In case you didn’t notice among all the TARP and Stimulus Bill news… the Veterans Affairs Department has agreed to pay $20M to settle a lawsuit filed by veterans over a VA laptop containing sensitive information that was stolen in 2006.
(Before I go any further, I want to be clear that I completely support veterans receiving compensation for out-of-pocket expenses that resulted from the computer theft, credit monitoring to protect against identity loss and medical expenses that were the result of severe emotional distress.)
So how are “customized knowledge” and “individual-level accountability” worth at least $20M of your money and mine (taxpayer dollars)?
For starters, if Veterans Affairs had clearly defined “customized knowledge” (acceptable usage policies and procedures), and if it had had each employee acknowledge their accountability for protecting mobile devices, handling sensitive information and meeting home security requirements, then the laptop computer should not have been:
- Loaded up by an employee with sensitive information for 26 million veterans
- Taken home by an employee without encrypting sensitive data first
- Taken home by an employee without clearly defined mobile/home usage security guidelines
In actuality, Veterans Affairs was extremely lucky: in this incident the stolen laptop was RECOVERED, and forensic investigators determined that the criminals had not accessed the sensitive data. The original class action lawsuit filed in 2006 asked for $1,000 in damages for every veteran and could have resulted in a settlement of more than $26B – yes, Billion. Not to mention all the headaches that the 26M veterans would have faced.
Now that this lesson has been learned, I am hopeful that all public and private leaders will take immediate action to IMPLEMENT their own version of “customized knowledge” with “individual-level accountability”. Taking immediate action will help ensure that all appropriate personnel understand what, how, when, where and why it is less expensive (and better for their organization’s reputation and bottom line) to protect sensitive data up front than to pay for damage control, employee fallout and lawsuits later.