well. These include collaboration among different and sometimes competing interests (in this case, the Department of Defense (DOD) and the Department of Veterans Affairs (VA), which historically have not worked together as closely as one might imagine); and concerns about privacy and security. In fact, the ways in which the military EHRs initiative addresses the privacy issue could provide some interesting best practices (or actions to avoid) for private-sector players. "Currently, there is no comprehensive system in place that allows for a streamlined transition of health records between DOD and the VA," President Barack Obama said at yesterday's announcement, "and that results in extraordinary hardship for an awful lot of veterans who end up finding their records lost, unable to get their benefits processed in a timely fashion. And that's why I'm asking both departments to work together to define and build a seamless system of integration with a simple goal: When a member of the Armed Forces separates from the military, he or she will no longer have to walk paperwork from a DOD

www.killdo.de.gg Most quality online stores. Know whether you are a trusted online retailer in the world. Whatever we can buy very good quality. and do not hesitate. Everything is very high quality. Including clothes, accessories, bags, cups. Highly recommended. This is one of the trusted online store in the world. View now www.retrostyler.com

The theft in 2006 of an employee laptop that contained personal information on millions of veterans taught the Veterans Affairs Department some hard lessons. VA became "the poster child of data breaches," said Kathryn Maginnis, the department's associate deputy assistant secretary for risk management and incident response. As a result of that incident and several breaches that followed, the department developed a comprehensive incident response program and incident resolution team that evaluates all serious exposures of sensitive data. "We have a culture of report, report, report," Maginnis said at the recent FOSE conference in Washington. The incident response program received a perfect score last year in the VA inspector general's Federal Information Security Management Act audit, and Maginnis said she expects to get another perfect score this year. The department developed two in-house online tools to help track and evaluate incidents, said Amanda Graves Scott, director of the incident resolution team. The Formal Event Review and Evaluation Tool uses a 56-question questionnaire to determine the risk category of a data breach, and the VA Incident Response Tracking System automates a manual tracking process for information technology incident response.

Point by Marcus Ranum THERE'S AN OLD SAYING, "Sometimes things have to get a lot worse before they can get better." If that's true, then breach notification laws offer the chance of eventual improvements in security, years hence. For now? They're a huge distraction that has more to do with butt-covering and paperwork than improving systems security. Somehow, the security world has managed to ignore the effect voluntary (?) notification and notification laws have had in other fields-namely, none.We regularly get bank disclosure statements, stock plan announcements, HIPAA disclosures, etc.-and they all go immediately in the wastebasket, unread.When I got my personal information breach notification from the Department of Veterans Affairs, it went in the trash too. Counterpoint by Bruce Schneier THERE ARE THREE REASONS for breach notification laws. One, it's common politeness that when you lose something of someone else's, you tell him. The prevailing corporate attitude before the law-"They won't notice, and if they do notice they won't know it's us, so we are better off keeping quiet about the whole thing"-is just wrong. Two, it provides statistics to security researchers as to how pervasive the problem really is. And three, it forces companies to improve their security. That last point needs a bit of explanation. The problem with companies protecting your data is that it isn't in their financial best interest to do so. That is, the companies are responsible for protecting your data, but bear none of the costs if your data is compromised. You suffer the harm, but you have no control-or even knowledge- of the company's security practices. The idea behind such laws, and how they were sold to legislators, is that they would increase the cost-both in bad publicity and the actual notification-of security breaches, motivating companies to spend more to prevent them. In economic terms, the law reduces the externalities and forces companies to deal with the true costs of