[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]




                       UPDATE ON THE BREACH OF DATA 
                       SECURITY AT THE DEPARTMENT OF 
                            VETERANS AFFAIRS

========================================================================


                                HEARING

                               before the

                              COMMITTEE ON
                           VETERANS' AFFAIRS


                        HOUSE OF REPRESENTATIVES


                       ONE HUNDRED NINTH CONGRESS

                             SECOND SESSION

                               __________

                             JUNE 29, 2006

                               __________

       Printed for the use of the Committee on Veterans' Affairs


                           Serial No. 109-59


                               __________


                     U.S. GOVERNMENT PRINTING OFFICE
                            WASHINGTON : 2007
28-455.PDF

For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001





                     COMMITTEE ON VETERANS' AFFAIRS

                     STEVE BUYER, Indiana, Chairman

MICHAEL BILIRAKIS, Florida               LANE EVANS, Illinois, Ranking
TERRY EVERETT, Alabama                   BOB FILNER, California
CLIFF STEARNS, Florida                   LUIS, V. GUTIERREZ, Illinois
DAN BURTON, Indiana                      CORRINE BROWN, Florida
JERRY MORAN, Kansas                      VIC SNYDER, Arkansas
RICHARD H. BAKER, Louisiana              MICAHEL H. MICHAUD, Maine
HENRY E. BROWN, Jr., South Carolina      STEPHANIE HERSETH, South 
JEFF MILLER, Florida                       Dakota
JOHN BOOZMAN, Arkansas                   TED STRICKLAND, Ohio
JEB BRADLEY, New Hampshire               DARLENE HOOLEY, Oregon
GINNY BROWN-WAITE, Florida               SILVESTRE REYES, Texas
MICHAEL R. TURNER, Ohio                  SHELLEY BERKLEY, Nevada
JOHN CAMPBELL, California                TOM UDALL, New Mexico
BRIAN BILLBRAY, California               JOHN T. SALZAR, Colorado


                    JAMES M. LARIVIERE, Staff Director

                                 (ii)



                             C O N T E N T S

                              June 29, 2006
                                                                  Page
Update On The Breach Of Data Security at the Department of
Veterans Affairs..................................................    1

                               OPENING STATEMENT

Chairman Buyer....................................................    1
Hon. Bob Filner...................................................    3
Hon. Cliff Steanrs................................................    4

                           STATEMENTS FOR THE RECORD

Hon. Corrine Brown................................................   50
Hon. Tom Udall....................................................   55
Hon. John T. Salazar..............................................   56

                                   WITNESSES

U.S. Department of Veterans Affairs:

  Hon. R. James Nicholson, Secretary..............................     5
  Prepared statement of Hon. William F. Turek, Under Secretary for
    Memorial Affairs, National Cemetery Administration............    58
  Prepared statement of Hon. Jonathan B. Perlin, M.D., Ph. D., 
    MSHA, FACP, Under Secretary for Health, Veterans Health
    Administration................................................    67
  Prepared statement of Hon. Gordon H. Mansfield, Deputy
    Secretary.....................................................    76
  Prepared statement of Hon. Ronald R. Aument, Deputy Under 
    Secretary for Benefits, Veterans Benefits Administration......    84

                      MATERIAL SUBMITTED FOR THE RECORD

Letter and Memorandum dated June 28, 2006, regarding Delegation
  of Authority for Responsibility for Departmental Information 
  Security........................................................    98
VA Employee Home Use Amendment, Property Pass, and Justification 
  for Access to SSNs, submitted by Mr. Filner.....................   101

                                 (ii)



 
                   UPDATE ON THE BREACH OF DATA SECURITY
                   AT THE DEPARTMENT OF VETERANS AFFAIRS

                               ____________


                        THURSDAY, JUNE 29, 2006

                                                House of Representatives,
                                           Committee on Veterans Affairs,
                                                         Washington, D.C.


The Committee met, pursuant to call, at 10:30 a.m., in Room 334, Cannon 
House Office Building, Hon. Steve Buyer [Chairman of the Committee] 
presiding.


Present:  Representatives Buyer, Stearns, Brown of South Carolina, 
Miller, Boozman, Bradley, Filner, Brown of Florida, Snyder, Michaud, 
Herseth, Berkley, Salazar.


The Chairman.  The House Veterans Affairs Committee will come to order, 
June 29, 2006.

This morning we will continue our examination of the data theft and 
information security at the Department of Veterans Affairs.  The 
catalyst of this examination was the compromise in May of data belonging 
to over 26 million veterans, 2.2 million servicemembers, and some family 
members.  The purpose of our oversight has focused on obtaining as much 
understanding as possible, and has included business roundtable with 
information experts.  We have had seven hearings including two 
Subcommittee hearings. This is nothing less than a full examination of 
the information management systems of the Department of Veterans 
Affairs.

What we learn here will inform us in our efforts to make whole any 
veteran harmed by the theft of personal information, and assure the 
security of veterans' personal information.  Over the past month, this 
Committee has brought in over 17 witnesses to examine the loss of data, 
the current structure of information security as an extension of the 
structure of information technology, and options regarding credit 
monitoring and information security.

Witnesses have included Secretary Nicholson, the VA's Inspector General, 
General Counsel, experts from GAO, an academic; and experts in the field 
of data security, information technology management and identity theft 
have testified.  Additionally, the Subcommittee on disability assistance 
and memorial affairs held a joint hearing with the Subcommittee on 
economic opportunity on June 20th to review data security in the 
Veterans Benefits Administration.  The Subcommittee on health held a 
hearing on June 21st to review the security of medical information in 
the Veterans Health Administration.

Today's hearing is a capstone event.  Mr. Secretary, I want to thank you 
for being here this morning.  We look forward to hearing what steps the 
department has taken to mitigate the second largest breach of personal 
data in American history, and how we are going to help our veterans.  We 
are interested in learning as well what the VA is doing to prevent 
future security breaches, and what plans exist to mitigate the event of 
identity theft as a result of this breach or any other breach.

And before we receive your testimony, Mr. Secretary, in fairness to you, 
I offer a brief overview of what we have learned from these hearings, 
not to mention several years of painful experience in dealing with these 
issues and the VA's bureaucracy.  Almost without exception, experts from 
academia and leading businesses have told this Committee that the 
complexities and threats characterizing information management today 
require the system to be centralized.  They further state that the VA's 
decentralized IT structure make it, quote `` practically impossible''  
end quote, to secure its data.

Time and again, we have heard the same counsel: limit the number of data 
users, minimize the amount of data that must be exported for use, screen 
and train your people, centralize the system, and empower the Chief 
Information Officer.

While no one knows whether this compromise of data will produce cases of 
fraud, executives who have successfully recovered from large-scale data 
compromises have informed this Committee that fast action is required.  
Communications with your customers is important when time is of the 
essence.  Offer mitigating services quickly, and coordinate with law 
enforcement agencies quickly.

But the word ``quick'' does not seem to characterize anything about the 
VA's response to this threat over the years.  The GAO and the 
department's own IG have testified on these issues repeatedly since 
1997.  They brought grave security deficiencies and vulnerabilities to 
the attention of VA officials, who in turn essentially have ignored 
them. Two immediate former department CIOs and a former associate deputy 
assistant secretary for cyber and information security informed this 
Committee of impenetrable barriers thrown up by a turf-bound culture of 
the status quo that affects your middle and senior ranks of leadership.  
The department's general counsel in 2004 I believe gave the narrowest 
possible interpretation of your predecessor's decision of his efforts to 
centralize IT authorities and empower the CIO.

Mr. Secretary, from this vantage point, I believe that at times you have 
not been well-served.  You have inherited an unfortunate situation, and 
you are a military man yourself.  I commend you on the acceptance of 
responsibility for a sorry state of affairs.  But you are attempting to 
cut through the cultural resistance and fix it.  I read the memo that 
you issued last night, and I congratulate you for that memo.  I can 
almost envision the spirited debate that occurred at the table before 
you signed that memo, so I would like to thank you for that.

In your opening statement I would also, though, like for you to inform 
this Committee of any other data breaches that you have knowledge of; 
more in particular, the data loss in Minneapolis, and I am distressed to 
have heard about the lost tape in Indianapolis, because your counsel was 
just this week before this Committee, yet never informed this Committee 
that you have a missing tape that contains over 16,538 legal cases.  So 
I am pretty stressed this morning to have learned this last night, very 
late.

At this point, I yield to Mr. Filner for any opening statement he may 
have.

Mr. Filner.  Thank you, Mr. Chairman, and I again, as I have said in the 
preceding five hearings, thank you for this real example of oversight 
the Committee should be following.

Mr. Secretary, we are grateful about the announcement that you just made 
this morning.  It lifts a heavy burden from the hearts of millions of 
veterans, if it is true that there was no compromise of the data.  We 
congratulate law enforcement, and we can all breathe easier.  I think 
everybody here is very grateful.  But it doesn't change some fundamental 
things, Mr. Secretary.  You start off with a little stunt, you never 
told us that the data had been recovered.  Typical for this last two 
months, you have been spinning, spinning, spinning, you have been doing 
PR, and you have done very little to deal with the issue that the 
veterans face with fear every day.

It doesn't change the culture that we have had defined very clearly in 
these hearings, and which Mr. Buyer has been talking about for seven 
years.  It doesn't change the lapses in your personnel chain, that has 
kept information apparently from you, from the FBI, and from us.

It doesn't change the fact that your intentions seem to be to have 
blamed all of this on one guy, who as we will show today at the hearing, 
had permission to take his laptop home, had permission to download the 
data, had help to download the data, had authorization to use that data, 
and yet he has been, as far as I know, the only one in your whole 
operation that any action has been taken against in a personnel way.  He 
has been accused, as I understand, of gross negligence.  But he did 
everything he was supposed to do.  He informed his superior in 52 
minutes.  Your guys didn't inform you for six or seven days.  Who was 
grossly negligent?

So Mr. Secretary, we have got a lot to do.  This memo that Mr. Buyer 
referred to is a good step.  I agree on that. It is something that you, 
Mr. Chairman, have been working on for many years, and I know you feel 
some satisfaction in that.  This theft, which hopefully has not 
compromised any identities, was the stimulus to take action.  But the 
Chairman saw this coming for many years.  

So we still must act.  We still must act on the culture, we still must 
figure out why you decided to fire only one person in this whole mess, 
and whether he was actually grossly negligent, or other people were.

Mr. Chairman, I ask that my full statement be made part of the record.

The Chairman.  Hearing no objections, so ordered.


[No statement was submtited.]


The Chairman.  If any other members have opening statements, you may 
submit them for the record.


If you would like, I will yield to the gentleman.

[The statements of Ms. Corrine Brown, Mr. Tom Udall and Mr. John Salazar 
appear on p. 50, p. 55, and p. 56, respectively.]



Mr. Stearns.  Mr. Chairman, I just want to commend the Secretary for his 
announcement this morning.  I think it is breathtaking that he found the 
computer, and I commend he and his staff for doing it.

Mr. Filner.  I don't think he found it.

Mr. Stearns.  Well, at any rate, his announcement that at point they 
have the computer, and I think all of us are just waiting to hear more 
what has happened, and I think perhaps the angels are on his side at 
this point, so I will look forward to his comments.

Mr. Snyder.  Mr. Chairman?

The Chairman.  Yes, Dr. Snyder.

Mr. Snyder.  Thank you Mr. Chairman.  I am not going to make a 
statement, but I was not here, and when I walked in -- and so I hope the 
Secretary will begin anew, so I know exactly what Mr. Stearns is 
commending him for, thank you.

The Chairman.  We are going to give the Secretary great latitude, and we 
have invited him to come back after we had also done our due diligence 
and our investigations. And if you can recall, we had him here 
immediately after this happened, but also the Senate wanted him, so we 
only had him for about an hour.  So we are going to have the Secretary 
here for as long as it takes this morning.  And he has his under 
secretaries here, and Mr. Secretary, you are recognized. 


STATEMENTS OF THE HON. R. JAMES NICHOLSON, SECRETARY, U.S. DEPARTMENT OF 
VETERANS AFFAIRS, ACCOMPANIED BY THE HON. GORDON H. MANSFIELD, DEPUTY 
SECRETARY; THE HON. JONATHAN B. PERLIN, M.D. Ph.D., MSHA, FACP, UNDER 
SECRETARY FOR HEALTH, VETERANS HEALTH ADMINISTRATION; THE HONORABLE 
RONALD R. AUMENT, DEPUTY UNDER SECRETARY FOR BENEFITS, VETERANS BENEFITS 
ADMINISTRATION; THE HONORABLE WILLIAM F. TUERK, UNDER SECRETARY FOR 
MEMORIAL AFFAIRS, NATIONAL CEMETERY ADMINISTRATION; THE HONORABLE TIM 
MCCLAIN, GENERAL COUNSEL, U.S. DEPARTMENT OF VETERANS AFFAIRS; JACK 
THOMPSON, DEPUTY GENERAL COUNSEL; THOMAS BOWMAN, CHIEF OF STAFF; DENNIS 
DUFFY, ACTING ASSISTANT SECRETARY FOR POLICY, PLANNING AND PREPAREDNESS; 
MARK WHITNEY, OFFICE OF POLICY, PLANNING AND PREPAREDNESS


Secretary Nicholson.  Thank you, Mr. Chairman and members of the 
Committee.  When I was coming in here I was asked if I would make a 
brief statement to the press because of the news that we have, the good 
news, and so I will start just by repeating that, by saying that it was 
confirmed to me by the Deputy Attorney General, just right before coming 
up here, that they have indeed, law enforcement has in their possession 
the subject laptop and hard drive; the serial numbers match.

We are diligently conducting forensic analysis on it to see if they can 
tell whether it has been duplicated, or utilized, or entered in any way, 
and that work is not complete.  However, they did say to me that there 
is reason to be optimistic about that.  But that is not a certainty.

I would like to againI appreciate your kind words, Mr. Congressman.  The 
only part I had in this recovery were my prayers to St. Anthony, I'll 
tell you.  But the law enforcement community did a very, very good job 
in this. And to have, you know, gotten their hands on these two small 
items in the volume that there is circulating out there in that world is 
really extraordinary, and I am very grateful, and I know you are.  We 
will just have to remain hopeful that they haven't been compromised, and 
as I said, there is reason to be optimistic.

The Chairman.  Are they studying the forensics right now?

Secretary Nicholson.  As we speak, yes, sir.

The Chairman.  All right, thank you.

Secretary Nicholson.  Again, I would like to thank you all for the 
opportunity to appear here today to follow up on what has occurred at 
our department.  And my testimony, my opening statement will be in the 
context of this big problem, because I agree with Mr. Filner in many 
respects.  This has brought to the light of day some real deficiencies 
in our department, and the manner in which we have handled personal data 
and cyber information.  And if there is a redeeming part of this, and I 
believe there is, is that we can really turn this place around, and I 
sincerely think we can make it into the gold standard for information 
security, like we have the gold standard for electronic health records.  
And that is our challenge, and indeed that is our mandate.

But I will testify in the context that things are as we thought they 
were last night, or yesterday at this time.  So again, this theft 
occurred on May 3rd, and it has been tragic on many levels, but I also -
- and this may be moot, but there was a perception on the part of many 
members of the public that the data was lost to the VA, but it was never 
lost.  These are copies of the data that were lost.  And I also want to 
highlight the fact, to you, the members of this oversight Committee, 
that while we have been addressing this issue, as you would imagine, 
double time, we also have been attending to the business of the VA, 
which is our core mission, which is caring for the health needs and the 
benefits of our veterans, and of course the burials.

I would point out to you that we have over a million veterans come to us 
every week for health care provision, and we are taking darned good care 
of them.  Since this theft occurred, it has come to my attention, I have 
taken many proactive steps on many fronts, but all of them have been 
guided by one question, the answer to one question, which is what is 
going to be the best for the veterans?  And this Committee and its 
various Subcommittees has had at least one hearing a week since this 
theft became public, mostly focused on the elements of the theft and its 
aftermath.

Other committees have held hearings on this, and we provided briefings 
for various members of the Congress and their staffs.  So for that 
reason, much of what I say will be familiar to you, I know.  But I would 
like to organize my presentation into a few basic points, and that is 
what have we done, what are we doing, what needs to be done, and how 
will we measure progress on these fronts?  And again, our goal is, on 
behalf of the veterans, to make the VA into a first-rate organization in 
the realm of cyber and information security, just as we have done as an 
integrated healthcare provider.

Following the theft of this data at the employee's home, we determined 
or attempted to determine the scope of the loss, and we retained 
forensic experts.  And once the magnitude of this was more fully 
understood, we began working nonstop to see what steps are appropriate 
now going forward to protect our veterans.

I directed a series of personnel changes in the office of policy and 
planning where the breach occurred, the two senior people in that 
department, as well as the person who had custodial responsibly for this 
data.  I retained an outside independent adviser to me, Rick Romley, the 
former prosecutor and district attorney in Arizona.  I have expedited 
cyber security awareness training and privacy training for all VA 
employees, directed that VA facilities across the country observe 
Security Awareness Week this week, and it is focusing on assuring that 
security is an integral part of our workplace culture ethic.

The VA's initial response to this loss was to create a call center with 
a capacity to handle 260,000 calls, and we reprogrammed $25 million to 
do that.  To date, we have spent $9.3 million in that call center.  We 
have had a total of 212,000 calls.  Another thing that we did is a 
mailing to all of the 17.5 million people for whom we had addresses by 
matching our data with the IRS to come up with those addresses.  The 
mailing cost was $7 million.

As you well know, we also requested and got the requisite policy 
approval to seek from you the ability to provide security monitoring for 
the affected veterans, servicemembers, and family members, and I have 
quite a bit on that and I think I will demur on that, pending what 
questions that you might have on that.  You know, we hope and pray that 
is academic, but we don't know that as I sit here.

Let me talk about some specific actions that are going to --  that are 
and will occur at the VA, and again, one of the redemptive parts of this 
I think is the absolute wake-up call lightning rod to make changes in 
this organization, some of which I hope will become models for other 
agencies that I know have some similar complacency and laxity that we 
have had on information security.

I directed that every laptop computer in the VA undergo a security 
review to ensure that all security and virus software is current, 
including the immediate removal of any unauthorized information or 
software, and application of appropriate encryption programs.  But 
because of the pending lawsuits, this directive has been placed on hold 
until we obtain further guidance from the courts.

In addition, we have been in discussions with corporations which provide 
unique data breach analysis to see if the data has been exploited.  And 
we anticipate that we will enter into a contract for that service 
shortly, and I would add here parenthetically that I think that we 
should do that anyway regardless of what the outcome of what we are now 
hoping for, based on today's news.  This is not extremely expensive.  It 
is a new technology, but they can tell you whether a body of data is 
being used, exploited by people who do this, who steal identity and 
exploit it.

We are making an effort to be responsive to the concerns of you, Mr. 
Chairman, and this Committee, by directing us to provide detection, 
protection, and insurance.  And that I would say is there, it is pending 
further information.  I directed that the VA conduct an inventory of all 
positions requiring access to sensitive VA data, to ensure that only 
those employees who need such access to do their jobs have it.  And that 
they have the appropriate background checks.

And if you could think of a model for this, it is one that you are all 
familiar with, which is having a security clearance for having access to 
classified information, and having a need to know the information.  This 
unfortunately has just not been the standard in our organization.  And 
as you heard me say before, the person who had custody of this data had 
not had a background check in 32 years, as an example.

We have been in an effort to conduct this inventory of these positions, 
and then we are working on a program for getting these background checks 
in place, which is no small task, given the time delays there are on 
those, and it is costly.  We are doing a major IT reorganization within 
the VA, and it is true, as the Chairman and Ranking Member have said, 
that the VA has been very highly decentralized, and this is a huge 
organization that is spread all over the world really from Togus, Maine, 
to Manila in the Philippines.

And some of that decentralization has been good.  It has kept the IT 
closer to the ultimate user, and I would say that it has also been very 
valuable and important in the development of the highly vaunted 
electronic medical records that we have, that lead --  I was at a world 
forum of the American Enterprise Institute recently, where they were 
universally praising the VA for what it has been able to accomplish in 
this front.

But it has also, this decentralization, has led to a system that is 
very, very complex, frequently incompatible, and very difficult to 
manage.  And that has become clear to me shortly after I came into this 
job 16 months ago.  So after reviewing the recommendations of the 
consultant who had been studying the IT situation at the VA after the 
ill- fated Core FLS endeavor in Florida in October of 2005, or that is 
when I made the decision and signed the memorandum directing the 
reorganization of the IT within the VA.  That was last October.

And pursuant to that, now more than 4600 IT professionals engaged in 
operation and maintenance of the department's IT infrastructure, plus 
560 unencumbered positions, have been detailed to the Office of 
Information and Technology under the direction of the Chief Information 
Officer.  As of the beginning of the new fiscal year coming up on 
October 1st, those who have been detailed will become permanently 
assigned there, establishing thereby a new career field within OIT.

Given collective bargaining agreements -- 

The Chairman.  Excuse me, Mr. Secretary, if you could hold your spot, 
okay?  Put a little note there in your statement, hold that spot.  I 
have been informed we have three votes.  We have a 15-minute vote on the 
Poe amendment, a two-minute vote on Hefley, and a final passage.  So we 
are going to stand in recess for approximately 25 minutes.

And Mr. Secretary, given your announcement, I am sure that you are going 
to be asked questions from the press. You have the permission of the 
Committee to speak with the press and conduct an interview in this room.  
The Committee stands in recess.

[Recess.]

The Chairman.  The House Veterans Affairs' Committee full Committee will 
come back to order.

Mr. Secretary, there is much abuzz about your announcement this morning.  
We just returned from our votes. Members are feeling pretty good about 
the news, but don't know whether they can take the next breath until we 
have learned whether or not anything has been compromised.  Sir, when we 
left off you were still in your opening statement and we want to give 
you latitude.  You are now recognized, sir.

Secretary Nicholson.  Thank you, Mr. Chairman, I am glad that there is 
some positive buzz for a change, and let me, if I may read an e-mail 
that I have gotten with an update, which is as follows:

``An FBI spokesman said the laptop computer was recovered in the area, 
but could not provide more specific information.  Forensic tests 
showed,''  quote, ``the sensitive files were not accessed, according to 
the special agent in charge, Bill Chase.''

So it is still positive, very positive, and we remain hopeful.  With 
that, Mr. Chairman, I would like, if I could, to pick up where I left 
off, which is I think talking about a very important thing that we have 
launched at the VA, which I think is pleasing to you and the members of 
this Committee, which is the major movement of centralization that we 
are undertaking.

And I had mentioned that we had moved 4,610 people, professionals, 
engaged in the department's IT infrastructure, under the direct control 
of the Chief of Information.  Plus another 560 positions have been 
detailed there.  And come October 1st or the end of the current fiscal 
year, these details there will become permanent, and a new career field 
will be established in the VA, now, for career professionals in IT.  
That has not ever been the case.  And I think that that is a very 
important, progressive, and needed step.

There are collective-bargaining agreements with our unions that come 
into play and they have filed grievances in an attempt to prevent this 
change.  And some of this is I think normal.  There is a fair amount of 
anxiety because we are moving people now internally in the organization 
into a new organization.  We hope that we can resolve those things with 
the union and see and convince them that these people are really going 
to be better off, because they are no longer going to be hitchhiking 
career-wise to a different career field than their own specialty.

And in this reorganization all IT professionals are then going to be 
consolidated in the Office of Information and Technology.  And then 
there is one exception, and I know this is a very important exception to 
the Chairman, and that is the software developers who reside mostly with 
VHA and VBA.  But even for these, the CIO will be responsible for their 
enterprise architecture, their project planning approvals, through the 
OMB 300 process, funding, and cyber and information security, which we 
are meeting here today.

So in this concept, I think this is a very big step.  I can tell you it 
is a very big thing inside our organization. And I think a very positive 
thing.  And it is incremental, in my mind, and my goal is for these 
developers to also be brought under the total control of the CIO.  These 
are the real creative types that are out there, you know, creating these 
software application programs for medical research, and so on.

Various other functions are being centralized within the VA IT as well.  
The position of Chief Financial Officer, with budget authority, has been 
established in the Office of Information Technology.  Security has also 
been consolidated within the Office of Cyber and Information Security in 
the OIT.

Additionally, I want to assure you that I have been paying close 
attention to all of these hearings and I have heard your concerns about 
whether or not the CIO has sufficient enforcement authority to ensure 
compliance with the deficiencies noted in the past, and to ensure future 
compliance.  I have looked into this a great deal and I agree with you 
that there has been an ambiguity, to put it mildly, probably, in our 
directives.

Therefore, as has been mentioned, I have issued a memorandum making it 
absolutely clear that all responsibilities with appropriate authority, 
to include enforcement, lie with the Chief Information Officer, and I 
will say that your interest in this, in this Committee, and you, Mr. 
Chairman has been very helpful.  This is long overdue.

Further I have directed that responsibility for information security be 
included among the critical elements of all senior executives' 
performance plans, tying security performance and plans, and the reviews 
of that, to the effects on the bonuses of those individuals.  We have 
already had several major experts engaged to help us develop a 
consolidated data security program.  These include many recognized names 
in the industry.  They will be supporting a program whereby 
responsibility, authority, accountability, and enforcement are 
consolidated under the CIO.  We have engaged one of the world's leaders 
in the expert field of cyber and information security, which is a 
Carnegie Mellon SEI, to independently verify and validate our security 
plan and measure our implementation.

In addition, we will be retaining an acknowledged expert on program 
management operations to manage this entire process of transformation.  
I am also pleased to announce that just yesterday we entered into a 
contract with IBM to assist us in implementing our overall IT 
realignment plan.  IBM is a recognized expert in IT integration.  They 
themselves have experienced the difficulties of IT realignment, but I am 
confident that with our commitment and their assistance, we will meet 
our goal of completely transitioning to a fully realigned IT management 
system.

The range of IT programs administered by the Department of Veterans 
Affairs on behalf of our veterans is extensive. Many of these programs 
or services require that the IT to back them up be interactive, with VA 
professionals having a need to access and manipulate data elements in 
the course of providing health care or benefits, often in locations 
outside of the VA facility.  For example, VA employees checking on the 
care that a fiduciary is being provided with respect to an incompetent 
veteran, loan guarantee employees doing field examinations of 
appraisers, or home health care providers for housebound veterans, and I 
could go on and on. As a result, the array of hardware and software, 
where it is located, the number of systems, the number of persons having 
access to it, how that access is granted or denied, how the data is 
utilized, and by whom, what background checks are needed; all have grown 
tremendously over the years.

These are areas, then, that require our immediate review and, where 
necessary, remediation.  This VA data theft has been a real wake-up call 
to us.  IG reports in past years have highlighted specific weaknesses.  
But as an institution, the VA did not respond to those with a sense of 
urgency that in retrospect clearly was called for.  With the benefit of 
hindsight, that need for urgency is overwhelmingly apparent to me today.  
We recognize that we must change the culture of this department, and we 
have embarked on doing that.

On May 24th I instructed the deputy secretary to establish a three-phase 
program to assess existing conditions, strengthen internal controls, and 
establish enforcement mechanisms.  The assessment phase is now almost 
complete.  We are now reissuing guidelines and regulations clarifying 
and emphasizing requirements, and the ramifications for failure to 
follow them.

In addition, I have directed that all VA's sensitive data be kept on VA 
equipment, such as laptop computers.  In the past many employees have 
utilized their own personal computers to conduct VA business.  We are 
assessing just who is doing that and why, and we will be issuing 
guidance regarding that in the near future.  I have also directed that 
previously authorized work procedures, which allowed VBA employees to 
transport hard copies of claim folders to alternative work sites be 
stopped.  It is a government-wide practice to encourage telework or 
telecommuting, especially here in the Washington area.  Yet we must 
assure that our policies and procedures implementing this are such that 
sensitive data relating to our veterans is properly protected.  I have 
asked our Acting Under Secretary for Benefits to review and revise his 
own guidance to his staff in this area to ensure the protection of the 
veterans' vital records and sensitive data prior to resuming this 
practice, if at all.

As I mentioned, the VA is revising its regulations, policies, 
guidelines, and directives, in the entire area of information technology 
and security.  We are working to assure that we have clear guidance for 
all VA employees in place and that they are fully trained in what is 
required of them, and that compliance is monitored.

We are revising VA directive 6500, which sets forth the guidelines for 
information security and the enforcement mechanisms pertaining to that.  
This is on a fast track, and I anticipate issuing that directive very 
shortly.  But I am convinced that coming out of a very bad situation, we 
can make the VA a model for data security.

How are we going to measure our success in this endeavor?  Well, I am 
putting forth a slate of directives enhancing the authority of the CIO, 
creating accountability throughout the system and requiring measurement, 
and I have mentioned the consultants that we are engaging to help us 
with that.  Performance metrics will be tracked by my office in 
conjunction with the CIO until we become that model to be emulated by 
others.  And of course, we have our own Inspector General, who has 
pointed out shortcomings in the past.  And while the IG is housed at the 
VA he is independent, reporting directly to the President.  I think you 
will see that he offers a critical overview of what we are doing.  And 
initially that will be to correct deficiencies noted by him in the past.

In addition, we are scored each year on FISMA compliance.  And as I have 
noted in the past, we have received abysmal scores.  That is 
unacceptable and we must and we will do better.  In the area of 
legislation, Mr. Chairman, the Health Insurance Portability and 
Accountability Act, known by you all I am sure as HIPAA, governs all 
aspects of the privacy of sensitive information related to a person's 
health.  HIPAA provides for criminal penalties of up to 10 years' 
imprisonment and a fine of up to $250,000 for its intentional misuse.

There is no comparable law pertaining to the misuse of other non-health 
sensitive personal information.  And I believe that Congress should 
enact such a law.  Someone intent on fraudulently using personal 
information may think twice if he or she focuses on severe penalties 
that could be encountered for such a crime.  I also now serve on the 
President's new task force on identity theft and I will be making 
similar requests there for tougher laws, greater deterrents, and other 
actions that will minimize the likelihood of an event such as this 
occurring again.

In conclusion, Mr. Chairman, unfortunately a terrible thing happened, 
monumentally terrible.  It has outraged me and so has the slow response 
by some of my very good subordinates, but I am the responsible person, 
and it is to me that I think you are entitled to look to see that our 
victims are treated right and that this place gets fixed. And it will 
not be easy, and it will not be overnight, I am convinced that we can do 
this.  And we are already on the way I think to establishing a new 
culture of security within the VA with the policies and procedures and 
the people in place to maintain them.

That concludes my testimony, Mr. Chairman, I would be pleased to answer 
questions.


The Chairman.  Thank you very much, Mr. Secretary.

Under Secretary Tuerk, Under Secretary Perlin, Deputy Secretary 
Mansfield, Assistant Secretary Aument; the four of you have written 
testimonies, do you not?

All answer in affirmative.  Would you submit that statement for the 
record?

[All answer in the affirmative.]

The Chairman.  Hearing no objection it is entered, so ordered.


[The statements of Mr. Tuerk, Dr. Perlin, Mr. Mansfield, and Mr. Aument 
appear on p. 58, p. 67, p. 76, and p. 84, respectively.]


The Chairman.  Other witnesses are here to accompany the Secretary, and 
if members have questions of them we have a roving microphone.  If these 
witnesses will please rise when recognized.

The Honorable Tim McClain, General Counsel to the Department of Veterans 
Affairs.  You may be seated.  Mr. Tom Bowman, who is the Chief of Staff 
to the Department of Veterans Affairs.  Mr. Dennis Duffy, the Acting 
Assistant Secretary for Policy, Planning, and Preparedness, for the 
Department of Veterans Affairs.  Missing?  Sorry, please stand.  If you 
did, I didn't see you.  I apologize.  And Mr. Mark Whitney, with Policy, 
Planning, and Preparedness, for the Department of Veterans Affairs.  
Thank you.

Mr. Secretary, in your opening statement you referred to a memorandum.  
I would ask unanimous consent that your memorandum signed and dated June 
28, 2006, entitled, "Memorandum for the Assistant Secretary for 
Information and Technology,''  subject line, `` Delegation of Authority 
for the Responsibility for the Department Information Security,'' be 
entered into the record.  Hearing no objection so ordered.


[The attachment appears on p. 98]



The Chairman.  I Would also like to publicly thank Health Net.  Health 
Net is a company that does business with the VA, that they supplied 
$25,000 and matched the reward money.  And I think they should be 
publicly recognized for what they have done.

I will also ask Mr. Secretary, and I do want all the members to have 
their opportunity to talk with you, but I do want you to share with us 
these two other breaches that have occurred: the one in Minneapolis, 
whereby you had an employee put a laptop computer in the trunk of a car 
and the car was stolen and information was compromised, and you did have 
two cases of identity theft. The other, I would like to discuss the 
circumstances, and I would like to know about the notification 
procedures regarding the loss of a backup tape at the regional counsel's 
office, whereby they are missing 16,538 legal cases in the city of 
Indianapolis.  Mr. Secretary?

Secretary Nicholson.  Yes, sir, Mr. Chairman.  The incident in Minnesota 
was brought to our attention by a postal inspector, who had reason to 
believe that two people, two patients in one of our extended care 
facilities, was possibly having their identity exploited, and that led 
to a fact-finding endeavor that the IG has been investigating this.  And 
it turns out that the VA had a financial auditor in that facility to 
audit the income status of certain patients, because there is a means 
test that goes on for some of them in those facilities.  And that person 
put some of these patient files in the trunk of a car, of a rented car, 
and that car was stolen.  And there were I think 60- some, 66, I 
believe, people's information was in that, they were paper copies, and 
that happened in 2005, the car was stolen in 2005.

This did not come to our attention until, as I said, the postal 
inspector sensed that two people were being defrauded, and so we have 
the IGs inspecting, conducting an investigation and we are, you know, 
going back to the responsible person, waiting for the final report of 
the IG. Another case where the importance of this was not sensed and 
dealt with by that employee.  The Indianapolis --  

The Chairman.  Sir, we have a question on Minneapolis.

Secretary Nicholson.  Yes?

The Chairman.  When you said 66 people, are these 66 veterans?

Secretary Nicholson.  Yeah, I think they -- 

The Chairman.  All right.

Secretary Nicholson.  I am told yes.  I pause because there are a few 
people in --  facilities who are not --  

The Chairman.  And an audit of materials, would it indicate that it also 
contained necessary granulated information such as name, address, Social 
Security numbers?

Secretary Nicholson.  Yes, sir.

The Chairman.  And with regard to the notification of all 66 veterans, 
have they been notified with regard to the loss of this data?

Secretary Nicholson.  They have been notified, yes, sir.

The Chairman.  And are you considering taking the same action with 
regard to these 66 veterans as you were going to take with regard to 
this stolen laptop and hard drive, with regard to credit monitoring?

Secretary Nicholson.  Yes, sir, credit monitoring.

The Chairman.  And insurance?

Secretary Nicholson.  Yes.

The Chairman.  Okay.  All right, let's talk about Indianapolis.

Secretary Nicholson.  All right.  Indianapolis is more recent, where 
there is a backup tape that is missing. This occurred, I think, on May 
5.  It was in the regional counsel's office in Indianapolis, and the 
general counsel was notified of this on May 23rd.  It involves 16,500 
individual cases.  And again, the IG is investigating this, and we await 
their report for you know, the actions that we will take with respect to 
personnel.  We are notifying these people, and we plan to give them 
credit protection as well. The General Counsel is here, Tim McClain, if 
he cares to add anything to this, I would welcome him to do that.

There, the reporting was better than it has been.  But the practice, I 
mean, it happened, and we have a tape missing.  The data again is not 
missing, in that there is a daily chronology of these cases, a lot of 
this is litigation and stuff that they are tracking electronically, and 
so they have the day before and the day after, so that the data is not 
missing to us, but that tape is missing, with those individuals on it.

The Chairman.  Well, may I ask your counsel.  Mr. McClain, if there is a 
remote mike.  Mr. McClain, if there are 16,538 legal case records, would 
it not be true then that these files would have contained once again 
granulated information regarding the veteran, perhaps their dependents, 
some could be VA employees, Social Security numbers, claim numbers, 
addresses, date of birth, legal case numbers? Would that be an accurate 
assessment?

Mr. McClain.  In some cases, yes, Mr. Chairman.

The Chairman.  And in these case files, then, could there also possibly 
be embedded case-related documents such as claims, court documents, 
patient medical records, property descriptions, other personal 
information?

Mr. McClain.  Yes.

The Chairman.  With regard to the backup procedures that occurred prior 
to the loss, could you explain what occurred in the regional office in 
Indianapolis, with regard to how a backup was conducted and how these 
tapes were safeguarded?

Mr. McClain.  From what I have learned about this particular office, and 
how it was run, there is a computer room that the computers and the 
servers that run this particular system.  This is a homegrown software 
system known as GC Laws.  It is something that we developed and had 
implemented in 2002, and it has been in development since then.  It is a 
case tracking and attorney time tracking software.

Cases can be anything from a 30-minute telephone call with someone such 
as the VISN director or the medical center director, to a full-blown 
Federal Tort Claim Act case or medical case.  And so, we define a case 
essentially as you are giving legal advice in a substantive area and you 
are doing it for about 30 minutes or more.  That is why the number of 
cases are not going to be the same as the number of actual individual 
identifiers in the GC Laws area.  Every day, this system, which has 
information only from this particular region --  we have 22 regions that 
this is region 22 --  and they then back up this server that the GC Laws 
software resides.

The Chairman.  Do you know the territory of that region?

Mr. McClain.  Sir, it is the regional counsel offices in the federal 
building in Indianapolis, which I know you are very familiar with, sir.

The Chairman.  That would include parts of Ohio, Michigan, Illinois, 
Kentucky --  

Mr. McClain.  It would include all of Indiana and Kentucky.

The Chairman.  Please continue.

Mr. McClain.  This particular office maintained two weeks' worth of 
backup tapes; first Monday through Friday, second Monday through Friday.  
Every night, the tape would be changed, and then put into its 
appropriate --  the one taken out would be put into its appropriate 
slot.  On May 5th, it was discovered by the information security officer 
that the tape for the second Monday was missing.

The Chairman.  Are you aware or not whether it was a common practice for 
a backup tape to be taken home with one of your lawyers?

Mr. McClain.  I am not aware of that, sir.  The backup tapes for the 
most part stayed in the room.

The Chairman.  I would invite you to explore.  Did the tape contain 
confidential and privileged information?

Mr. McClain.  There most likely was privileged information that would 
have been generated in federal tort claims cases, which would have been 
attorney-client privilege.

The Chairman.  The room where these backup tapes are stored, is it 
secured or unsecured?

Mr. McClain.  It has a lock on it, but that is all. It is in the office 
and it has it on the door.

The Chairman.  I want to thank you, Mr. Secretary. Mr. Filner had asked 
for a timeline yesterday and we have received the timelines with regard 
to individuals for the case in Maryland.  Mr. McClain, have you put 
together a timeline with regard to notifications, with regard to this 
case in Indianapolis?

Mr. McClain.  Yes, sir, we have a general timeline.

The Chairman.  Okay.  Just for curiosity's sake, why didn't you tell us 
about this yesterday?

Mr. McClain.  That was my oversight, sir.  I owed you that.  I was 
concentrated on this particular situation that we have.  And there is no 
question you should have been notified.

The Chairman.  Mr. Secretary -- let me ask Mr. McClain. When were you 
notified with regard to the loss of this tape?

Mr. McClain.  May 23rd.

The Chairman.  Missing on May 5th, you were notified on the 23rd?  Mr. 
Secretary, when were you notified with regard to this lost tape in 
Indianapolis?

Secretary Nicholson.  I think that I was notified either that day or the 
next day, Mr. Chairman.

The Chairman.  The 23rd or the 24th?

Secretary Nicholson.  Yes, sir.

The Chairman.  This case runs parallel to what was occurring in 
Maryland, with regard to the notifications, and procedures.  We are 
going to need to learn more about Indianapolis,  Mr. Secretary, and I am 
pleased about your opening statement, because you exercised leadership 
here over the last four weeks.  But there is definitely more that we 
need to learn about this case in Indianapolis.  Because this is a 
tremendous exposure potential with regard to your legal system, Mr. 
McClain.

Mr. McClain.  Yes, sir.

The Chairman.  The last thing I would ask, with regard to the memo that 
has now been submitted for the record dated June 28th, Mr. McClain, as 
General Councel for the VA, do you believe that this memo complies with 
FISMA?

Mr. McClain.  Yes, sir, I do.

The Chairman.  Congratulations.  I yield to Mr. Filner.

Mr. Filner.  Thank you, Mr. Chairman.  And Mr. Secretary and your staff, 
we are all feeling better this morning.  You said, the saints were 
smiling on you.  I guess that was for your service in the Vatican, not 
on the RNC.

Secretary Nicholson.  St. Anthony.

Mr. Filner.  And we are all fortunate of course, we don't have to spend 
the money apparently for credit monitoring.  I was upset about the 
proposal for those dollars from an administration that spends hundreds 
of billions in a supplemental in the war on Iraq, yet wouldn't do a 
supplemental for the veterans, of $130 million.  It was going to take 
money out of food stamp programs or student loans, so I am glad that we 
won't have to argue about that one.  Let's hope that we don't.

And like the Chairman, I thought your statement was very good and 
powerful.  I wrote down some quotes I thought were very welcome here, 
the recognition of real deficiencies, a sense of urgency, the `` wake up 
call.'' I think those are all powerful statements, and I hope that they 
echo through the VA system.

There is a famous quote that says ``Those who cannot remember the past 
are condemned to repeat it.''   I know you all want to look forward and 
clear up some of the mistakes and errors and deal with them.  I still 
think there is a sense of denial, Mr. Secretary.  Mr. McClain just 
referred to this whole thing, as ``the situation.''  Yesterday he called 
it an ``incident.''  You called it a ``wake-up call.''   I call it a 
major disaster.  And I think people have to accept that we may have come 
out lucky on it, but it was a true disaster.  Until people get that, I 
don't think we are going to get the change throughout the system that 
you need.

The timelines that we have looked at have showed some real 
programmatical errors, I think.  And I hope you deal with them.  We are 
grateful that the FBI was able to do something, but from the timelines 
it looks like it took almost a month before they were even brought into 
it.  It maybe would have gone faster, it looked like to me after the 
initial police report there was all kinds of internal stuff and then you 
were notified and you called the White House. And then the FBI, and so 
it took some time for them to even be involved in it.  And I find that 
is a little disturbing, if that is the case.

All right, I would just like to take a few minutes, if I may, Mr. 
Secretary --  but your statement on the `` F''  grades from FISMA about 
``determined to change those''  is again, I think that needs to echo 
through the whole system, and I appreciate those statements.

With regard to the personnel and the errors that were made in the last 
eight weeks, has anybody been given a notice that they are going to be 
fired in this whole process?

Secretary Nicholson.  Yes, sir.  One person has been fired, because --  
he could be fired summarily because he was a political appointee, who 
was the Deputy Assistant Secretary for Planning and Policy.  The Acting 
Assistant Secretary is a career employee and has rights and due process.  
And so through a mutual arrangement, he retired, because he is eligible 
for retirement.  Those are the two senior guys, those are the number one 
and the number two guy in that department.

The person who had custody of the data that was stolen I will tell you 
quite frankly, when I heard about it I said, `` he needs to be fired, 
fire him.''  I was then told `` you can't fire him, but you can put him 
on administrative leave with pay,''  which we did, we have done.  And we 
have initiated a process to have him terminated from federal employment.

Mr. Filner.  Based on what?

Secretary Nicholson.  Based on the advice that I was given that he did 
this in violation of existing policies. And that he acted irresponsibly 
and negligently in having that kind of data, you know, that could be 
stolen.

Mr. Filner.  The reason I am concentrating on this, Mr. Chairman, is I 
think there was an initial sense, what you called the Abu Ghraib 
mentality, to blame it on the lowest person possible.  I would like to 
enter into the record several documents that have been redacted from 
names, so I think it is perfectly acceptable, what is called an 
``employee home use amendment''  to the VA's license agreement for the 
software, that this employee was authorized to have that data at home.  
Also, there is a property pass that was issued to him that he was 
authorized to have the laptop at home.  And a third document, again 
redacted from the names, that he had authority for access to the files.

The Chairman.  Does the gentleman ask unanimous consent that these be 
made part of the record?

Mr. Filner.  I do, sir.

The Chairman.  Preserving the right to object upon further examination -
-  

Mr. Filner.  Sure.  Under the advice of counsel, they have been redacted 
of any personnel specifics.

The Chairman.  I have no objection to entering these in the record.  Any 
objections?  So ordered, they will be made part of the record. 

[The information referred to by Mr. Filner appears on p. 101]


The Chairman.  Mr. Secretary, are you familiar with these documents?

Secretary Nicholson.  No, I am not.  I would like to take a look at 
those if I could.  I have heard about those, but I don't think I have --  

Mr. Filner.  You have heard of them, did you say?

Secretary Nicholson.  I heard that they existed, yes, sir.

Mr. Miller.  Mr. Chairman, can we get copies?

The Chairman.  Yes.

Mr. Miller.  They are all being passed out over here?

The Chairman.  I am not sure.

Mr. Filner.  We will get copies to you.

The Chairman.  Let us allow the Secretary to look at the three documents 
and --  Ma'am, are you passing out the three documents?  All right.

Mr. Miller.  And the minority members have them as well.

The Chairman.  Yes.

Secretary Nicholson.  Okay, all right.

The Chairman.  Mr. Secretary, you are familiar with these three 
documents?

Secretary Nicholson.  I am looking at this document, first time I have 
ever seen it.

The Chairman.  Mr. McClain, are you familiar with these documents?

Mr. McClain.  Yes, sir, generally.

The Chairman.  Generally.  Mr. Duffy, are you familiar with these three 
documents?

Mr. Duffy.  Again, generally, yes.

The Chairman.  All right.  Mr. Filner, you are -- 

Mr. Filner.  My sense is, and you can comment on this, Mr. McClain, that 
the employee was authorized to remove these files, and that was the 
first thing he was going to be removed for.  And gross negligence, I 
mean, he got all the approvals that he was supposed to have, and I am 
told that even in the --  well, I'll ask about this later.

It looks to me that the gross negligence is in the policies.  There is 
no policy.  You have said he violated the policy.  I don't know of any 
policy that he violated.  That is the real negligence, that there were 
no policies.

He notified the police 52 minutes after the theft occurred, according to 
the police report.  And your staff didn't notify you for 6 to seven 
days.  I don't know which is more gross.

Secretary Nicholson.  Thirteen days.

Mr. Filner.  I am sorry, 13 days.  Thank you.  I think there is more 
gross negligence from the uppers than this poor guy at the bottom.  So 
what policy did he violate and why is it more negligent to not tell you 
about what happened and not tell the FBI et cetera, et cetera?

Secretary Nicholson.  Mr. Filner, we have taken these actions and we 
took them based on the reasons that I have given you.  This employee who 
has, you know, rights --  has asserted those rights and he is entitled 
to a hearing and will have that hearing, and that is pending. And with 
all due respect, Sir, I think it would be wise for me not to comment 
further on the disposition of this employee.

Mr. Filner.  I understand that, Mr. Secretary.  I introduced them, again 
redacted for names, to show that we didn't want to have one person at 
the very bottom of the food chain held responsible for the biggest data 
loss in federal government history.  I mean, that is what it is, and we 
are saved by something or other but it is still there. It is still 
happening.  And I guess I would like to ask you, and you don't have to 
answer now, but the powerful statement you made in terms of changing the 
culture, which is still going to be a hard job, but I think you are.  I 
think the Chairman and I would agree that you are doing exactly what has 
to be done, that you have to hold folks accountable for the `` F''  
grades, the previous FISMA things, for the delay in reporting, for all 
that was going on.  I appreciate the one mistake of a good employee is 
not the only thing in this record, but I think you have to make a bolder 
statement about accountability, with some personnel changes, is my 
sense.  You don't have to comment now, but I think our sense of you as 
trying to change the culture would be enhanced by that.

I may say one more thing for the record, the Secretary took the 
initiative just a little while ago, pulling me aside and saying, "let's 
get on a more personal note here.''   I appreciate that very much. I 
think we are both trying to do the best we can for veterans.  I'll try 
to do better in terms of personal actions, but I appreciate your taking 
the initiative, and as always, Mr. Chairman, we are saved by our spouses 
who are working together for the PVA annual gala dinner.

Mr. Secretary, we want to do the best for veterans. We want to help you 
do that job.  You have taken the first step, and we do appreciate the 
announcement today.

Thank you Mr. Chairman.

The Chairman.  Mr. Filner, I do not question the spirit of your personal 
enterprise.  I appreciate the bipartisan fashion here over the last four 
or five weeks that we have worked together, all of us on this Committee 
have worked in a bipartisan fashion.  This really goes back with Art Wu 
and Len Sistek, almost seven years and I think that investment of time 
is paying off dividends.

And Mr. Secretary, I am going to yield to Mr. Brown, but you know, I 
enjoin and affiliate myself with the comments of Mr. Filner.  The 
statement that you give us today compared to the statement that you gave 
us several weeks ago, you cannot compare the two statements.  You came 
in here today as a man in charge.  You told us in response to a moment 
of your leadership that you were going to do that, that you were going 
to exercise leadership and take control of this, give assurances to 
veterans, and make changes to the system.  And you have come in here 
with your bold strokes and bold initiatives and for that you are 
entitled to be recognized.

Mr. Brown, you are recognized.

Mr. Brown of South Carolina.  Thank you, Mr. Chairman.  Mr. Secretary, a 
recent IG report identified vulnerabilities relating to offshore 
subcontractors who have access to VA medical transcription data.  I know 
that you were confronted with this question by Chairman Walsh earlier 
this week.  But this Committee is also very interested in your views on 
the role of offshore contractors and subcontractors and their access to 
sensitive health-specific data on US veterans.  Would it be prudent in 
your opinion to consider contracting limitations for offshore entities 
in order to mitigate the risk of data loss or theft?

Secretary Nicholson.  Thank you for that question, Mr. Brown.  The case 
you are referring to is one that I have looked into.  It was a case 
where we had entered into a contract, the contractor subbed, and he 
subbed to another sub, doing back-office work in India.  The 
Intermediary sub went bankrupt.  Our contractor had paid the first sub 
that went bankrupt, and the working folks in India weren't paid. I go 
into this detail to illustrate the vulnerabilities of this.

So they weren't paid, they came to us.  And they have over 30,000 
entries of sensitive data of veterans that they were working with and 
they said that `` You either pay us or we are going to put this 
online,''  which to me is a microcosm of the vulnerability that we have 
in this whole field, where we give people access to this data that we 
don't know enough about.  Even our own employees, let alone people 
offshore.

So the answer to your question is clearly yes.  We should endeavor not 
to have these contracts end up offshore for that reason, particularly.

Mr. Brown of South Carolina.  How many other contractors are you dealing 
with, Mr. Secretary, besides this one?  Do you know?

Secretary Nicholson.  One minute.  The only one that I know of right 
now, we are looking at this, but there is one other right now and that 
is a contract that we entered into with a company to provide the general 
management of the homes that we repossess under our VA guaranteed loan 
program.  We have a master contractor to go through the foreclosure, 
take possession, refurbish, and remarket those homes.  They do their 
back-office accounting work, have it done offshore.  That is the only 
one that I know of right now.  By the way, we are reviewing that 
contract, because it is coming up for renewal and that is a relevant 
item in that discussion that we are having.

Mr. Brown of South Carolina.  So I guess your opinion, and you are going 
to try to lessen any further exposure by going offshore with some of the 
information gathering?

Secretary Nicholson.  You know it is this globalized digital world that 
we are living but I think it just creates too many vulnerabilities for 
us.

Mr. Brown of South Carolina.  Thank you.  Thank you for your service, 
Mr. Secretary.

The Chairman.  Mr. Brown, I want to yield--but may I ask a follow-up?  
It provides too many vulnerabilities to us?  Following Chairman Brown's 
questioning, this issue about subcontracting and offshoring, 
outsourcing, these present grave concerns to you?  They do?

Secretary Nicholson.  Yes they do.

The Chairman.  Okay.  all right, do we have any of our call centers that 
are subcontracting coming of places such as China?  Are you aware?

Secretary Nicholson.  No, sir.  No, none that I am aware of.

The Chairman.  Is it possible that service centers for your medical 
devices might originate from China?  Is Mr. Howard in the room?

Secretary Nicholson.  I might best refer to Dr. Perlin for a detailed 
answer.

Dr. Perlin.  Mr. Chairman, with respect to medical devices, many of the 
major manufacturers are not American: Siemens, Fujitsu, Motorola, 
Philips, et cetera, if you want any MRI or CAT scan or angiography suite 
or radiology.  I personally am not aware if any originate from China but 
I would not be surprised if some devices are manufactured there.

I would note that the servicing of the device is electronic in 2006.  
And there is interaction with that.  I would have to defer to Mr. Howard 
for any further elaboration.

The Chairman.  Mr. Howard?

General Howard.  Sir, I really can't add any more to that.

The Chairman.  All right.  Well, I think if you take a look, you are 
going to find out perhaps that it may be true that one of the service 
centers for one of your medical devices comes from China.  As the world 
gets smaller, the more we are interconnected, and then as we seek to try 
to protect our veterans I think we are going to find we have some 
serious problems.

Ms. Brown?

Ms. Brown of Florida.  Thank you, Mr. Chairman, and thank you for 
holding this hearing.  Yesterday, I had the pleasure of meeting with the 
Veterans Widows International Network.  I am looking forward to working 
with them, but as we move forward for the Independence holiday, we 
cannot forget why we are here, and we are here all of us to serve the 
veterans.

And Mr. Secretary, in your testimony you stated that you have just 
issued a memorandum that all functions lie within the CIO.  Which 
guarantees will you make that the lawyers will not get involved and rule 
the exact opposite like what happened to your predecessor?

Secretary Nicholson.  If I understand your question correctly, Madame 
Congresswoman, my answer is yes, that is the purpose, is to centralize 
this, and to have residing with the same person, and not just 
responsibility but the authority.

Ms. Brown of Florida.  Yes sir, I understand what you are saying.  But 
what I am saying is that your predecessor did the exact same thing: 
issued the memorandum saying that that person had the responsibility, 
but the lawyers ruled just the opposite.

Secretary Nicholson.  I am with you now, and that has changed.  We have 
changed that.  We moved these people to come under the CIO.  A lot of 
objection, debate, just we have done it.  And they now are under that 
Chief Information Officer.

The Chairman.  Mr. McClain, could you help and be responsive to the 
gentle lady's question?

Mr. McClain.  If I understand the question correctly, is that the 
Secretary ordered a directive and then my office, as Office of General 
Counsel, would say that it was invalid or ruled differently?

Ms. Brown of Florida.  Yes, just the exact opposite.

Mr. McClain.  Mr. Chairman, I would basically rely on my testimony from 
last week, where this was gone into in depth as to exactly what that 
opinion was.  And both opinions from 2003 and 2004, essentially, was in 
a nutshell an interpretation of FISMA and what could be delegated.  And 
this delegation memo that we have here today is actually what was 
delegated under FISMA.

Ms. Brown of Florida.  I have a follow-up question for you.

Mr. McClain.  Yes, ma'am?

Ms. Brown of Florida.  In reading the information, what was passed out 
as far as the employee that took the information home and had clearance 
to do that, a memorandum, and also directly afterwards, reported that it 
was stolen, I mean, just right away, but this is a person that is going 
to be fired, can you clear that up for me?  Because I can see that we 
are headed to a lawsuit with this, because he had permission, and he had 
it in writing, a memorandum.

Mr. McClain.  First, I am not going to comment directly on pending 
personnel action for this employee, because it is still pending.  There 
has been no final decision made in this employee's particular case.  But 
the documents that were presented by Mr. Filner, one being a 
justification for access to Social Security numbers, that would be part 
of his job to look at those.  Another one is an employee license to have 
software at home, and the other one is a laptop property pass that does 
not relate to this laptop.

Ms. Brown of Florida.  That's your answer?

Mr. McClain.  Yes.

Ms. Brown of Florida.  Well I guess, you know, I am not a computer geek, 
but it would be no point in using the software at home if you know, you 
couldn't use it.

Mr. McClain.  Yes, ma'am, I understand that once again I would like to 
say that the process is continuing, and for the integrity of indeed this 
due process that the employee is entitled to, I can't directly comment 
on the pending personnel action.

The Chairman.  May I?

Ms. Brown of Florida.  Yes, sir.

The Chairman.  We are in a touchy area.  My colleagues, What I feel a 
little uncomfortable with is that we interviewed this individual.  The 
Counsel for Minority and Majority, along with the staff directors of 
oversight, interviewed the individual.  And these were some of the 
documents, and I am a little uncomfortable for us to move this into the 
public arena, because this individual has rights.

Ms. Brown of Florida.  Yes.

The Chairman.  Ms. Brown -- 

Mr. Filner.  If I may -- 

The Chairman.  Yes.

Mr. Filner.  Ms. Brown, the particular property pass Counsel referred to 
was just one of a series of authorizations that the employee had.  I 
don't know if the number of this one matches, but there were a series.  
Certainly he believes for several years that he had the authorization to 
take it home.

Ms. Brown of Florida.  Just a follow-up question then, with the 
Secretary.  Mr. Secretary, I know that everybody is breathing a sigh of 
relief, but I want to know whether or not we are going to continue to 
monitor the situation to see whether or not the integrity of the 
information that was out there, are we still going to give the veterans 
the assurances that we are going to monitor the credit reports?  I mean, 
where are you with this?

Secretary Nicholson.  Well, I think that is a very fair question. You 
know, it is dynamic.  Things are happening even since we have been in 
this room. But my feeling about it right now is that we should engage 
the unique capability that we have to see if data are being exploited.  
That is not relatively expensive to do that, and we could do that, and 
then I think we ought to keep an eye on, to make darn sure that this 
data has not been exploited, or has not, you know, been copied, which 
would be subject to being exploited.  And I think we need to remain 
vigilant.

Ms. Brown of Florida.  All right.  Thank you, Mr. Chairman, Mr. 
Secretary, I yield back the balance of my time.

The Chairman.  Thank you, Ms. Brown.  My colleagues, the Secretary is 
accompanied by the Deputy Secretary.  Two of the Under secretaries could 
not be here.  So we have his Assistant Secretary.  Sir, what should I 
say?  You haven't been confirmed by the Senate, and that is why you are 
not at the witness table.

The reason we have them all here is for you to be able to ask questions.  
As we learned from the Under Secretary, the CIO did not have certain 
authorities to enforce. Therefore the enforcement of all these 
directives and rules really lay with these gentlemen.

Chairman Miller, you are recognized.

Mr. Miller.  Thank you, Mr. Chairman.  Mr. Secretary, is somebody from 
the Board of Veterans Appeals involved in looking at the security 
issues?  And the reason I raise the question is that many of us recall 
several years ago that an employee from VBA was found to have many files 
in boxes in their garage.

Secretary Nicholson.  Yes.  Judge Terry has been involved in the many 
meetings we have had on this.  I will say that they do have a program 
whereby they take files home, the judges.  But we have looked at it very 
carefully, and it has been prescribed, it was authorized, and they are 
in locked containers en route.  They are to be put in locked containers, 
when they are not being worked on at the residence, and in locked 
containers coming back.  We have made a few spot checks on that, and it 
looks like there is good compliance on that.  So we have not made that 
change.

You noted in my testimony that with respect to the Veterans Benefits 
Administration, they were taking files home for adjudication.  I have 
stopped that because it was not tight enough.  So we are, they are very 
engaged with us on this and I think, you know, getting the message as 
well.

Mr. Miller.  Going back to the backup tape, is it assumed missing or 
potentially stolen?

Secretary Nicholson.  I think that is an open question.  I would ask 
General Counsel, do you have a view?

Mr. McClain.  [Inaudible.]

Secretary Nicholson.  We are captioning it as being missing.  It is 
missing, and the IG is investigating it.  I don't know.

Mr. Miller.  And I asked the question that way because I think if you 
were framing it that you think that somebody took it, that the chances 
would be different from the laptop scenario, where it just happened to 
be that somebody took a laptop that had the data on it, versus somebody 
knowing that they have now in their possession a backup file and you 
could --  I would assume that something nefarious would be intended with 
that information.  And so I was wanting to know, you know, at what point 
do you treat it differently from being stolen, to missing?

Secretary Nicholson.  I don't think we treat it very differently.  We 
are notifying all the people involved.  We are setting up credit 
monitoring for them.  I don't think with respect to the effect of people 
that it makes much difference.

Mr. Miller.  And back to the records that the Chairman was referring to 
that were entered into the record, the three documents.  Is there 
anything in these three documents that indicates --  not gives the 
impression or not gives an assumption, but indicates that the employee 
with these documents had the ability to take home that information?  I 
don't read that, but I am just wanting to know if there is anything in 
here that I am missing.

The Chairman.  Does the gentleman mean ability or authority?

Mr. Miller.  Either.  Obviously, he had the ability.

Mr. Filner.  Would you yield for a second, Mr. Miller?

Mr. Miller.  No, sir, on my time, and I would like to hear the 
Secretary.

Secretary Nicholson.  Chairman Miller, I am going to demur.  This is a 
pending personnel action, and I think for the protection of the affected 
employee and the integrity of the system, that we probably shouldn't 
discuss this any further than we have.  He is going to have a hearing, 
and a fair hearing.

Mr. Miller.  And as he should.  You know, it is unfortunate that in this 
entire incident that you had an employee that had he not come forward 
and said that he had this information on this laptop, VA may never have 
known that it was on the laptop.  They may have known that the laptop 
was gone, but not that the information was.  And I am glad to hear that 
he will get the due process that is due. And I yield to my friend Mr. 
Filner.

Mr. Filner.  I just wanted to point out that one of the forms says `` 
home use,''  authorization for home use.  And the other one says a 
property pass to take home.  

Mr. Miller.  -- reclaim my time.  Well, on the license agreement, and 
this gets outside of that so this is not the employee in particular.  An 
employee that is there today has this signed, the software.  Is there 
anything this software is used for other than --  I mean, other data 
that is in it, could it be used for something else?  I am just trying to 
get to the fact that I think this is a stretch, and I am wanting to know 
if the software can be used for anything else other than what he was 
using it for?  Other data collection?

Secretary Nicholson.  Well, I will give you, you know, a general answer 
that yes, I mean, the software has different applications that would 
make it available for different kinds of use and collations.

Mr. Miller.  Thank you, that answers my question.

The Chairman.  Chairman Miller, would you yield for just a second?

Mr. Miller.  Yes, sir.

The Chairman.  Mr. Secretary, you notice that members have been asking 
questions about the firing of the employee. I would also note that your 
testimony, well, actually, while you were waiting to testify on the 
second panel before the Appropriations Subcommittee, that expert 
witnesses talked about their concerns about immediate firing of 
employees, that it could have a chilling effect with regard to future 
losses of data.

I would note that the case that you discussed here today with regard to 
Minneapolis was a case whereby you were not notified through internal 
sources.  You testified to us that it came from a postal inspector.  So 
I think what you are finding is members have concerns here in how, as 
the man in charge, you want people to be able to tell us what the 
vulnerabilities are, and what has gone wrong; if something is lost, 
please tell us.  If they feel that they will lose their job because of 
it, we may never know, and the vulnerabilities could hurt our veterans, 
and I think that is what I am sensing from the questions of Mr. Miller, 
Ms. Brown, and some others.  I just wanted to note that to you, Mr. 
Secretary.  Yes, I yield back to the gentleman.

Mr. Miller.  Thank you.  One other question, are you aware your cyber 
security chief is resigning as of today? And if so, do you know why?

Secretary Nicholson.  Am I aware that my cyber security chief is 
resigning today?

Mr. Miller.  Yeah, is there any truth to that?

Secretary Nicholson.  I am not aware of that.

Mr. Miller.  Is anybody at the table aware of that?

General Howard.  The answer to that is yes, sir.  We were notified 
today.

Mr. Miller.  And the Secretary wasn't?

The Chairman.  You didn't tell the Secretary?

General Howard.  I told the Deputy as he came in.

Mr. Miller.  No further questions.

General Howard.  I got an e-mail about half an hour ago that it was 
official.

The Chairman.  Wait a minute.  Mr. Miller, you still have the time.

Mr. Miller.  I yield to you, Mr. Chairman.

The Chairman.  Thank you.  Your CIO has resigned, your Chief Information 
Officer resigned not long ago.  Now your cyber security man has 
resigned.  Mr. Howard, do we know why the CISO has resigned?

General Howard.  Sir, about two weeks ago he gave me a letter of 
recusal, that he was thinking about leaving.  I convinced him to take it 
back, you know, that we needed his service and all of that.  And just 
the other day, he handed me another one with no date as to when he was 
going to resign.  And as I mentioned, you know, I just got an e-mail a 
while ago that it is effective.  I think the date on my e- mail was 13 
July or something like that.  As far is I know, it was due to pressure 
on his family due to what has been going on.  You know, he has been 
working extremely hard.  He has been in charge of the forensic work, for 
example, that has been going on, working very long hours. They are all 
under a great deal of pressure, you know, to get at the details, produce 
the facts.  And I think most of it was family, but it was probably just 
the work environment as well.

The Chairman.  All right, Dr. Snyder, may I ask a question, or Mr. 
Miller?

Have you informed the Secretary?

General Howard.  Sir, I told the Deputy Secretary.

The Chairman.  Have you informed the Secretary, Deputy?

Mr. Mansfield.  No, sir.  I heard it in the hallway on the way in here.

The Chairman.  All right.  Mr. Secretary, you are now informed.

Mr. Mansfield.  I wasn't sure if it was official.  I was trying to get 
that information.

General Howard.  Sir, it was official -- 

The Chairman.  All right, let me just ask.  Mr. Miller, may I continue?

Something deep inside here is telling me something, that there have been 
meetings at the table; the CIO, the former CIO, Mr. McFarland, didn't 
get along too well at these meetings at the table.  He tried to perfect 
some changes.  He ended up making a professional judgment to leave.  We 
now have the CISO, who has now resigned.  Regarding this memorandum, Mr. 
Secretary, that you have issued, did the CISO participate in the 
drafting of this memo, or give input with regard to this memo over 
security matters it VA?

General Howard.  Sir, I am not sure if he was personally involved, but I 
definitely know his people were. I can get you the answer to that and 
they --  

The Chairman.  You know, I really can't blame the guy for resigning.  If 
I were the man in charge of security for a department --  that is 
exactly what the Secretary has asked of me --  and have not been invited 
to be at the meeting of the drafting of the security issues on behalf of 
the Secretary?

Let me ask this, Mr. Secretary: who was in charge to help put this 
matter together for you?

Secretary Nicholson.  This was a collegial effort between myself, the 
CIO, the Deputy, the General Counsel, our consultant, Mr. Romley.  There 
were a lot of people involved in this.

The Chairman.  All right, thank you.

Secretary Nicholson.  But I would say, Mr. Chairman, I would not be 
surprised if there aren't other people that resign, because the world is 
changing over there.  And these two and I think there might be other 
people that will resign.

The Chairman.  Well, I don't doubt that.  Mr. Miller's question here --  
I thank you for bringing this to our attention --  but if it is the 
people of whom are supposed to be perfecting these changes, who are 
fighting against the culture and they are the ones who are leaving, 
maybe the wrong people are leaving.  I yield back to Mr. Miller.

Mr. Miller.  I yield back Mr. Chairman.

The Chairman.  Dr. Snyder, you are recognized.

Mr. Snyder.  Thank you, Mr. Chairman, and thank you for your work on 
this.  I have been unable to attend all the hearings we have had because 
of the Armed Services Committee has been often at the same time, but I 
appreciate the hearing.

I had one little detail question, Mr. Secretary.  When I arrived today 
or several of us arrived today at the beginning of the hearing, we had a 
bit of a circus going on here with you talking into a microphone and 
holding a mini press conference.  In your opening statement you said 
someone asked you to take the microphone and make some kind of 
informative statement.  Who asked you to take a microphone and make a 
statement?

Secretary Nicholson.  I don't know.  Some person from the press, as my 
press person was coming down the hall, said `` they were going to ask 
you to make a statement when you step into the room about what has just 
unfolded with respect to the data.''

Mr. Snyder.  What is the current status, as I assume you are in the same 
boat that we --  I assume you have one of your letters --  

Secretary Nicholson.  I did, yes.

Mr. Snyder.  I got one too.  I appreciate you sending it to me.  What is 
the status, though, that was mentioned, you know, I guess from Mr. 
Filner, about credit reporting? You have publicly announced that 
veterans would have some kind of monitoring of credit reporting, and I 
expect there are veterans that have relied on that information at some 
point along the way.  Have you made any kind of announcement or decision 
about where we are at with regard to the announcement you made recently 
with the credit reporting?

Secretary Nicholson.  Where we are with that, sir, is we are writing the 
RFP right now, put that out for bids, for the companies that provide 
that service to bid on.  There are certainly three of them: Trans Union, 
Esperion, and Equifax --  

Mr. Snyder.  Are you moving ahead with that, or are you under discussion 
now of not moving ahead with that in view of the fact that the computer 
was found?

Secretary Nicholson.  That was a question I think was asked the little 
while ago.  You know, a lot has changed this morning.  We have been 
pretty focused on this hearing, but my internal sense is telling me 
right now that we ought to definitely go ahead with the capability that 
is out there to analyze data to see if they are being exploited.  That's 
relatively inexpensive.  And continue to, you know, to verify and see if 
the FBI and these people are conducting these forensic analyses have a 
high enough sense of confidence that this has not been used, that we 
need not do it, while having that other screen out there looking to see 
if anything pops up, and they have a pretty good way of telling whether 
a collective amount of data is being used.

Mr. Snyder.  In the memorandum of June 28, your memorandum, Mr. 
Secretary, which seems to be very thorough in the way you all put it 
together, but there is an itemized list of what is delegated.  And you 
say, `` this includes but is not limited to the authority to.''    Give 
me a few examples of some things that are not on the list, you know, 
that phrase `` is not limited to'' ?  What are some things that are 
beyond what is on the list of delegated authority?

Secretary Nicholson.  Could you point to -- 

Mr. Snyder.  Says number two, Delegation, ``This memorandum delegates 
the Assistant Secretary for IT complete responsibility and complete 
authority for enforcement of information security policies, procedures 
and practices. This includes but is not limited to the authority to.''

What are some examples of some things of authority that you are 
delegating but is not in this itemized bullet point list?

Secretary Nicholson.  I think that language is somewhat boilerplate-ish 
in that I intend for this to be expansive or, you know, not to be 
inclusive, but to be exclusive, to --  I want the Assistant Secretary 
for IT to feel empowered in a broad way, and not a narrow way.

Mr. Snyder.  Is there any discussion -- I know you have been in the 
crisis mode here for several weeks.  Is there discussion underway, 
currently with regard to this issue that has come up before, about when 
and if both the military and Veterans Affairs Department is going to 
abandon the use of Social Security numbers as an identifier?

Secretary Nicholson.  Yes, we had a lot of discussion about that in this 
crisis that we have been in.  I can't tell you I am too sanguine about 
it, because you know, to be a veteran you have to come through DoD, and 
on every dog tag and --  I have got an ID card in my wallet, that has 
got my Social Security number and on it, military ID card --  

Mr. Snyder.  Yeah, but we are of a different generation, Mr. Secretary -
-  Ms. Herseth and Mr. Michaud --  my service number was not my social 
number --  1969, I finished my --  I enlisted in 1967 I have a service 
number that is --  I still remember, but is not my Social Security 
number, and in 1969 the change was made from the Social Security number, 
and what can be changed one time can be changed back.  But I agree there 
clearly will have to be a coordination, potentially with the military 
about that, and that maybe something that ought to get --  I assume you 
all are having discussions.

Secretary Nicholson.  We are, and certainly we are not rigid on it.  We 
could deal with the different identifier.

Mr. Snyder.  My last question is totally apart from all of this 
discussion here which you have been focused on now for weeks.  I want to 
be sure we are not losing track of anything else.  What is the number 
two thing that keeps you awake these days with regard to what's going on 
with veterans? If you didn't have all this computer business and cyber 
breaches, what is the number two thing on your list that is important to 
you and important to this Committee also?

Secretary Nicholson.  Well, I can only be kept awake once, you know, one 
night at a time, and this has been doing it.  I think it is our --  the 
job that we need to be doing for the returnees from the combat area, 
that we are doing the transition effectively, seamlessly.  You know, we 
have a growing number of trauma patients and --  and our polytrauma 
centers are performing.  That is something that I think about a lot.

Mr. Snyder.  Thank you, sir.  Thank you. Mr. Chairman.

The Chairman.  Thank you.  Chairman Boozman?

Mr. Boozman.  Thank you, Mr. Chairman. I also was pleased, as the 
Chairman and Ranking Member mentioned, that you were saying --  things 
like `` wake-up call,'' and `` lightning rod,''  these are truly the 
kind of rhetoric that I want to hear.  And not just the rhetoric, but it 
looks like you are doing what you need to do to get things in place.  
The VA has done such a good job of switching over, as you mentioned, we 
are the model for trying to get our records this way.

I think we are almost missing the forest for the trees though, in the 
sense that this is a problem in the VA, but it is a huge problem in 
government in general.  And I hope that as you are around those cabinet 
meetings, envisioning with the President, envisioning with your cohorts 
in the other agencies, that there is some coordination, that this is a 
problem that is not going to go away.  That as we do a better job of 
getting our records, and data like this, we are much more in advancement 
of doing that, versus the security.  A few years ago, if you were to 
take that information home, you would need a van to haul the computer 
in.  A few years before that, you would need maybe even semi loads or 
tractor-trailers, to get that information home. As you mentioned in your 
testimony not too long ago, that data, I think, you said five times that 
data now could be just on, basically a card.

So I guess the question I have got, alluded to you laying awake at night 
and you are responsible --  we are ultimately responsible, in this 
sense.  I am laying awake thinking about lots of different things.  Who 
is the guy now, you are responsible.  Who is the guy in the VA that once 
this settles down --  and it will settle down, and, we will get this 
fixed --  what position, who is the guy responsible for moving this 
thing forward?  What position is that?  Who is the person in that role 
now? Who will we look to in the future?

Secretary Nicholson.  It is the Chief Information Officer, and that is 
Major General Bob Howard, who is the Acting Assistant Secretary for 
Information, and in a pending confirmation.  He has had a distinguished 
career in the military, he has had a rich background in IT, was a math 
professor at West Point, and is a highly qualified, highly motivated 
person.  We are very lucky to get him, and we got him out of private 
industry to come in and do this.

Mr. Boozman.  I guess my next question would be --  legislatively, has 
he got all the tools that he needs to do his job?

Secretary Nicholson.  Well, I think collectively we don't.  That is, 
this agency and I would say probably that about other departments of the 
government, serving on the President's task force on identity theft.  I 
think that we need some more legislation.  I mentioned in my testimony, 
I think we need to change the teeth for violations of the privacy act 
and make them comparable to those of HIPAA, because there is a real 
sensitivity about HIPAA.  In fact, when I first came in to this job 16 
months ago we were done having trouble getting medical records from the 
Department of Defense because of HIPAA.  And we needed them to treat the 
people they were protecting.

And they were, you know, they were in good faith on that.  They felt 
that was a problem.  We need, I think, some legislation to enable us to 
get what I call clearances for these people.  More background checks, 
which is also going to cost more money.  I think we could use some new 
law on personnel dispositions, you know, we can debate the disposition 
of this person that we have debated around here, but I think that 
managers of these agencies, like I am, need more prerogative.  We talked 
about changing the veterans' ID system, we just talked about it, I think 
that is something that we ought to look at, and I think that FISMA needs 
some changes to give more enforcement power to the Chief Information 
Officers.  Like ours.

Mr. Boozman.  Very good.  Well again, we are responding to this crisis.  
And hopefully the silver lining is, in all this, that we really can, 
through our Committee, and, whoever else we need to involve, can give 
you the tools to get the job done.

And then again, I really would encourage you to have an individual who 
is responsible in the VA.  We really need an individual that has 
significant authority with the administration, to coordinate this among 
the agencies, because the other side is, we are going to wind up 
spending, hundreds of millions of dollars on this, probably agency-by-
agency versus coordinating --  because we all have the same problem.  
And so I would encourage you, as you have the President's ear, to really 
push him in that direction.  Thank you.

Secretary Nicholson.  Yes sir.

The Chairman.  Ms. Herseth, you are now recognized.

Ms. Herseth.  Thank you, Mr. Chairman.  And I thank Mr. Michaud for 
allowing me to pose some questions in the essence of time for other 
committees that many of us must get to before they wrap up.

Mr. Secretary, I will just associate myself with the comments of many on 
both sides here about appreciating the memorandum, your testimony today. 
Can you tell me about when exactly the police or the FBI recovered the 
laptop?  Was it just yesterday, do you know precisely the date it was 
recovered?

Secretary Nicholson.  It was yesterday.

Ms. Herseth.  And all the data that we were concerned about was on the 
laptop?  It wasn't an external hard drive as well that perhaps wasn't 
recovered?  It was everything that we thought had been compromised we 
know have back on the laptop?

Secretary Nicholson.  Madame Congresswoman, most of the data was on the 
hard drive.  But we have both of them, we have the laptop and the hard 
drive.

Ms. Herseth.  And the hard drive, okay.  And I am going to submit a 
question for the record before I have to leave, to all the Under 
Secretaries that are here, and the Deputies as well, based on some of 
the questions we have posed over the last couple of weeks to other 
witnesses on different panels.

But let me ask you this, Mr. Secretary: a few people have asked about 
the credit monitoring, the fact that we have let veterans know we are 
going to do this one year of free credit monitoring.  And I know that 
some might contend that things have significantly changed in light of 
yesterday's development.  I don't think so.  I would like to think so, 
but when we have incidents in Minneapolis and Indianapolis, when some of 
the questions that have gone to whether or not the employee in question 
here had authorization or not, I have this great fear that there is data 
floating around out there, whether it was authorized to be taken out or 
not.  And in the case of the Minneapolis case it was last year and you 
weren't made aware of it until recently.

And I agree with the Chairman.  I just think you came into a tough spot; 
at times you haven't been served well, and I would contend that we 
should continue and move forward.  Even with the cost of offering one 
year of free credit monitoring, to put people's minds at ease, as you 
make this ID IT realignment.  Would you at least be open today in 
responding that you will fully consider continuing to offer the one year 
of credit monitoring in light of these other instances of potentially 
compromised data, particularly in Minneapolis when it looks like maybe 
two individuals whose paper files were taken out may be defrauded?

Secretary Nicholson.  Well, so noted, Congresswoman. With respect to 
Minneapolis, the 66 people there, they are going to get credit 
monitoring.  The 16,500 in Indianapolis, they will get credit 
monitoring.  As to this big thing, I am going to reserve judgment.

Ms. Herseth.  But let me just rephrase.  You have not made any final 
decisions as of today that you are not going to continue to pursue the 
RFP, and put this out to bid, and offer credit monitoring?

Secretary Nicholson.  No, I have not.

Ms. Herseth.  I would just suggest to my colleagues on the Committee 
that there is some potential risk, some huge risk that continues to be 
out there, and we should also consider whether or not the entire 
universe of veterans' data that is held at the VA, that one year of free 
credit monitoring to all of our veterans might be in order.

But anyway, let me just pose this before having to depart:  I think now 
we have the memo that delegates clear authority to the CIO and now that 
we have contractors that you described, that are going to help move this 
IT realignment forward; the question that I would pose, and would hope 
that each under secretary could submit to the members of the Committee, 
timely, is how do you think things are going to go differently now.  I 
don't want there --  none of us want there to be, as Mr. McFarland 
described yesterday, these disagreements with any of the recommendations 
for how to go forward with IT realignment, or disagreements with the 
memo.  We are here now.  We have the memo.  We have the contractors to 
move forward with the realignment.  So how will each Under Secretary do 
things differently than they did before in ensuring that compliance 
moves forward, that the recommendations are implemented, and that we 
don't have inaction in response to disagreements that continue to exist?

Secretary Nicholson.  I think that is a very good question.  And things 
are already happening, and differently, and I mean, I told you that we 
moved 4,610 IT people out of their, you know, comfort of their present 
work cocoon into a new department.  There is a great amount of 
uncertainty and anxiety that goes with that, and we are trying to leaven 
that with the fact that we think we are going to be better off because 
they are going to become professionals in their own career field which 
we are establishing.

And that has the full credit and support of the three Under Secretaries, 
you know, the three operating arms of the VA: medical, benefits, and 
burials.  They are strongly supportive of that.  They also of course --  
I think they would tell you --  had a lot of these meetings that we have 
had, they have been charged to be very, very vigilant.  We have the 
Chief Information Officer, has now, you know, a great deal of authority 
and responsibility, but they are in the loop as well, when it comes to 
enforcement of transgressions of their people.  And answerable to me on 
that.

But I think the transcendent point is that there is en route a new 
culture.  And there is a big need for that, frankly, and you know, it is 
my job to make sure that that progresses and happens.

Ms. Herseth.  Thank you, Mr. Secretary.  Thank you, Mr. Chairman.

The Chairman.  Ms. Herseth, in regard to your questions to the Chair, 
Mr. Secretary, it is worthy of your consideration for an IDIQ contract, 
whereby you can award a contract based on quantity and usage. Therefore, 
you should consider placing this in your budget, while you are getting 
hold of this one, knowing that we already have some present data losses, 
whereby a contract can be ordered.  You might be able to access this, 
because I think we are going to have some other breaches, until we can 
come into full compliance.

And probably that would be my recommendation, rather than just awarding 
it to everyone.  But you are going to have to come up with a budget 
number and request for proposals, most importantly to put the veterans 
in good stead.

Mr. Bradley, I thank the gentleman, and I yield.

Mr. Bradley.  Thanks very much, Mr. Chairman, and thank you, gentlemen, 
and certainly Mr. Secretary, Deputy Secretary Mansfield, for the 
forthright way that you have answered the questions today, and the 
leadership that you have shown to try to deal with what has had to have 
been an extremely difficult situation for all of you personally, and 
certainly for the 26.5 million veterans.

I apologize if this question has been answered.  Like Dr. Snyder, I was 
at an armed services hearing on the Sarin containers that were found 
recently in Iraq and trying to be in two places at once.

Did you describe how the computer was actually found, how the FBI --  I 
assume you said was the FBI found it?

Secretary Nicholson.  Congressman Bradley, I cannot detail, because one, 
I don't know.  And two, the FBI, when I talked to them last, which was -
-  well, I talked to the Deputy Attorney General before the starting of 
this hearing this morning, and there have been a few developments since 
then, like an e-mail from an FBI spokesman, you know.  I don't know if 
you were here or not, but it said that it appears that this data has not 
been exploited in any way.  We sure hope that is true.

What I have been told is that there have been no arrests made, that this 
data was provided to law enforcement and that the reward is operative.

Mr. Bradley.  And at least at this point in time, and my last question 
is, you are reasonably certain, based on what the FBI has told you, that 
the hard drive was not breached in a way that would have revealed the 
data?

And how long do you think it will be until you are more certain, and 
reasonably certain?  Or is there no way to even know that at this point?

Secretary Nicholson.  Whether or not you can know this with 100 percent 
certainty, I don't know.  I will tell you what I do know.  And I was 
told by the Deputy Attorney General with whom I spoke just before coming 
here, and I asked him the same questions that you are asking me about 
the timing on the analysis by the forensic experts.  He said that it 
will be soon.  He also said there was a reason to be optimistic.

So I asked him to follow up and I got no further details, but he did 
say, on the timing, he did say it would be expressible in days, not 
weeks.  Since we have come here we have gotten this e-mail from this FBI 
spokesman.  So, you know, that leads me to believe that they have gotten 
pretty conclusive about how they feel about.

Mr. Bradley.  And my last question, when you have determined as 
conclusively as you are able to conclude okay whether the data has been 
breached, and the 26 million veterans either have to continue to worry 
or not worry, are you going to do another letter and inform them of the 
status of, you know, the information?

Secretary Nicholson.  That's a good question, and I honestly haven't had 
time to think about it.  We have been thinking about the credit 
monitoring question, but the letter is provoking.  I will think about 
it.  Thank you.

Mr. Bradley.  Very good.  Thank you.

The Chairman.  Thank you.  Mr. Michaud?

Mr. Michaud.  Thank you very much, Mr. Chairman, for having this 
hearing, and your continued interest in looking at this issue.

And I want to thank you, Mr. Secretary, in coming before this Committee.  
I also appreciate the focus you are now giving this issue and your 
willingness to keep the Committee up to date on the progress that is 
being made.  A couple of questions, and you mentioned something here 
earlier today in previous meetings that relate to what Mr. Filner had 
brought up earlier that you are disappointed that you did not fire the 
employee immediately, that you needed more prerogative.

But looking at the documentation Mr. Filner had presented, it is clear 
the employee, had home use, he had a license for the program, he had 
authorization to remove the computer and accessories.  It looks like the 
employee was doing his work.  I guess the concern that I have is that in 
your statement a little earlier, that you need more prerogative, is that 
an individual who was authorized to work at home is being used as a 
sacrificial lamb to cover the gross data security problem at VA.

You know, civil service laws exist, Mr. Secretary, for a  reason.  They 
exist to protect career civil servants from being political scapegoats.  
I view this as a leadership failure.  The data breach is the fault of VA 
leadership, for failing to implement the necessary data security 
measures that time after time after time have been recommended by the 
Committee, by the IG, and by the GAO.  It is the leadership where the 
failure is at.  And I do not think you need any more prerogative to do 
what you have to with that leadership.

As far as using this one employee as a scapegoat or firing, I think that 
is more bad judgment after bad judgment.  My concern is, what is going 
to happen here on out for other employees who are authorized to bring 
work home and are broken into and equipment is stolen? It is going to 
lead to them not actually reporting it.  So I do think you have the 
prerogative, because I believe a lot of this failure is at the top 
level.

My question is -- a couple of questions.  Dealing with the $131.5 
million that is going to be used for the credit monitoring, and it looks 
like that might not be used, but if you still have to use it, 
whereabouts is that going to come from within the VA budget?  What 
programs will have to sacrifice because of themoving of the funds?

Secretary Nicholson.  Twenty nine point five million of that will be a 
program that come from the VA, Congressman Michaud.  And that will come, 
if it comes, from unexpended funds in the VBA, Veteran Benefits 
Administration.  They are ramping up, but they are --  had some savings 
in there.  Many of the hires that they have made have been more junior 
pay grade than anticipated, so there has been a savings there. Plus, 
there is some lag in the training cycles, put these people in, that has 
saved some payroll expenses.  And the combination allows us to make that 
transfer out of there without any diminution of services, or diminution 
of hiring in the VBA.

Mr. Michaud.  When the budget is put together, are you fully funded for 
all the positions you are authorized to have, even if they are vacant?

Secretary Nicholson.  Are we fully-funded for all VISNs?

Mr. Michaud.  The headcount that the VA has, are those, when you submit 
your budget, when you get your budget, are those position counts fully 
funded?  Even if they are vacant?

Secretary Nicholson.  In the VA?

Mr. Michaud.  Anywhere within the VA system.  If you have headcount --  

Secretary Nicholson.  If I understand your question right, I think the 
answer is yes, referring to our VERA allocations to the VISNs; yes, we 
look at the positions in those VISNs and allocate that money thusly, 
which is based on the veteran population count, you know.  So yes, the 
answer is yes.

Mr. Michaud.  I only received the memo today, that was handed out 
earlier this morning.  Not having a chance to compare this with what 
former Secretary Principi had done, I thought, if I remember correctly, 
what the former secretary did was similar to this.  How does what you 
are doing today differ from what former Secretary Principi tried to do?

And the second part of the question is, in this memorandum have you 
given all the authority that you are legally able to give over to the 
information officer?

Secretary Nicholson.  Yes, I have, in answer to the last part of your 
question first.  Secretary Principi issued two memoranda in this regard, 
that were pretty much disregarded.  There was also a disagreement 
between the Secretary and Secretary's office and the General Counsel's 
office about the delegation, and whether the delegation was operative, 
and effective, and permissible.   That is not the case.  This is --  
gone over this very carefully.  The General Counsel is in concurrence 
with this.  This is a stronger, clearer delegation of both 
responsibility and authority. And there is a great amount of command 
emphasis on this.

Mr. Michaud.  Okay, I don't know if this is a question for you, Mr. 
Secretary, or Mr. Howard, but as Acting Assistant Secretary of 
Information Technology, does the Secretary's letter, Mr. Howard, from 
yesterday, delegate authority for --  to you, that applies to you fully, 
or are there legal limitations, because you have not been confirmed by 
the Senate?

Secretary Nicholson.  I will go, then I will ask Bob Howard if he would 
like to comment.  I need to point out that on the enforcement part, with 
regard to people who are not in his command, that belongs to the Under 
Secretary.  So they, that has to be a communication between the CIO and 
them.  And I am looking to them, then, to do the enforcement.  So that 
is a power he doesn't have from this.

With that, I would ask him, do you have anything to add, Bob?

General Howard.  Sir, I have the letter from the Secretary designating 
me Supervisor of the Office of Information and Technology, and to do 
what I need to do, and that is what I intend to do.

Mr. Michaud.  Even though and you haven't been confirmed by the Senate 
as an Acting Assistant Secretary?

General Howard.  The letter gives me all the authority I may need.

Mr. Michaud.  Thank you.  My last question, Mr. Secretary, deals with an 
issue that actually came up at one of the other hearings we had earlier 
from a former employee of the VA when you look at the failing grades, so 
to speak, of the agency.  When you deal with security and data issues, 
that former employee thought that VA failed I think 16, or can't 
remember how many areas, and that there should be no bonuses given out 
to the folks who are within the agency. You have the authority to give 
bonuses.  I don't know if you heard the testimony on this issue, but, 
what are your comments on that?

Secretary Nicholson.  I didn't hear that testimony but I guess whoever 
you are talking about, I agree with and I testified to that in my 
opening statement.  I think that is another way to put some teeth into 
this, into this cultural change that we need to make, as it will pinch 
them in the pocketbook as well.

Mr. Michaud.  So is it your intention that any time, if the Inspector 
General comes up with a report, and you have failed, that you will not 
be giving any bonuses?

Secretary Nicholson.  It is my intention to look at each of those cases 
with that in mind, yes, sir.

Mr. Michaud.  So they could fail, but you still might give bonuses.

Secretary Nicholson.  Well, it is hard to imagine doing that if they 
failed, because I believe, you know, in performance pay and in 
performance reviews.  And bonuses are also an incentive --  well, not 
also, they are an incentive. But in this case, they are going to become 
sort of a negative thing if people are not performing, and giving this 
the attention that it needs.

Mr. Michaud.  Thank you very much.  I yield back, Mr. Chairman.

The Chairman.  Thank you very much.  Ms. Berkley, you are recognized.

Ms. Berkley.  Thank you, Mr. Chairman, and I will be brief. I had a 
series of questions, but I would like the opportunity to review the 
testimony, because I wasn't here during a lot of the questioning, and 
with a little effort on my part, some of these questions may have 
already been answered.  And whatever is left, I would like to submit, if 
that is all right.

The Chairman.  Ms. Berkley, you may submit questions for the record.  We 
will be responsive.

Ms. Berkley.  Thank you.  And if I can just make a quick statement, I 
first welcome all of you.  We are not strangers to each other and we 
have worked very well together on behalf of the veterans in my community 
for quite a while now.  I think we have been very fortunate and 
hopefully we have averted a crisis here.  And I am hoping that it will 
serve as a wake-up call, not only for the VA department and for all of 
us, but for the other agencies and departments within our government, 
that they need to start looking at these systems and ensure that the 
privacy not only of our veterans but of all Americans are protected.

And I think this is an important first step for us.  I have been very 
critical of you, Mr. Secretary, and I think you know that.  When you 
were here earlier in the year to present the budget, I didn't think that 
after a year of being in your position that you were as engaged as I 
would have liked to have seen you and as knowledgeable about what was 
happening in your department as I think you needed to be, and I believe 
I said that at that time.

I also think it is important to compliment as well. The difference 
between now and a few months ago is quite dramatic and I am very happy 
to see it.  I think as I mentioned, this is a wake-up call for all of 
us, but the burden of your position has fallen on you and I think you 
have picked up the gauntlet, and understand the importance of what we 
are doing here collectively.

Secretary Nicholson.  Thank you.

Ms. Berkley.  I also want to thank you for that and I suspect --  I know 
that between Mr. Filner and Mr. Buyer, we will be watching, and 
hopefully, this will not be the VA will not be an embarrassment for any 
of us; quite the contrary, it is going to be a shining example of what 
we can do well in government to protect the people that look to the 
United States Congress and the United States government to have their 
needs met.

So I am looking forward to working with you on this. And I will submit 
whatever questions you haven't answered after I have had an opportunity 
to review your remarks to other questions.  So thank you very much.

Thank you, Mr. Chairman.

The Chairman.  Thank you very much.  I would like to ask an open 
question to all of the witnesses.  Does anyone here have knowledge of 
any other data breaches within the VA other than what has been presented 
in Maryland, Minneapolis, and Indianapolis?

Mr. Mansfield.  Yes, sir, I do.

The Chairman.  Yes, Secretary Mansfield?

Mr. Mansfield.  Mr. Chairman, yes, I do.

The Chairman.  All right, where?

Mr. Mansfield.  There is a newly instituted weekly report that comes 
forward that identifies the incidents across the system.  Some of it is 
historical and includes the two that you have just mentioned.  It just 
got started this week --  sorry, it started three weeks ago.  It goes 
down in the Office of Cyber Information Security.  The operations group, 
they are the ones that with the new collection of all the ISOs that do a 
national group, or a centralized group under the office of IT, that are 
now reporting through the national system.

So that report just started, and one of the things we have obviously 
learned this morning is that there isn't a part of it that requires 
notifications as you mentioned. That's part of what we had to work on as 
we bring folks in to help us redesign the system on a national basis.

The Chairman.  All right, and where is the additional data breach?

Mr. Mansfield.  Sir, we have a whole list.  Most of them are small, some 
of them are pending information, and the most recent --  

The Chairman.  While the Deputy Secretary is reviewing the list, Mr. 
Secretary, have you been informed of this list?

Secretary Nicholson.  I know that we are making this list, we are 
keeping this list, we just started this.  And I have been presented with 
this list, I don't know that I have this copy that Gordon is reading 
from.

The Chairman.  All right, let me ask this, before we go too much 
further.  This list would contain how many incidents approximately?  Is 
this pages?

Mr. Mansfield.  Sir, I would have to -- one, two, three, four, five, 
six, seven, eight, nine, 10.  And I could make the point that these 
cover the waterfront.  For example, this one talks about potential 
unauthorized access to information, and it goes down and talks about 
this case can be closed out as the contractors were authorized access to 
sensitive information, so --  

The Chairman.  All right.  I think what we are doing here is helpful, 
because what you are seeking, Mr. Secretary, is a process of open 
disclosure.  Because what you have got is a team, and you have to build 
that esprit de corps.  And if somebody makes an error, you need to know 
about the error because we need to make sure we take care of veterans 
and then that it is corrected.

So my purpose here is not to go through all these.  I want to know what 
our vulnerabilities are, what is out there.  I would like to speak with 
you offline about many of these because some of them you may not want to 
discuss.  I don't know where they are in the process.  I yield to you, 
Mr. Secretary.

Secretary Nicholson.  I think that, Mr. Chairman, if you like it would 
seem to me we could provide this report to you and the Ranking Member if 
you want it, if you want to see that on a weekly basis.  I mean, you 
know, we are trying to be really sensitive.  Here is one where, you 
know, an employee may have taken sensitive information home on a 
spreadsheet contains some information about medications. You know, we 
are try to err on the --  

The Chairman.  You know what, I can even see a lot of this happening.  
So in your opening testimony, you say to us that you are going to check 
all laptops, that you are going to make sure that they are all secure.  
Have you granted any waivers to that policy?

Mr. Mansfield.  Doctors.

The Chairman.  Doctors?

Secretary Nicholson.  No, we have not granted any waivers to checking, 
but doctors who deal with patients from home will have to be able to 
continue to do that.  We do know that.  But that doesn't exempt them 
from a data call.

The Chairman.  All right, going back to this issue on the budget for the 
moment.  It appears that until you are able to perfect your federated 
model, as you move to centralize your IT management systems, we are 
going to continue to have vulnerabilities.  As the culture begins to 
change, it is highly possible that we will have some future data 
breaches. There is a human element.  

So Mr. Secretary, I would ask of you to work with OMB. You work with OMB 
with regard to your potential budget supplemental, the $160.5 million.  
It appears that that number will now change.  But it appears that some 
monies will need to be accessed.

My hope is that in your communication with OMB, I don't want OMB to say 
to you, Mr. Secretary, `` You are to take this out of hide,''  and `` 
out of hide''  would be, you know, FTE for personnel with regard to 
claims processing, and the other painful decisions or judgments that you 
have to make. So I would hope that you would communicate with OMB and 
the director that with regard to these monies that were offered up, when 
they said to you `` that last $29 million had to come from you,''  that 
was the last part, and we ought to be able to access the monies with 
regard to this account for you to do one of these ID IQ contracts, and 
we could access as we proceed.  Would you concur that that would be a 
good initiative?

Secretary Nicholson.  Well, I absolutely concur, and, you know, of 
course had those conversations with OMB on that subject.  Yes, sir.

The Chairman.  All right, very good.  With regard to lines of authority, 
General Howard is going to directly report to whom?

Secretary Nicholson.  Direct report to me.

The Chairman.  To you?

Secretary Nicholson.  Yes.

The Chairman.  Does he have dotted line to the deputy, or just a 
straight shot to you?

Secretary Nicholson.  A straight shot to me, with a dotted line to the 
Deputy.

The Chairman.  Okay, now as we proceed on the implementation of your 
federated model, our milestones or benchmarks, performance measures, 
have these been, are they in place, with regard to your Under 
Secretaries, so that they can provide the leadership that down the 
chain, that your initiatives are being implemented and executed?

Secretary Nicholson.  The answer is generally yes, in that we have, you 
know, a very good consultant in place helping us with that, and we have, 
as I said now two or three times this morning, we have already detailed 
those people out of their old existing organizations into this detailed 
status of the new IT organization.  And then come October 1st, the 
beginning of the fiscal year, they will be formalized in that.  That of 
course is a major benchmark. And we have several others in this perk 
chart that we are following to do this with.

The Chairman.  All right, we will follow that with you.

Secretary Nicholson.  I am sure you will.

The Chairman.  Let me turn to your Under Secretaries if I may.  Dr. 
Perlin, with regard to our patient medical records, what assurances can 
you give veterans today that as we perfect the federated model, that 
these records are secure?

Dr. Perlin.  Mr. Chairman, the electronic health record is a great 
advance in security over paper.  Unlike paper, there is an audit trail.  
But with the advances in the department, with the leadership that will 
occur in cyber security with the end-to-end encryption as was discussed 
here in previous hearings, the security that already exists will be 
enhanced.

Unlike the tragic event that recently occurred, the electronic health 
records are not transportable in bulk. And so that is in itself one very 
important assurance.  And when they are looked at or accessed, there is 
an audit trail of who was there, and with that we can know why.

The Chairman.  All right.  Before I yield to Mr. Filner, we had 
painfully learned here over the past few weeks how Mr. McClain's memo 
was interpreted.  So we are very clear that with regard to authorities 
of enforcement of the Secretary's policies, that it rests with the under 
secretaries, that the so-called `` F''  belongs to you.

So what that means is, as I turn to the Secretary and say  `` you are 
not being served well,''  I return to the under secretaries and say it 
is also your moment of leadership. So please advise the Committee right 
now, and we have the three of you testify, as to what are you doing to 
ensure veterans' records are secure?

Secretary Tuerk?

Mr. Tuerk.  Well, thank you for that opportunity, Mr. Chairman.  As you 
will see in my prepared testimony, we have taken a number of actions, we 
are in the midst of executing a number of actions, and we have a number 
of actions planned for the future, essentially all leading toward the 
same goal.

These actions emphasize my commitment to assuring that veterans' privacy 
is respected and protected.  They reinforce the necessity for all of our 
employees to understand their obligations in detail with respect to 
these issues, and they proceed towards implementing, within our internal 
organizational assessment process, a more penetrating review and self-
assessment of compliance with those requirements so that we can assure 
accountability of the people within the National Cemetery 
Administration.  Everything I have done with respect to this issue has 
been aimed towards those ends.

The Chairman.  Dr. Perlin?

Dr. Perlin.  Mr. Chairman, thank you as well for the opportunity to 
comment on this.  And I want to say first and foremost that I fully 
support the Secretary's plan --  a real opportunity to work on 
developing what we hope will indeed be the gold standard for information 
and privacy, not only in government but certainly also in health care. 
This week is an important week; as the Secretary mentioned at the 
beginning of the testimony, this is Security Awareness Week, and we are 
pleased that VHA took the lead in authoring the activities in support of 
the Secretary's plan for the different events during Security Awareness 
Week.

Because however hard we make the hardware, and however tight we make the 
software, it ultimately comes down to the warm-ware, the people, and 
that is why we believe that today, through this week, that security 
awareness has to be the first part, to make people understand the need 
to operate with the information necessary to do-, but transport or 
access the minimum information necessary to do- their jobs.  So at this 
very moment, I am literally on a broadcast throughout the system, 
instructing the VHA employees on the importance of operating with 
vigilance and diligence, and the protection of secured information.

We support Bob Howard and the activities that he will bring forward in 
terms of hardening, the biometrics that limit the access, and prevent, 
and preclude inappropriate access.  Because while this occurred in an 
area totally, totally unrelated to health records, we embrace that this 
is a wake-up call and an opportunity.  We support anything that comes 
forward in the Department in terms of encryption.  We believe that can 
enhance our ability to safely serve veterans.  We are inventorying all 
of the data sets and inventorying all of the assets throughout the 
system again to ensure that where it exists, there is a need to know; 
that people understand that that is a privilege in the process of 
serving veterans.  Thank you.

The Chairman.  Mr. Aument?

Mr. Aument.  Yes, Mr. Chairman.  At VBA, we have undertaken a complete 
review of all of our policies and procedures governing access to 
information and access to VBA systems in particular.  We have rules of 
behavior that anyone who wishes to gain access to a VBA business system, 
whether that be a VBA employee or others who may be authorized access to 
VBA systems, such as veterans' services organization representatives, we 
require that they first of all undergo the cyber security training that 
all employees must undergo, and that they read and understand and sign 
our rules of behavior.

We have acquired encryption software that we are going to be applying to 
all laptop computers in the Veterans Benefits Administration.  We have 
had all of those laptop computers returned to the home office by their 
employees. Once general counsel has given us a green light to proceed to 
install that software, we will proceed to ensure that all laptops are 
encrypted.  We have taken steps to make sure that all of our employees 
within the organization have completed both the cyber security and 
privacy training, that are to be completed by tomorrow.

We believe that we have taken very strong steps.  We have also reviewed 
the agreements that we have in place to provide outside entities 
information from VBA systems.  That includes entities both within the 
department and external to the Department of Veterans Affairs.  And we 
are making sure that those are current, they are still needed, and that 
they bring with them all of the access controls that are appropriate for 
the data that is being provided.

The Chairman.  Thank you.  Mr. Filner?

Mr. Filner.  Thank you, Mr. Chairman. Let's wrap up this long hearing 
for all of you. Mr. Buyer asked the folks in the front row.  Let me just 
get the folks right behind you, if you would give the microphone to Mr. 
Whitney.  Your position, Mr. Whitney?

Mr. Whitney.  I am the office system administrator, privacy officer, and 
security officer.

Mr. Filner.  And you help people with routine IT problems, I take it?

Mr. Whitney.  Day-to-day, yes.

Mr. Filner.  And would you help people load up their computers for their 
software, their accessories, say, if they worked at home?

Mr. Whitney.  No, I do not load up home computers.  I would provide the 
appropriate software once they have been approved for home --  

Mr. Filner.  Well, I am not talking about a home computer.  Say you have 
an office laptop that would be taken home to do work at home.

Mr. Whitney.  Yes, if it was designated for that, that would be me.

Mr. Filner.  And people do do that, right? They take work home?  They 
are authorized to do that?

Mr. Whitney.  Yes.

Mr. Filner.  And so you would help load up the software if they required 
it.

Mr. Whitney.  If it was necessary, yes.

Mr. Filner.  Okay.  I just wanted to see how that was working.

And Mr. Duffy, your position right now?

Mr. Duffy.  I am presently the principal Deputy Assistant Secretary for 
Policy and Planning.

Mr. Filner.  And as of tomorrow?

Mr. Duffy.  As of tomorrow, I will officially retire from the Department 
of Veterans Affairs.

Mr. Filner.  How long have you been with the department?

Mr. Duffy.  Been with the department 34 and a half years.

Mr. Filner.  That's a long time.  Thank you for all that work.

Mr. Duffy.  Thank you.

Mr. Filner.  When someone has software, a software license that 
authorizes home use of the software, that is intended for office work, 
right?  That is the purpose?

Mr. Duffy.  That is correct.

Mr. Filner.  And so, this employee who had that authorization, what was 
exactly he doing?   

Mr. Duffy.  The individual was a senior data analyst, a statistician.  
He worked on a variety of different analytical projects, including 
things like the development of the next national survey of veterans.

Mr. Filner.  And that is what he was working on when this --  

Mr. Duffy.  That is my understanding.  That was one of the issues that 
he was working on at the time of this particular tragedy.

Mr. Filner.  Mr. Duffy, We wish you well in your retirement.

Mr. Bowman.  Thank you.

Mr. Filner.  Mr. Bowman, you are the Chief of Staff, give me an English 
definition of that?

Mr. Bowman.  Well, sir, as the chief of staff -- 

Mr. Filner.  For the Secretary?

Mr. Bowman.  for the Secretary, yes, sir.

Mr. Filner.  And how did you come to know about this tragic situation?

Mr. Bowman.  I was made aware of it initially in a conversation with Mr. 
Duffy on the 9th of May.

Mr. Filner.  Did you think there was a sense of urgency?

Mr. Bowman.  I felt that there was a sense of serious concern, based 
upon how it was described to me as the potential for the loss.  But 
there was still some doubt as to exactly what was the magnitude of the 
loss.

Mr. Filner.  And how far do you actually work from the Secretary?

Mr. Bowman.  Sir?

Mr. Filner.  How far is your office from the Secretary's office?

Mr. Bowman.  Maybe 75 feet.

Mr. Filner.  And I assume you talked to him many times during the week, 
after you knew about this?

Mr. Bowman.  Well, sir, there were two days -- I have open access to the 
Secretary.

Mr. Filner.  I still can't figure out, as a chief of staff, why you 
didn't tell him about it earlier than you did.

Mr. Bowman.  I can tell you right up front that me not telling him I 
regret at this point.  But when I became aware of it on the ninth, I 
felt it important to gain a little more information, and I asked Mr. 
Duffy to provide me that information in a memo.  The concern being, with 
a greater awareness of what might be the magnitude of the loss and the 
kind of information that may be missing, it would help define what might 
be the approach the department may take in addressing it.

Mr. Filner.  Has the Secretary expressed regret that you didn't tell 
him?  I mean --  what is going to happen differently in that 
relationship and knowledge that comes to you, based on this?

Mr. Bowman.  Well, one thing that has happened differently is that as I 
become aware of anything that would be important to the Secretary, I 
report it and obviously I have to apply some sense of judgment to that, 
I exercise very open access with the Secretary and with the deputy.

Mr. Filner.  Thank you.  I appreciate that.  You know, we have the 
luxury of asking you in hindsight, and I realize that.  But it looks to 
me, there were serious lapses of judgment, and not sufficient 
appreciation of the effect on the veterans and the fear that was 
propagated to everybody.

I think all you at the top failed us -- not failed us, failed the 
veterans.  Again, I mentioned at other hearings, I had a recent 
election, so I was talking to a lot of people in the last month, after 
the theft was known.  There was incredible fear, and a sense that 
veterans didn't know how to handle this, and they weren't getting the 
help, or assurance that they were going to be helped, and I think you 
all have to examine that whole process.  I mean, you got to have --  
some of you military guys, in your debriefing, or after action reports, 
you got to go over this and see what happened.

I am not going to just say everybody ought to be fired --  I have said 
some things like that in the past --  I think all of you want to serve 
the veterans.  But this is a serious lapse and you have to figure out 
why it happened and make sure it does not happen again.  You all have to 
work on that, and let us know how that is solved, because the folks 
outside are really, really afraid. 

Lastly, Mr. Secretary, I think you are appropriately still leaving open 
the need for credit monitoring.  You have put a lot of emphasis on 
credit reporting as your proactive thing.  The testimony that we have 
had from these experts --  and it sounds like you have had similar 
conversations, because of some of your answers --  it may be more 
important --  one, I would have, if this thing was still an open 
question today, I would emphasize insurance, some sort of insurance 
policy for loss, because it is cheaper and it is much more assuring.  
Any credit changes, if this was a professional job, would not be 
apparent for a year or so.  So it may not do any good to monitor.

And the RFP that you are still working on, getting a sense of was there 
any identity theft based on analyses of different databases, is far more 
important and a lot cheaper.  At least one company that testified said 
they would do it free for the first year.  So I think this is a matter 
of judgment still.  And I don't think that you have to assume that just 
credit --  everybody is saying `` credit monitoring.''   That doesn't 
sound to me like the answer that you need, especially at this point.  
The `` screen,''  as you called it, between a certain set of data and 
what could have happened to it is far more important, because it will 
show up on credit later.  

I still don't understand why we have a lot of experts here that never 
even talked to you.  I think you should have called them first.  I still 
can't figure out why Mr. McClain doesn't talk to other general counsels 
about interpretation of FISMA.  As several people said on both sides of 
the aisle, the coordination here with other departments is absolutely 
vital.  And if Mr. McClain was the only one who said that you had to 
interpret FISMA this way, versus 10 others, that should have led to some 
questioning in the department, why is he the only one saying this?

These are just some thoughts I have from someone who has been critical.  
I am trying to say, take this seriously and show us that there have been 
some results and some self-critical judgment.  Thank you, Mr. Secretary 
for sitting through all this.  If you have any final thoughts, please --  

Secretary Nicholson.  The only one right now I would say, Mr. Filner is, 
I agree with you, I think we should pursue the, you know, the data 
screen on this population, just as a belt and suspender, you know, at 
least, and it is not very expensive.  And the question of then credit 
monitoring in my mind right now is still open.

The Chairman.  I thank the gentleman.  Mr. Aument, before I conclude, I 
need to go back because I have been pondering one of your responses and 
this deals with the issue about the laptops and making sure all the 
laptops are secure.  So, you went out into the field and asked for 
everybody to bring their laptops in and `` let us check them and make 
sure they are properly encrypted,''  or have the right software on them?

Mr. Aument.  That is correct, Mr. Chairman.  We have had all the 
employees, those who by nature of their positions have to be working 
away from the office; visiting schools, appraisers, fiduciaries, we have 
had them bring their laptops back to their home regional office.

The Chairman.  What was it that you needed, that you have to get 
permission from general counsel to do what?

Mr. Aument.  This is the lawsuit that has been filed, that was requiring 
us to leave the machines intact while the litigation was proceeding.  So 
I believe General Counsel can answer that much better, but we were asked 
not to make any changes fundamentally to those machines until that issue 
had been resolved.

The Chairman.  Well, this is a rather bizarre situation.  If we have 
veterans' groups filing a lawsuit, for them to think they are going to 
act on the interest of veterans, and the lawsuit now is to the detriment 
of veterans.  I am disappointed, and I am also most hopeful that these 
organizations would dismiss that class-action lawsuit.  This is not 
necessary, and I am most hopeful that these organizations will direct 
their lawyers to take appropriate action to do so.  It is hard for us to 
work through this, work with you, Mr. Secretary, perfect change and take 
care of veterans, if we can't do so because of a class-action lawsuit.  
Is this also occurring with you, Secretary Tuerk, and Secretary Perlin?  
Does the same apply to you with your laptops?

Dr. Perlin.  Yes, Mr. Chairman.  We understand that from General 
Counsel, that there is effectively an injunction precluding the sort of 
actions that we would all want to take.  I would turn to our General 
Counsel for additional elaboration.

The Chairman.  What has the court directed you to do or not do, Mr. 
McClain?

Mr. McClain.  Mr. Chairman, really, there are two separate issues.  We 
have three class-action lawsuits that have been filed.  There was a TRO 
that was issued last Friday in the Eastern District of Kentucky, and 
will be heard tomorrow at 2:00 o'clock in the afternoon.  And the issue 
there was communicating with potential members of the class, and credit 
monitoring.

In one of the other cases, there was a very strong letter from the 
plaintiff's counsel saying that he had heard about the Secretary's plan 
for the security awareness week, which included one of the items being 
the security of the laptops, to ensure that things were supposed to be 
on it were, and were not supposed to be on it were taken off. They sent 
a letter saying, `` we believe that this would be destroying evidence, 
or tampering potential evidence in the lawsuit,''  and therefore our 
attorneys at DOJ recommended that until we can get the court to rule, 
that we not do anything with the laptops.  So it is a delay in doing 
this with the laptops; it is not a moratorium.

The Chairman.  So now we have a Secretary and under secretaries seeking 
compliance, and they can't do so to secure their systems because of 
class-action lawsuits.  Is that what you are telling me?

Mr. McClain.  Yes, sir.

The Chairman.  That is a sad state of affairs.  Now we have got the 
plaintiff's bar involved.  Well, wow.  Mr. McClain, the Department of 
Justice is litigating your defense?

Mr. McClain.  Yes, in all three cases.

The Chairman.  Have they filed for summary judgment in all three cases?

Mr. McClain.  That is under consideration right now, sir.  We have made 
no appearance yet in these cases.

The Chairman.  Given that there is no evidence of damage --  you have 
got a class that has been certified, but yet no evidence of damage, this 
ought to be an immediate summary judgment.  I yield to you, but I think 
we are certainly --  

Mr. McClain.  We are certainly considering it, sir.

The Chairman.  Yes.  Well, I would encourage that, Mr. Secretary.  We 
need to get on, make sure this is secure. This is unprecedented in the 
history of the VA, and you know that, Mr. Secretary.

And I laud your leadership.  You have had to take control of this, and 
you have done that.  When I said it was a moment of your leadership, you 
have stepped forward.  And you are off the heels and on the toes.  And I 
think you are sending the right message, not only to the deputy 
secretary. He gets it, and so do your under secretaries, by their 
testimony here today.

And Mr. Howard, I do not understand, perhaps, why your cyber security 
man was not in the room in the drafting of the directive.  Perhaps that 
was your choice, but with this memorandum you have been empowered.  It 
appears that you are about to be embraced to perfect these changes.

Taking advantage of the widely felt impetus for change, as you spoke, 
Mr. Secretary, I am most hopeful this will yield the vast and crucial 
improvements necessary in your department, and we will continue our 
oversight.  And I want to thank you, and we will work with you with 
regard to these budgetary matters.

This hearing is now concluded.

[Whereupon, at 2:11 p.m., the Committee was adjourned.]


                                 APPENDIX


[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]

[GRAPHIC] [TIFF OMITTED]