[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]



 
ONCE MORE INTO THE DATA BREACH: THE SECURITY OF PERSONAL INFORMATION 
                          AT FEDERAL AGENCIES

=======================================================================


                                HEARING

                               before the

                              COMMITTEE ON
                           GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED NINTH CONGRESS

                             SECOND SESSION

                               __________

                              JUNE 8, 2006

                               __________

                           Serial No. 109-159

                               __________

       Printed for the use of the Committee on Government Reform


  Available via the World Wide Web: http://www.gpoaccess.gov/congress/
                               index.html
                      http://www.house.gov/reform


                                 _____


                 U.S. GOVERNMENT PRINTING OFFICE

28-759 PDF              WASHINGTON : 2006
_________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government 
Printing  Office Internet: bookstore.gpo.gov  Phone: toll free 
(866) 512-1800; DC area (202) 512-1800 Fax: (202) 512-2250 Mail:
Stop SSOP, Washington, DC 20402-0001




                     COMMITTEE ON GOVERNMENT REFORM


                     TOM DAVIS, Virginia, Chairman
CHRISTOPHER SHAYS, Connecticut       HENRY A. WAXMAN, California
DAN BURTON, Indiana                  TOM LANTOS, California
ILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York
JOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York
JOHN L. MICA, Florida                PAUL E. KANJORSKI, Pennsylvania
GIL GUTKNECHT, Minnesota             CAROLYN B. MALONEY, New York
MARK E. SOUDER, Indiana              ELIJAH E. CUMMINGS, Maryland
STEVEN C. LaTOURETTE, Ohio           DENNIS J. KUCINICH, Ohio
TODD RUSSELL PLATTS, Pennsylvania    DANNY K. DAVIS, Illinois
CHRIS CANNON, Utah                   WM. LACY CLAY, Missouri
JOHN J. DUNCAN, Jr., Tennessee       DIANE E. WATSON, California
CANDICE S. MILLER, Michigan          STEPHEN F. LYNCH, Massachusetts
MICHAEL R. TURNER, Ohio              CHRIS VAN HOLLEN, Maryland
DARRELL E. ISSA, California          LINDA T. SANCHEZ, California
JON C. PORTER, Nevada                C.A. DUTCH RUPPERSBERGER, Maryland
KENNY MARCHANT, Texas                BRIAN HIGGINS, New York
LYNN A. WESTMORELAND, Georgia        ELEANOR HOLMES NORTON, District of 
PATRICK T. McHENRY, North Carolina       Columbia
CHARLES W. DENT, Pennsylvania                    ------
VIRGINIA FOXX, North Carolina        BERNARD SANDERS, Vermont 
JEAN SCHMIDT, Ohio                       (Independent)
 ------

                      David Marin, Staff Director
                Lawrence Halloran, Deputy Staff Director
                       Teresa Austin, Chief Clerk
          Phil Barnett, Minority Chief of Staff/Chief Counsel



                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on June 8, 2006.....................................     1
Statement of:
    Johnson, Clay, III, Deputy Director for Management, Office of 
      Management and Budget; R. James Nicholson, Secretary, 
      Department of Veterans Affairs, accompanied by Tim McClain, 
      General Counsel, Department of Veterans Affairs, and Robert 
      Howard, Senior Adviser to the Deputy Secretary and 
      Supervisor, Office of Information and Technology, 
      Department of Veterans Affairs; David M. Walker, 
      Comptroller General, Government Accountability Office; 
      William E. Gray, Deputy Commissioner for Systems, Social 
      Security Administration; and Daniel Galik, Chief Mission 
      Assurance and Security Services, Internal Revenue Service, 
      Department of Treasury.....................................    13
        Galik, Daniel............................................    69
        Gray, William E..........................................    59
        Johnson, Clay, III.......................................    13
        Nicholson, R. James......................................    18
        Walker, David M..........................................    31
Letters, statements, etc., submitted for the record by:
    Clay, Hon. Wm. Lacy, a Representative in Congress from the 
      State of Missouri, prepared statement of...................   102
    Cummings, Hon. Elijah E., a Representative in Congress from 
      the State of Maryland, prepared statement of...............   100
    Davis, Chairman Tom, a Representative in Congress from the 
      State of Virginia, prepared statement of...................     4
    Dent, Hon. Charles W., a Representative in Congress from the 
      State of Pennsylvania, prepared statement of...............    96
    Galik, Daniel, Chief Mission Assurance and Security Services, 
      Internal Revenue Service, Department of Treasury, prepared 
      statement of...............................................    71
    Gray, William E., Deputy Commissioner for Systems, Social 
      Security Administration, prepared statement of.............    61
    Johnson, Clay, III, Deputy Director for Management, Office of 
      Management and Budget, prepared statement of...............    15
    Nicholson, R. James, Secretary, Department of Veterans 
      Affairs, prepared statement of.............................    22
    Schmidt, Hon. Jean, a Representative in Congress from the 
      State of Ohio, prepared statement of.......................    98
    Walker, David M., Comptroller General, Government 
      Accountability Office, prepared statement of...............    33
    Waxman, Hon. Henry A., a Representative in Congress from the 
      State of California, prepared statement of.................     8


ONCE MORE INTO THE DATA BREACH: THE SECURITY OF PERSONAL INFORMATION AT 
                            FEDERAL AGENCIES

                              ----------                              


                        THURSDAY, JUNE 8, 2006

                         House of Representatives,
                       Committee on Government Reform,
                                        Washington, DC.

    The committee met, pursuant to notice, at 10:41 a.m., in 
room 2154, Rayburn House Office Building, Hon. Tom Davis 
(chairman of the committee) presiding.
    Present: Representatives Tom Davis, Shays, Mica, Gutknecht, 
Souder, LaTourette, Platts, Marchant, Dent, Schmidt, Waxman, 
Sanders, Cummings, Kucinich, Clay, Van Hollen, and Norton.
    Staff present: David Marin, staff director; Ellen Brown, 
legislative director and senior policy counsel; Chas Phillips, 
policy counsel; Rob White, communications director; Andrea 
LeBlanc, deputy director of communications; Victoria Proctor, 
senior professional staff member; Teresa Austin, chief clerk; 
Sarah D'Orsie, deputy clerk; Kristin Amerling, minority general 
counsel; Adam Bordes and Anna Laitin, minority professional 
staff members; Earley Green, minority chief clerk; and Jean 
Gosa, minority assistant clerk.
    Chairman Tom Davis. The committee will come to order.
    Secure information is the lifeblood of effective government 
policy and management, yet Federal agencies continue to 
hemorrhage vital data. Recent losses of critical electronic 
records compel us to ask: What is being done to protect the 
sensitive digital identities of millions of Americans, and how 
can we limit the damage when personal data does go astray? In 
early May, a Veterans Affairs employee reported the theft of 
computer equipment from his home, equipment that stored more 
than 26 million records containing personal information. While 
he was authorized to access those records, he was not part of 
any formal telework program.
    VA leadership delayed acting on the report for almost 2 
weeks, while millions were at risk of serious harm from 
identity theft. And since admitting to the largest data loss by 
a Federal agency to date, the VA has been struggling to 
determine the exact extent of the breach. Just yesterday we 
learned the lost data includes information on over 2 million 
active duty and Reserve personnel as well as veterans. So the 
security of those currently serving in the military may have 
been compromised, and the bond of trust owed to those who 
served has been broken. And that is just only the latest in a 
long string of personal information breaches in the public and 
private sectors, including financial institutions, data 
brokerage companies and academic institutions. Just recently, a 
laptop computer containing information on nearly 300 Internal 
Revenue Service employees and job applicants, including data 
such as fingerprints, names, Social Security numbers and dates 
of birth, was lost while in transit on an airline flight, 
according to reports. These breaches illustrate how far we have 
to go to reach the goal of strong uniform government-wide 
information security policies and procedures.
    On this committee, we have been focused on government-wide 
information management and security for a long time. The 
Privacy Act and E-Government Act of 2002 outline the parameters 
for the protection of personal information. These incidents 
highlight the importance of establishing and following security 
standards for safeguarding personal information. They also 
highlight the need for proactive security breach notification 
requirements for organizations, including Federal agencies that 
deal with sensitive personal information. I know other 
committees have been working on the requirements for the 
private sector. Federal agencies present unique requirements 
and challenges, and it is my hope that we can work to 
strengthen personal data protections through regulatory changes 
and any needed legislative fixes.
    The Federal Information Security Management Act of 2002 
[FISMA], requires Federal agencies to provide protections for 
agency data and information systems to ensure their integrity, 
confidentiality and availability. FISMA requires each agency to 
create a comprehensive risk-based approach to agency-wide 
information security management. It is intended in part to make 
security management an integral part of everyday operations. 
Some complain that FISMA is a little more than a paperwork 
exercise, an analog answer to a digital problem. This latest 
incident disproves that complaint. FISMA requires agencies to 
notify agency inspectors general and law enforcement among 
others when a breach occurs, promptly. It appears VA didn't 
comply with that requirement. Each year, the committee releases 
scorecards based on information provided by chief information 
officers and inspectors general in their FISMA reports. This 
year, the scores for many departments remained unacceptably low 
or dropped precipitously. The Veterans Affairs Department 
earned an F the second consecutive year and the fourth time in 
the last 5 years the department received a failing grade. The 
Federal Government overall received a whopping D-plus, although 
several agencies improved their information security or 
maintained a consistently high level of security from previous 
years, including the Social Security Administration.
    Today the committee wants to discuss how we can improve the 
security of personal information held or controlled by Federal 
agencies. In my view, these efforts should include 
strengthening FISMA and adding penalties, incentives, or 
proactive notification requirements. OMB will discuss 
government-wide efforts to improve data security. GAO will 
highlight areas in which the protection of consumer information 
can be enhanced. In this context, we will focus on security at 
the Veterans Affairs, Social Security Administration and the 
IRS. VA Secretary Nicholson will discuss the details of that 
department's potentially catastrophic data breach. Officials 
from the IRS and Social Security Administration will describe 
the experiences and efforts of those agencies which stand as 
guardians of the largest storehouses of taxpayer information. 
Government information systems hold personal information about 
millions of citizens, including health records, military 
service histories, tax returns and retirement accounts. E-
commerce, information sharing, online tax filing are 
commonplace. If the Federal Government is going to be a trusted 
traveler on the information super highway, critical data on 
millions of citizens should not be able to go missing after a 
trip around the Beltway in a back seat of some government 
worker's car. And that is kind of where we are.
    So we appreciate everybody being here.
    Secretary Nicholson, you are new to the VA, and I know this 
has come up, and you are trying to deal with it. We appreciate 
your being here today and sharing your thoughts.
    Mr. Waxman.
    [The prepared statement of Chairman Tom Davis follows:]
    [GRAPHIC] [TIFF OMITTED] 28759.001
    
    [GRAPHIC] [TIFF OMITTED] 28759.002
    
    Mr. Waxman. Thank you, Mr. Chairman.
    I'm pleased you are holding this hearing on Federal data 
security. Last month, the sensitive data on 26.5 million 
veterans and active duty members of the military were stolen 
from the Department of Veterans Affair. Everybody has heard 
about this, but I think we need to examine it carefully and 
learn from this experience. The administration needs to provide 
the public with a thorough accounting regarding the VA 
incident, and it must detail how it will ensure that no future 
breaches will occur with respect to the tremendous volume of 
information the Veterans Administration and other Federal 
agencies maintain on Americans across the country.
    The recent VA data breach represents a violation of trust 
of remarkable magnitude. The administration's failure to 
protect against such an incident and its delayed response may 
have made millions of men and women who currently serve or have 
served in uniform vulnerable to identity theft and other 
potentially costly misuse of their information.
    Unfortunately, this breach does not come as a surprise. 
Consider for example GAO's July 2005 assessment of information 
security in the Federal Government. GAO stated: Pervasive 
weaknesses threaten the integrity, confidentiality, and 
availability of Federal information and information systems. 
These weaknesses exist primarily because agencies have not yet 
fully implemented strong information security management 
programs. These weaknesses put Federal operations and assets at 
risk of fraud, misuse and destruction. In addition, they place 
financial data at risk of unauthorized modification or 
destruction, sensitive information at risk of inappropriate 
disclosure and critical operations at risk of disruption. So we 
had a warning as of July 2005, and indeed in this year, March 
of this year, in its annual scorecard evaluation, this 
committee gave the Federal Government a government-wide grade 
of D-plus, and the VA received a grade of F.
    Well, remarkably and regrettably, the Bush administration 
has repeatedly shown questionable commitment to protecting the 
privacy of American citizens. For example, last December, we 
learned that the President had authorized warrantless 
eavesdropping on Americans' e-mails and phone calls despite 
Federal laws prohibiting this practice. Just this week, the 
Washington Post reported that, ``since the Federal medical 
privacy requirements went into effect in 2003, the 
administration has received nearly 20,000 complaints alleging 
violations but has not imposed a single civil fine and has 
prosecuted just two criminal cases.''
    Well, I hope the administration will view the VA data 
breach as impetus for placing higher priority on privacy issues 
relating to the sensitive data it collects and maintains on 
Americans. You would think that the General Accounting Office 
report in July 2005 which was so damning should have been a 
wake-up call. Now we have another wake-up call where the data 
has actually been surreptitiously available to others that 
could do harm to the veterans whose data may be used against 
them. Well, I hope we will give a higher priority on privacy 
issues because technology advances facilitate the sharing of 
information, and as we develop new ways to use data on 
individuals to further important goals such as terrorism 
prevention, we must be vigilant about protecting Americans' 
privacy rights. In the short term, the government must do 
everything possible to address expeditiously, any harm 
resulting to the individuals whose data was stolen. The VA 
Secretary has taken several steps to provide information to 
veterans about the breach, but the administration should be 
doing more to support the affected veterans and active service 
members.
    I recently joined Representative Salazar and over 100 other 
colleagues in urging President Bush to request emergency 
funding for free credit monitoring and additional free credit 
reports for veterans and others whose information was 
compromised. For our part, Congress should consider measures, 
such as the Veterans Identity Protection Act of 2006 which 
Representative Salazar has introduced. This bill would require 
the Department of Veterans Affairs to certify that it has 
notified all affected individuals. It would also direct the VA 
to provide free credit monitoring services and reports to each 
affected individual. We must also determine exactly what went 
wrong at the VA, not only to know what happened but to prevent 
future breaches. To that end, there is an ongoing joint 
investigation by the inspector general, the Department of 
Justice and local law enforcement, and I hope that today's 
hearing will advance our understanding of this issue.
    Finally, the VA data breach should underscore the 
importance of ensuring implementation of sound information-
security practices government-wide. The reports from the Office 
of Management and Budget and the Government Accountability 
Office show that some agencies, some agencies are making 
progress on this front. The A-plus grade this committee gave 
the Social Security Administration this year underscores that 
large agencies with aging systems and vast amounts of sensitive 
data can comply with Federal information security requirements.
    I want to thank all the witnesses for taking time to appear 
before the committee today. I look forward to hearing from them 
about the issues raised by the VA data breach. I hope this will 
not just be another hearing, another wake-up call that is 
ignored and that we find ourselves with similar breaches of 
privacy as we unfortunately have seen with the veterans in this 
country.
    Chairman Tom Davis. Thank you.
    Members will have 7 days to submit opening statements for 
the record.
    [The prepared statement of Hon. Henry A. Waxman follows:]
    [GRAPHIC] [TIFF OMITTED] 28759.003
    
    [GRAPHIC] [TIFF OMITTED] 28759.004
    
    [GRAPHIC] [TIFF OMITTED] 28759.070
    
    [GRAPHIC] [TIFF OMITTED] 28759.071
    
    [GRAPHIC] [TIFF OMITTED] 28759.072
    
    Chairman Tom Davis. We will move to our panel.
    We have the Honorable Clay Johnson III, the Deputy Director 
for Management, Office of Management and Budget; the Honorable 
R. James Nicholson, Secretary of the Department of Veterans 
Affairs, accompanied by Tim McClain, who is the General Counsel 
of the Department of Veterans Affairs, and Robert Howard, the 
senior adviser to the Deputy Secretary and Supervisor, Office 
of Information and Technology, Department of Veterans Affairs; 
the Honorable David Walker, the Comptroller General, Government 
Accountability Office; William E. Gray, the Deputy Commissioner 
for Systems, Social Security Administration; and Mr. Daniel 
Galik, Chief Mission Assurance and Security Services for the 
IRS, Department of Treasury.
    It is our policy to swear all witnesses in before they 
testify. So, including Mr. McClain and Mr. Howard, if you would 
rise and raise your right hands.
    [Witnesses sworn.]
    Chairman Tom Davis. We will start with you, Mr. Johnson, 
and we will move straight down. Thank you very much.

STATEMENTS OF CLAY JOHNSON III, DEPUTY DIRECTOR FOR MANAGEMENT, 
OFFICE OF MANAGEMENT AND BUDGET; R. JAMES NICHOLSON, SECRETARY, 
  DEPARTMENT OF VETERANS AFFAIRS, ACCOMPANIED BY TIM MCCLAIN, 
  GENERAL COUNSEL, DEPARTMENT OF VETERANS AFFAIRS, AND ROBERT 
HOWARD, SENIOR ADVISER TO THE DEPUTY SECRETARY AND SUPERVISOR, 
 OFFICE OF INFORMATION AND TECHNOLOGY, DEPARTMENT OF VETERANS 
   AFFAIRS; DAVID M. WALKER, COMPTROLLER GENERAL, GOVERNMENT 
ACCOUNTABILITY OFFICE; WILLIAM E. GRAY, DEPUTY COMMISSIONER FOR 
  SYSTEMS, SOCIAL SECURITY ADMINISTRATION; AND DANIEL GALIK, 
CHIEF MISSION ASSURANCE AND SECURITY SERVICES, INTERNAL REVENUE 
                SERVICE, DEPARTMENT OF TREASURY

                 STATEMENT OF CLAY JOHNSON III

    Mr. Johnson. Mr. Chairman and members of the committee, 
thank you. I'm here to speak about the adequacy or inadequacy 
of existing laws, regulations and policies regarding privacy, 
information security and data breach notification. I'm here 
because we have had an unprecedented security breach causing 
the loss of personal data concerning millions of people.
    Generally, at OMB, we believe we have sound laws, policies 
and standards related to this topic. But we can and must do a 
much, much better job of implementing them. We have policies 
and standards that call for encryption and passwords to protect 
data taken offsite via laptops, for instance. But we obviously 
need to do a better job of abiding by them. We must do a better 
job of holding ourselves accountable for implementing existing 
policies and holding each employee accountable for performing 
their assigned responsibilities.
    In the short term, as the Deputy Director for Management, I 
have instructed agencies to remind each employee of their 
specific responsibilities for safeguarding personally 
identifiable information and the relevant rules and penalties. 
I have instructed them to review and appropriately strengthen 
the means by which they hold their bureaus and people 
accountable for adhering to existing security guidelines, and I 
have instructed them to ensure that they are reporting all 
security incidences as required by law.
    Our inspectors general are already reviewing the adequacy 
of their data security oversight. As chair of the PCIE and the 
ECIE, the two inspector general associations. I will make sure 
that IG oversight is consistent with the high level of 
accountability called for in this matter.
    Longer term, the Federal Government is already implementing 
a 2004 Presidential Directive to develop and utilize 
information cards that will be used to control access to 
government computer systems and physical facilities. It will 
take several years to implement this new initiative.
    OMB, all executive branch agencies and employees, and the 
inspectors general community have a shared responsibility to 
minimize the risk of harm associated with our use of this type 
of data. I am committed to working with Congress to ensure our 
information security policies and procedures are what they need 
to be and, most importantly, that we are all held accountable 
for following them. Thank you.
    [The prepared statement of Mr. Johnson follows:]
    [GRAPHIC] [TIFF OMITTED] 28759.005
    
    [GRAPHIC] [TIFF OMITTED] 28759.006
    
    [GRAPHIC] [TIFF OMITTED] 28759.007
    
    Chairman Tom Davis. Thank you very much.
    Secretary Nicholson, thanks for being with us.

                STATEMENT OF R. JAMES NICHOLSON

    Secretary Nicholson. Mr. Chairman, ranking member, members, 
I want to thank you for holding this hearing. I think it is 
very timely, and I thank you for the invitation to appear here 
before you to provide you with a report and an assessment of 
current events at the Department of Veterans Affairs.
    In that context, I will also present a brief overview of VA 
security policies along with the Department's views on the 
adequacy of current regulation legislation, regulations and 
policies regarding privacy, information security and data 
breach notification. Facts surrounding the recent data breach 
at VA are well known to you through their coverage in the 
media. I will briefly recap them, though, before reviewing with 
you the actions that I have taken in response and what we have 
learned and are learning as a result and what we need to be 
doing as we go forward.
    A 34-year VA employee, a VA analyst, took home electronic 
data files from the VA. He was not authorized to do so, but he 
had been in the practice of doing it for 3 years. On May 3, 
that employee's home was broken into in what appears to local 
law enforcement to be a routine breaking and entering. His 
laptop computer and hard drive containing the VA data were 
stolen. These data contained identifying information on up to 
26.5 million veterans, some spouses and dependents. It is 
important to note that the data did not include any of the VA's 
electronic health records.
    On June 1, independent forensic experts that we retained, 
confirmed that there was some data pertaining to active duty, 
Guard and Reserve troops. On June 5, we learned through ongoing 
analysis and through data matching and discussions with the 
Department of Defense that private information on over 2 
million active duty, Guard and Reserves may have also been 
included. As I stated in my testimony before the House and the 
Senate Committees on Veterans Affairs recently, I am totally 
outraged at the loss of this data and the fact that an employee 
would put so many people at risk by taking it home in violation 
of existing VA policies.
    I'm also gravely concerned about the timing of the 
Department's response once the burglary did become known. I 
accept responsibility for this. I am in charge of this 
Department. I have never been so disappointed and angry at 
people, but it is my responsibility also now to fix this. And 
just as the health care system, the VA has risen to be a 
paradigm of integrated health care in our country and it has 
done so in a relatively short period of time, I think that we 
can make the same of the VA and data security, and I'm 
committed to doing that because it's doable. It won't be easy, 
and it won't be overnight because we are going to have to 
change a culture.
    Full-scale investigations into this matter remain ongoing. 
Authorities believe it's unlikely the perpetrators targeted the 
items stolen because of any knowledge of the data contents. We 
remain hopeful that this was a common random theft and that no 
use will be made of this data. However, certainly we cannot 
count on that. And because we are committed to keeping our 
veterans and our service members informed, we have established 
call centers with call numbers to provide information which we 
have promulgated in many different ways, including a letter to 
each of the known affected people. We've dedicated a Web site 
that provides answers to any concerned veteran, service member 
or family member. These are updated as additional information 
becomes available to us regarding this theft and what it might 
entail.
    From the moment I was informed, the VA began taking all 
possible steps to protect and inform our veterans. On May 31st 
I named Maricopa County District Attorney Richard Romley, 
formerly district attorney, as my new special adviser for 
information security reporting directly to me. Mr. Romley 
shares my commitment to cutting through the bureaucracy to 
provide the results our Nation's veterans and service members 
deserve and expect. I have initiated several actions to 
strengthen our privacy and data security programs. On May 24th, 
we launched the Data Security Assessment and Strengthening 
Program, a high-priority focus plan to strengthen our data 
privacy and security procedures. On May 26th, I directed my top 
leadership to reenforce each VA manager of their duty to 
protect sensitive information. I've instructed all employees to 
complete privacy and cyber security training by June 30th. 
Further, I have convened a task force of VA senior leadership 
to review all aspects of information security, inventory all 
positions requiring access to sensitive VA data and ensure that 
personnel have the appropriate current security clearances. On 
June 6th, 2 days ago, I issued a VA information technology 
directive entitled, Safeguarding Confidential and Privacy Act-
Protected Data at Alternative Work Locations. I also issued a 
separate directive under the under secretary of benefits 
suspending the practice of permitting veterans' benefits 
employees to remove files for claims from their regular work 
stations in order to adjudicate claims from alternative work 
locations, including their homes.
    During the week of June 26th, VA facilities across the 
country and including Guam, Manila and the Puerto Rican islands 
at every hospital, clinic, regional office, national cemetery, 
field office and our central office will stand down for 
Security Awareness Week. Managers throughout the VA will review 
information security and reenforce privacy obligations and 
responsibilities with their staff. I've also ordered that every 
laptop in the VA undergo a security review to ensure that all 
security and virus software is current. The review will include 
removal of any unauthorized information or software. I have 
also ordered that no personal laptop or computer equipment will 
be allowed to access the VA's virtual private network or be 
used for any official business.
    You asked that I review the VA's data security policies and 
procedures. I believe these have been shared with you and your 
staff and they are discussed in my written testimony. They 
include: VA Directive 6502, issued on June 30, 2003 on our 
privacy program; Directive 5011 dated September 22, 2005, 
providing specific policies and procedures for the approval of 
alternative workplace arrangements and teleworking.
    One existing guideline, Security Guideline for Single-User 
Remote Access, will be published very soon as a VA directive. 
This document sets the standards for access, use and 
information security including physical security, incident 
reporting and responsibilities. I believe that the policies we 
have and the legislation under which they are promulgated is 
generally adequate. But it is, Mr. Chairman, too hard in my 
opinion to discipline people in the Civil Service. It is too 
hard to impose sanctions. I have multiple examples of that I 
can give you of people at each strata of leadership in the VA 
who, due to the cultural lapses, have violated the existing 
policies. I think something that this committee and the 
Congress should look at is HIPA, the Health Information 
Portability Accounting Act, which has teeth in it for 
violations of health information breaches, and I think we 
should consider putting the same kind of teeth into an 
enforcement mechanism for the compromising and the careless and 
negligent handling of personal information, putting it under 
the same category of enforcement.
    Another that I think needs to be considered is that while 
we have a system in the government of doing background 
investigations for people to whom we will give access to 
classified information, we do not have a similar screen for 
those to whom we will give enormous amounts of data. And I will 
use--this is my wallet. This is a hard drive that holds 60 
gigabytes; 60 gigabytes will hold 12 times the information that 
was compromised in our data breach. This will hold the personal 
information of the population of the United States, and it fits 
very easily into my vest pocket.
    So obviously what we need to do is know more about the 
people who have access. This employee who took this home, as I 
said, worked for 34 years with the VA. He has not had a 
background check for 32 years. He did, by the way, this year 
sign the annual requirement for security awareness.
    So it is clear that we need to put some teeth behind the 
obvious needs that also exist at the VA for more training, 
education and enforcement and the ascertainment of the culture 
of the people that we are giving access. This has been a 
painful lesson for me at the VA.
    Ultimately our success in changing this is going to depend 
on changing the culture, and that depends on our ability to 
change the attitudes of our people. It is our obligation to do 
this, to ensure that they have the right training, that they 
are instilled with the sense of discipline and the commitment 
to be careful in their trusteeship of this data, and we have an 
obligation on, collectively, I believe, at the governmental 
level to ensure the character and the vulnerability of people 
that have access in important work for caring for our veterans 
and all of the other people in this government. This is a 
personal priority of mine. Indeed, I believe it needs a 
crusade. This is an emergency. It is an emergency at the VA, 
and it should be an emergency in our society.
    Last night I was approached by a university president who 
recognized me to tell me about a data breach that they'd just 
had--I can't divulge--but a very prestigious university and its 
recommendations. So this is unfortunately rampant and we need 
to have better tools in the way of approaching it. Significant 
change in the way the VA manages its infrastructure ironically 
was put into place by me last October. Part of the reason the 
VA I think has gotten so lapse is that it is decentralized and 
it is spread all over this country, as you know. I made a major 
policy decision and we are centralizing information technology, 
and that is undergoing significant cultural resistance but we 
are going to do that and that was underway and that will also 
assist us in this broader goal and it will include both cyber 
and information security and privacy. We will stay focused on 
these problems until they're fixed and we will take direct and 
immediate action to address and alleviate people's concerns.
    With greater control comes greater accountability. Mr. 
Chairman, I remain cognizant that we are accountable not only 
to you, the Congress, but also to our Nation's veterans and our 
service members. And, Mr. Chairman, that concludes my 
statement. Thank you for this opportunity.
    [The prepared statement of Secretary Nicholson follows:]
    [GRAPHIC] [TIFF OMITTED] 28759.008
    
    [GRAPHIC] [TIFF OMITTED] 28759.009
    
    [GRAPHIC] [TIFF OMITTED] 28759.010
    
    [GRAPHIC] [TIFF OMITTED] 28759.011
    
    [GRAPHIC] [TIFF OMITTED] 28759.012
    
    [GRAPHIC] [TIFF OMITTED] 28759.013
    
    [GRAPHIC] [TIFF OMITTED] 28759.014
    
    [GRAPHIC] [TIFF OMITTED] 28759.015
    
    [GRAPHIC] [TIFF OMITTED] 28759.016
    
    Chairman Tom Davis. Thank you, Mr. Secretary. And now we'll 
hear from General Walker.

                  STATEMENT OF DAVID M. WALKER

    Mr. Walker. Thank you, Mr. Chairman. I assume that the 
entire statement will be included in the record and therefore I 
will move to summarize.
    I appreciate the opportunity to be here today to discuss 
the key challenges that Federal agencies face in safeguarding 
certain personal and sensitive information that's in their 
custody and taking action when that information is compromised.
    As we've just heard, there have been circumstances in the 
past where such information has been compromised, and I think 
it is important to note that this is a matter of increasing 
concern both in the public and the private sector and breaches 
have occurred all too frequently in the private and the public 
sector. As we look forward, I think it is important to keep in 
mind that Federal agencies are subject to security and privacy 
laws that are aimed in part at preventing security breaches, 
including breaches that could result in identity theft.
    The major requirements of the protection of personal 
privacy by Federal agencies come from two laws: The Privacy Act 
of 1974 and the E-Government Act of 2002. The Federal 
Information Security Management Act of 2002, FISMA, also 
addresses the protection of personal information in the context 
of securing Federal agency information and information systems.
    Federal laws to date have not required agencies to report 
security breaches to the public, although breach notification 
has played an important role in the context of security 
breaches in the private sector. A number of actions can and 
should be taken in order to help safeguard against the 
possibility that personal information maintained by government 
agencies is inadvertently compromised.
    First, agencies should conduct privacy impact assessments 
and, second, agencies should ensure that they have a robust 
security program in place. In the course of taking a more 
strategic approach in adopting these two particular measures to 
protect privacy and enhance security over personal information, 
agencies should also consider several other specific actions, 
including limiting the collection of personal information, 
limiting data retention, limiting access to personal 
information and conducting appropriate training of persons who 
do have access, and considering using technological controls 
such as encryption when data needs to be stored on mobile 
devices, and other measures.
    Irrespective of the preventative measure that James put in 
place data breaches are possible and may occur. However, in the 
event that an incident does occur agencies must respond quickly 
in order to minimize potential harm that could be imposed by 
identity theft. Applicable law such as the Privacy Act 
currently do not require agencies to notify individuals of 
security breaches involving their personal information. 
However, doing so allows those affected the opportunity to take 
steps to protect themselves against the dangers of identity 
theft. Breach notification is also important in that it can 
help an organization address key privacy rights of individuals 
and in the government notifying somebody like OMB, helps to 
obtain a better understanding of the government-wide challenges 
associated with this area.
    Public disclosure of major data breaches is a key step to 
ensuring that organizations are held accountable for personal 
protection of information. At the same time, care needs to be 
taken to avoid requiring agencies to notify the public of 
trivial security incidents.
    In summary, agencies can and should take a number of 
actions to help guard against the possibility that data bases 
of personal, sensitive information aren't inadvertently 
compromised. Furthermore, when such compromises do occur, it is 
important that appropriate notification steps be taken.
    We at GAO are attempting to lead by example as well, and I 
must note, Mr. Chairman, that I met with my own CIO about these 
issues and am comfortable that we are taking appropriate steps, 
but I have also instructed them to take a couple of additional 
steps in light of some of the recent events that have occurred.
    I would also note that with the additional proliferation of 
teleworking and with the additional use of laptop computers in 
the government that this becomes an increasing challenge and 
one of significant concern and interest. As Congress considers 
legislation requiring agencies to notify individuals or the 
public about security breaches, we think it is important to 
ensure that there are specific criteria that are defined for 
the incidents that merit public notification. Congress may also 
want to consider a two-tier reporting requirement in which all 
Federal Government security breaches are reported to OMB and 
affected individuals regarding the nature of the violation and 
the risk imposed.
    Furthermore, Congress should consider requiring OMB to 
provide guidance to agencies on how to develop programs and 
remedies to affected individuals.
    And last, Mr. Chairman and members of the committee, I 
would say on listening to the two colleagues who presented 
before myself, you may want to think about whether or not there 
should be additional requirements for restricting access to 
sensitive information or conducting mandatory training and 
monitoring with regard to those who do have access for 
requiring reporting to OMB to the extent there is a significant 
breach within the Federal Government, and as the Secretary 
mentioned, make sure that there are tough sanctions for 
violators.
    We need to have incentives. We need to have transparency, 
and we need to have an accountability mechanism, and if we 
don't have all three of those the system won't work.
    Thank you very much.
    [The prepared statement of Mr. Walker follows:]
    [GRAPHIC] [TIFF OMITTED] 28759.017
    
    [GRAPHIC] [TIFF OMITTED] 28759.018
    
    [GRAPHIC] [TIFF OMITTED] 28759.019
    
    [GRAPHIC] [TIFF OMITTED] 28759.020
    
    [GRAPHIC] [TIFF OMITTED] 28759.021
    
    [GRAPHIC] [TIFF OMITTED] 28759.022
    
    [GRAPHIC] [TIFF OMITTED] 28759.023
    
    [GRAPHIC] [TIFF OMITTED] 28759.024
    
    [GRAPHIC] [TIFF OMITTED] 28759.025
    
    [GRAPHIC] [TIFF OMITTED] 28759.026
    
    [GRAPHIC] [TIFF OMITTED] 28759.027
    
    [GRAPHIC] [TIFF OMITTED] 28759.028
    
    [GRAPHIC] [TIFF OMITTED] 28759.029
    
    [GRAPHIC] [TIFF OMITTED] 28759.030
    
    [GRAPHIC] [TIFF OMITTED] 28759.031
    
    [GRAPHIC] [TIFF OMITTED] 28759.032
    
    [GRAPHIC] [TIFF OMITTED] 28759.033
    
    [GRAPHIC] [TIFF OMITTED] 28759.034
    
    [GRAPHIC] [TIFF OMITTED] 28759.035
    
    [GRAPHIC] [TIFF OMITTED] 28759.036
    
    [GRAPHIC] [TIFF OMITTED] 28759.037
    
    [GRAPHIC] [TIFF OMITTED] 28759.038
    
    [GRAPHIC] [TIFF OMITTED] 28759.039
    
    [GRAPHIC] [TIFF OMITTED] 28759.040
    
    [GRAPHIC] [TIFF OMITTED] 28759.041
    
    [GRAPHIC] [TIFF OMITTED] 28759.042
    
    Chairman Tom Davis. Thank you very much.
    Mr. Gray.

                  STATEMENT OF WILLIAM E. GRAY

    Mr. Gray. Chairman Davis, Representative Waxman and members 
of the committee, thank you for inviting me here this morning 
to discuss government data security at the Social Security 
Administration. As SSA Deputy Commissioner for Systems, I 
appreciate the opportunity to talk about the ongoing challenge 
of safeguarding the personal information that the public counts 
on us to protect.
    As you know, Mr. Chairman, the Social Security Board's 
first regulation published in 1937 dealt with confidentiality 
of SSA's records. Our policies predate and are consistent with 
the Privacy Act, and while the technologies we employ to ensure 
the safety and privacy of our records has changed dramatically 
over the 70-year history of our program, our commitment to the 
American people and maintaining the confidentiality of our 
records has remained constant.
    We nurture a security conscious culture throughout the 
agency from the executive level down. Every time an SSA 
employee logs on to his or her work station, and that includes 
the Commissioner of Social Security, a banner pops up warning 
that unauthorized attempts to access, upload or otherwise alter 
SSA's data are strictly prohibited and subject to disciplinary 
and/or criminal prosecution. In effect, every SSA employee sees 
that message every day he or she comes to work.
    We use state-of-the-art software that carefully restricts 
our employees' access to data. Using this software, we ensure 
the employees only have access to the information they need to 
perform their jobs. The software allows us to audit and monitor 
the actions of individual employees, and it provides us with 
the means to investigate allegations of misuse.
    Every year every SSA employee must read the Sanctions for 
Unauthorized Systems Access Violations, which we developed to 
secure the integrity and privacy of personal information 
contained in the computer systems. This memorandum advises SSA 
employees of the category of security violations and the 
minimum recommended sanctions. Annually, all employees are 
required to read and sign the acknowledgment statement 
indicating that they have read and understood the sanctions.
    Our Flexiplace agreements require adherence to our 
information management in the electronic security procedures 
for safeguarding data and data bases. While each Flexiplace 
agreement is different, they share different basic 
requirements. The agreements generally contain provisions that 
require participating employees to maintain lockable storage 
for securing files at the alternate duty site. They also 
require participating employees to protect government records 
from unauthorized access, theft and damage in addition to 
requiring protection from unauthorized disclosure in accordance 
with the Privacy Act and other Federal laws restricting 
disclosure of the information we maintain.
    A violation of the conditions set forth in the agreements 
results in disciplinary action. Penalties may range from 
reprimand to removal, depending on the seriousness of the 
violation.
    Despite our best efforts in establishing policy and 
procedures and enforcing these procedures, no system of 
safeguards is immune from human error. We use these rare 
occurrences to review and strengthen our security precautions.
    At SSA, our approach to data security is multi-faceted. It 
involved numerous policy and hardware and software safeguards. 
Even with all of the measures and safeguards we use, we cannot 
rest and be satisfied that we've plugged every hole. We 
continue to monitor, test, and evaluate what we are doing to 
prevent, detect and mitigate any potential threat. We strive to 
create and maintain a security conscious culture. We continue 
to try to stay abreast of all threats and vulnerabilities 
associated with emerging technologies, and our goal is to keep 
up with best practice approaches related to information 
security.
    We have recently reemphasized with all employees the 
critical importance of safeguarding personal information, and 
we've directed managers to reinforce this point with their 
employees. In light of recent events, we are also conducting 
the review of our response procedures and protocols.
    Mr. Chairman, Commissioner Barnhart and I recognize that 
data security is an ongoing challenge and critical component of 
our mission. We look forward to continuing to work with the 
committee to assure the American people that we are doing all 
that we can to maintain the security of the information 
entrusted to us.
    Thank you for the opportunity to speak before this 
committee, and I am happy to answer any questions.
    [The prepared statement of Mr. Gray follows:]
    [GRAPHIC] [TIFF OMITTED] 28759.043
    
    [GRAPHIC] [TIFF OMITTED] 28759.044
    
    [GRAPHIC] [TIFF OMITTED] 28759.045
    
    [GRAPHIC] [TIFF OMITTED] 28759.046
    
    [GRAPHIC] [TIFF OMITTED] 28759.047
    
    [GRAPHIC] [TIFF OMITTED] 28759.048
    
    [GRAPHIC] [TIFF OMITTED] 28759.049
    
    [GRAPHIC] [TIFF OMITTED] 28759.050
    
    Chairman Tom Davis. Thank you very much.
    Mr. Galik.

                   STATEMENT OF DANIEL GALIK

    Mr. Galik. Good morning, Mr. Chairman, Mr. Waxman and 
members of the committee. I am pleased to be with you this 
morning to discuss IRS's efforts relative to information 
technology security and the privacy of both employee and 
taxpayer information. Commissioner Everson regrets that he 
could not be here today as he is out of the country on travel 
that was scheduled several weeks ago.
    Taxpayer and employee privacy is of foremost concern to the 
IRS. We are charged with protecting the most critical 
information about virtually every American. Taxpayer data is 
subject to much higher statutory protection and safeguards. 
IRS's security policy guidance requires the mandatory use of 
encryption to protect all taxpayers and other sensitive, 
personally identifiable information that may be contained in 
IRS's computer systems. We continue to update our systems and 
our training so that employees who have access to sensitive 
information are aware of the steps they must take to prevent 
that information from being compromised.
    This job has never been tougher, specifically in an agency 
like the IRS. We have more than 82,000 full-time and 12,000 
part-time employees. We also have a large mobile work force 
that utilizes laptops and other portable storage devices, and 
they are authorized to have taxpayer and sensitive information 
with themselves at locations outside of IRS office space.
    By focusing on both privacy and security, we have made 
significant progress in upgrading our system to respond to the 
security challenges we face in this new age. Consider the 
following: We have achieved the green status on the President's 
management agenda fiscal year 2000 scorecard with over 90 
percent of our major systems having successfully completed 
security certification and accreditation. In early 2004, very 
few of the IRS's major information systems had not completed 
security accreditation.
    We make use of a defense and security approach with over 
100 firewalls and several intrusion detection devices on our 
computer systems. We operate our own computer security incident 
response center that monitors all network activity 24 hours per 
day. There is no evidence that any IRS systems, including the 
master files of all taxpayer data, have ever been successfully 
penetrated or compromised by external attacks. Cracking our 
system requires more than bypassing a single barrier. All IRS 
computers are equipped with multiple data protection tools that 
allow IRS users to encrypt all IRS taxpayer data and all other 
sensitive information that they may have on their computers, 
including their laptops.
    In light of the incident at the VA, the IRS is aggressively 
reviewing all policies, processes and training to ensure IRS 
users know how to use the encryption tools and are aware of the 
penalties of violation of policies. It is important to note 
that the laptops used by all IRS personnel working in the field 
are equipped with software applications that automatically 
encrypt all taxpayer and other personal and sensitive 
information.
    We have also been proactive not only in the area of 
security but also on our commitment to privacy. Almost 1 year 
ago we implemented OMB to designate senior officials to 
privacy. Despite all of this we know that we are still 
vulnerable to computer theft and loss, especially since our 
agents need to use laptops in the performance of their duties 
outside of IRS premises.
    For example, recently an IRS employee checked a laptop as 
checked baggage on a commercial air flight. The laptop did not 
make it to the proper destination. We determined that the 
laptop contained the names, Social Security numbers and dates 
of birth of 291 IRS job applicants and employees. We reported 
this security breach to our Inspector General and law 
enforcement, which are currently conducting an investigation. 
We have attempted to call each of the individuals as 
information was on the laptop, and we also sent a letter to 
inform them of the missing data and to guide them on how to 
watch for suspicious activity. We are also taking additional 
steps to ensure this does not happen again.
    In summary, Mr. Chairman, we at the IRS take privacy and 
security of both taxpayer and employee information as one of 
our highest priorities. We have taken numerous steps to make 
sure that our systems are not breached, but because so much of 
our work is done offsite we have a heavy reliance on laptops 
and other portable mass storage devices. While we remain 
vulnerable to one of those devices being lost or stolen, we are 
making every effort to ensure that any data on such a device is 
encrypted and of no use to anyone.
    The Treasury Department and IRS look forward to continuing 
to work with the committee to ensure we are doing everything 
possible to protect taxpayer information and privacy.
    I appreciate the opportunity to appear today. I'll be happy 
to answer any questions.
    [The prepared statement of Mr. Galik follows:]
    [GRAPHIC] [TIFF OMITTED] 28759.051
    
    [GRAPHIC] [TIFF OMITTED] 28759.052
    
    [GRAPHIC] [TIFF OMITTED] 28759.053
    
    [GRAPHIC] [TIFF OMITTED] 28759.054
    
    [GRAPHIC] [TIFF OMITTED] 28759.055
    
    [GRAPHIC] [TIFF OMITTED] 28759.056
    
    [GRAPHIC] [TIFF OMITTED] 28759.057
    
    [GRAPHIC] [TIFF OMITTED] 28759.058
    
    [GRAPHIC] [TIFF OMITTED] 28759.059
    
    Chairman Tom Davis. I want to thank all of you very much.
    Twenty-six million veterans' records, a million active duty 
records, 300 tax records. And I am just troubled with the 
number and the scope of losses. We have a lot of laws 
protecting secure information. Personal information really 
seems to fall into a different category and maybe we have to 
give it, you know, rethink how we deal with this.
    To all of you, I guess I'd ask, what assurances can you 
give this committee and the American public that personal and 
sensitive data in Federal IT systems are secure to access, 
control staff are being trained in security practices and the 
breaches will be detected quickly and those responsible for 
sloppy data handling will be punished?
    Mr. Johnson. The question is what assurances can we give? 
We need to give them a greater level of assurance than they 
have now obviously. OMB needs to be held accountable for 
ensuring that all agencies have plans that they deem 
acceptable, that OMB and Congress deems acceptable and they 
implement this plan and they do what they say they are going to 
do, and there are various ways of doing that: Reporting 
mechanisms, details of reporting, frequency of reporting. There 
are a lot of mechanisms for doing that.
    I think we are doing more and more of that with the present 
agenda. A lot of our government-wide initiatives, security 
clearance reform. Where we are doing a better and better job of 
holding agencies accountable is for implementing some new way 
of doing business and we need to employ that here to 
everybody's satisfaction. We need to make sure we have a plan, 
agencies have a plan to do what's the right thing and that they 
then follow through and implement that plan as promised.
    Chairman Tom Davis. I mean, Secretary Nicholson, you came 
in with your plan of what you were trying to do proactively to 
prevent this in your agency. Let me ask for the employee who 
was involved, he's terminated at this point; is that correct?
    Secretary Nicholson. That's correct.
    Chairman Tom Davis. What was the lag time of when this was 
stolen and when he notified his superiors? Do you know?
    Secretary Nicholson. He notified his superiors the day that 
he discovered that it had been stolen.
    Chairman Tom Davis. OK. And did they--how long did it take 
to get to you?
    Secretary Nicholson. Thirteen days.
    Chairman Tom Davis. OK. Obviously you are dealing with that 
in your Department, aren't you.
    Secretary Nicholson. Yes, sir.
    Chairman Tom Davis. We don't know what is out there, but 
time is critical in a case like this. Have the police 
department, the local police department been involved in any 
leads on--have they put any pressure into this knowing what's 
at stake?
    Secretary Nicholson. Yes. It's a well-known fact this 
happened in Montgomery County, MD, and the local law 
enforcement people turned to it immediately.
    Chairman Tom Davis. There are a series of burglaries in 
that area.
    Secretary Nicholson. There were a series of burglaries with 
the same pattern, and they believe that these were young 
burglars whose goal was to get computers and computer 
peripheral equipment from other houses like they did this 
house. They took laptops and hard drives, overlooked other sort 
of valuable or semi-valuable things to get this computer 
equipment. They further think that their MO is to take these 
things, clean them up, actually to erase them and fence them 
into a market for college campuses and high schools where they 
pick this stuff up pretty cheap. We have no assurance of that.
    Chairman Tom Davis. All right.
    Secretary Nicholson. By the way, the FBI is intensely 
involved now, as our Inspector General. They have had a few 
leads. They've apprehended a few people who have committed 
these burglaries but they didn't have--we have the serial 
numbers of this equipment and we checked it against some of the 
equipment but it didn't match.
    Chairman Tom Davis. But the answer is the locals with 
Federal help now have intensified what would have been a 
routine investigation. I want to be assured that we are doing 
everything at all levels to try to close this out. That would 
be the win/win if we could close this out, find the 
perpetrators, find the missing disks and be able to bring this 
to closure.
    Secretary Nicholson. Indeed.
    Chairman Tom Davis. Data breach laws at the State level 
which require companies to inform individuals whom the 
organizations exposes a breach of their personal information 
have really improved our understanding of this problem. 
Congress is carrying a national breach standard, but currently 
there is no requirement to notify citizens in the case of a 
breach, the Federal agencies notify when a breach of personal 
information occurs on a Federal Government data base, and what, 
if any, guidelines exist to determine if a breach requires a 
notification? How do you determine what's trivial, and General 
Walker, do you have any thoughts on that and should we consider 
a Federal agency breach notification law?
    Mr. Walker. The answer is yes, I think you should consider 
a Federal agency breach notification law, one that would 
require notification of affected individuals as well as notify 
OMB to obtain an understanding of what might be going on on a 
government-wide basis. I think one has to be careful to make 
sure that you do have some criteria laid out to meaningfully 
differentiate between certain events that don't represent a 
real risk of identity theft. For example, there may have been 
something that was misplaced for a short period of time that's 
been recovered. Obviously, that's not something you want to 
have a broad based notification on. And we would be happy to 
work with this committee to come up with some potential 
criteria. But yes, it is something you need to consider.
    You may well also want to consider whether or not you want 
to require agencies to have certain things. For example, to 
restrict access to certain sensitive information, to have 
mandatory training and monitoring with regard to individuals 
who do have access to certain reporting requirements, which we 
just talked about; and you may also want to think about whether 
or not there need to be tougher sanctions here than might exist 
under current law.
    Chairman Tom Davis. Thank you.
    Mr. Gray. I wanted to say under Social Security if there's 
a data breach, we would always notify. It is part of our policy 
to notify the claimant and work with them.
    Chairman Tom Davis. Mr. Sanders.
    Mr. Sanders. Thank you very much for holding this important 
hearing. Before I get into the thrust of the issue today I did 
want to respond to something Secretary Nicholson said. We 
talked about the improvements in VA health care and I concur 
with you. But, Mr. Secretary, remember just last year your 
administration denied VA health care access to over 250,000 
priority 8 veterans, including those who had fought in World 
War II. You wanted to raise--double the cost of prescription 
drugs for our veterans. You also wanted to increase fees 
substantially, which would probably have thrown hundreds of 
thousands of other veterans of VA health care and the veterans 
organizations also understand that the Bush administration is 
significantly underfunding the VA and the needs of our 
veterans.
    Now in terms of this issue today, it is really difficult to 
imagine with all of the money we spend on security at the 
Federal level every year how what appears to have been a garden 
variety burglary in suburban Maryland could result in a breach 
of the personal information of over 26 million American 
veterans, including, it appears, over 2 million American 
military personnel.
    You know we have about 300 million people in our country. 
What we are looking at is a breach of privacy for approximately 
10 percent of the American population, and if you look at the 
adult population it is probably 15 or 20 percent, at one time, 
an unprecedented and extremely dangerous breach of privacy for 
tens of millions of Americans.
    According to a variety of experts quoted in yesterday's 
Washington Post, this breach could enable the holder of this 
information to, ``create a zip code for where each of the 
service members and their families live and if it fell into the 
wrong hands could potentially put them at jeopardy of being 
targeted.''
    These experts, including those at the Center for Strategic 
and International Studies, have expressed concern that this 
released information could, ``reach foreign governments and 
their intelligence services or other hostile forces, allowing 
them to target their service members and families.''
    One anonymous Defense official quoted in the Post called 
the extent of the battle, ``monumental.''
    This is serious business. I think we all understand that.
    Mr. Waxman and Mr. Davis have raised some very important 
issues. Mr. Secretary, my question for you is, it is obvious, I 
think there is no disagreement here, that we have to make sure 
that this never happens again. We have to do a much, much 
better job in protecting the privacy in the records of all of 
the American people, including those in the military and our 
veterans, but this is my question for you.
    After all is said and done, after hopefully we do all of 
these things, if--and we certainly hope this does not happen--
if there is a breach of privacy, if in fact identity theft does 
happen and if in fact you know how--what a terrible situation 
would be of theft. People spend years and years working to 
recover. I am on the Financial Services Committee. We've heard 
horrendous testimony from people for years and years who have 
tried to clear their names as other people have stolen their 
identities. It would seem to me that given what has happened 
and the responsibility for it at the VA, what are you going to 
do to protect 28 or 30 million Americans whose identity theft 
may be at risk if in fact that happens? Are you going to come 
to Congress and say we will ask for money to make sure that we 
will provide the financial resources necessary and the legal 
resources necessary to protect those tens and tens of millions 
of people whose identity was released?
    Secretary Nicholson. I think that's a very good, very 
important question. And we--so far what we have done, we've 
notified every person whose identity that we have and with the 
cooperation of the IRS because the addresses we do not have we 
matched them against Social Security without a violation of 
their privacy and we were able to--we sent a letter to every 
affected person, and in that letter we give them one notice 
that this has happened and the steps that they can take and the 
steps--and we've coordinated closely with the three major 
credit agencies that there are in the United States who make 
available to every citizen upon a call or an e-mail or a fax a 
free credit check and a credit alert. So that they can 
implement that immediately. If they have any questions about 
how to do that or need assistance----
    Mr. Sanders. And that's fine. I am aware of that. But 
here's the question. If--and we hope it does not happen, but if 
it does happen, you know, the identity theft is a horrible 
thing. We have heard testimony year after year from people who 
have tried to clear their names and convince creditors that 
they have not racked up these bills. It's a terrible 
experience. If that happens, are you going to come before 
Congress and say we have to take responsibility for the 
financial expenses incurred by veterans for the legal expenses? 
Are you going to come before Congress and ask for that help, or 
are you going to let the men and women in our military have to 
cope with this by themselves?
    Secretary Nicholson. I can tell you, Congressman Sanders, 
our No. 1 priority really in everything that we do at the VA is 
the veteran, what's best for our veteran, and we now have 
active service members that we would include in that priority. 
So what unfolds will be guided by that principle.
    We also, I would mention to you, have, and this was not in 
place before this came to the light of day, a new Presidential 
task force on identity theft and very ironically had a meeting 
set for this task force and I serve on it. The first meeting 
was accelerated and met the first day that we disclosed this 
information. And that task force will also consider this 
question because it's a very important question.
    I had a meeting yesterday afternoon with the veterans 
service organizations, leadership, 15 or 20 of them. We had the 
same discussion.
    Mr. Sanders. I think they have initiated a lawsuit against 
you; isn't that correct?
    Secretary Nicholson. One group of them has initiated, 
others have issued statements saying that's not the answer to 
this.
    Mr. Sanders. My hope, Mr. Secretary, is that in fact you 
will do everything that you can, that in case there is identity 
theft taking place that you do everything you can to protect 
financially and legally our veterans, that you will come before 
Congress if you need the money to do that.
    Chairman Tom Davis. Thank you very much. Mr. Gutnecht.
    Mr. Gutknecht. Thank you, Mr. Chairman. I guess I am 
becoming a little more or less confused about this from this 
testimony, because what I've been reading in the papers is 
there was a very serious security breach and that millions of 
names were out there floating in space. What I am hearing 
today, Mr. Nicholson, is that's not exactly the case, at least 
we don't know that yet. Let me review what we've learned today 
to make sure I am on the same page.
    An employee against the policy of the VA took their laptop 
computer home. That laptop computer was stolen. We don't know 
what happened to the data that probably was on that laptop, but 
so far none of that data has appeared in cyberspace as far as 
we know; is that correct?
    Secretary Nicholson. That's correct, Congressman. I just 
would add that they took a laptop, some computer disks and 
downloaded it into a hard drive and the hard drive was stolen 
also.
    Mr. Gutknecht. I am going to be clear on this. Who 
downloaded it or who downloaded it to the hard drive?
    Secretary Nicholson. The employee, the subject employee.
    Mr. Gutknecht. But the people who stole it, we don't know 
what they did with that data?
    Secretary Nicholson. That's correct.
    Mr. Gutknecht. So I think we have to be careful not to get 
too far ahead of ourselves in terms of real damage. So far 
there is no evidence that any of these people have actually 
sustained any real damage; is that correct?
    Secretary Nicholson. That is correct.
    Mr. Gutknecht. And in testimony you said that you are going 
to implement even tougher policies. The employee who was 
involved has been fired. What else has happened in terms of the 
agency not only to sort of cure this problem but to hopefully 
prevent this kind of a problem in the future--not only in your 
department; this could happen in any department, couldn't it?
    Secretary Nicholson. Yes, it could. His--the Acting 
Assistant Secretary in that department has been let go. The 
principal Deputy Assistant Secretary has been let go. We are 
rebuilding that department and the Office of Policy and Plans. 
They have a very bright, recently acquired Navy admiral that 
the President has now announced that we've recruited. We have 
tremendous opportunity in the private sector and he has a great 
background. He's teamed up to come in if confirmed to take over 
to rebuild that department.
    We are reviewing all of our existing rules, regulations and 
laws, and that is another reason I welcome the opportunity to 
come here not because it is pleasant to you in light of what's 
happened, it is my responsibility, but we need to put some more 
teeth into the enforcement of this because the attitude is far 
too laissez faire. And I would add that in the discussion that 
just ensued where we talked about having some teeth in HIPPA 
and not having teeth in FISMA, in HIPPA there is also a 
requirement to disclose to people if their identity has been 
accidentally or intentionally compromised, where there is not 
in FISMA. Let's put it in there. Just another step, and then we 
need to start enforcing some of this so we set some examples.
    Mr. Gutknecht. Let me--I can't resist the opportunity, Mr. 
Gray, I want to come back to a question that keeps coming up 
relative to Social Security, and that is we are having some 
rather heated debates in Washington about illegal immigration. 
And I have heard employers say that one of the real problems we 
have is a lot of people are using false Social Security 
numbers. How does the Social Security Administration deal with 
that because I have heard there may be three different 
employees using the same Social Security numbers. How does that 
not come back to the----
    Mr. Gray. One of the tools that we fielded last year was 
the Social Security number verification system that allows an 
employee who they hire to enter the information into a Web 
based application and verify that person's Social Security 
number really doesn't belong to them to give them a tool in 
making sure that Social Security number and those wages are 
reported correctly. In addition to that, as employers report 
wages throughout the year we do checks to try to make sure that 
we associate the wages appropriately with the person's Social 
Security number.
    Mr. Gutknecht. Are you saying right now we don't have 
multiple employees using the same Social Security number?
    Mr. Gray. No, I am not saying that.
    Mr. Gutknecht. How would you find that out?
    Mr. Gray. When the wage earner--when the employer reports 
come in we can have multiple employers showing multiple wages 
on the same Social Security number. We try to investigate that.
    Mr. Shays [presiding]. I'm going to interrupt. Mr. Waxman 
needs his time before the vote time.
    Mr. Waxman. Thank you, Mr. Chairman. As I understand it, we 
have had on the books since 1974 laws to protect privacy and 
another law in 2002. The General Accountability Office has been 
giving grades to agencies about how well they're doing in 
meeting requirements.
    Isn't that correct?
    Mr. Walker. I think this committee is the one that gives 
the grades. We do, however, look at computer security as part 
of our audit of the financial statements, and that is a 
material weakness area for many agencies.
    Mr. Waxman. In fact, this committee gave the Veterans 
Administration an F in terms of security for this kind of data.
    Secretary Nicholson, you blame this on obviously employees 
being fired, on the culture, on people just not doing what 
they're supposed to be doing, but that doesn't sound to me like 
we are really getting to the heart of it. It is sort of passing 
the buck. Now it sounds like you are also going to seize this 
opportunity to clamp down, and I appreciate that. But I just 
want you to know how bureaucratic it all sounds. We have Mr. 
Johnson from the Office of Management and Budget. You are the 
Secretary. You are Secretary for only a short period of time 
and you blame the fact that an employee had been there for a 
long time. I don't know what relevance that has except we need 
to find out who has access within the VA to the type of 
information that was stolen. Do you know how many people have 
access to this type of information?
    Secretary Nicholson. Congressman Waxman, I don't think I 
could give you right now the exact number, but I will tell you 
that quite a few people do. We have a system of authorized 
telecommuting and teleworking that is a product of 
encouragement of the Federal Government.
    Mr. Waxman. How many VA employees have the capacity to 
download this information unencrypted onto personal computers?
    Secretary Nicholson. Well, the--of the subject information 
it would--I couldn't give you the exact number right now but 
that number would not be real high because this was a--out of 
what is called a BURALS file, which is an acronym for this 
system. He was working on a project at his home and using the 
entire data base. Not many would have that.
    Mr. Waxman. You explained that individual. Do you know how 
many employees have such unencrypted information on personal 
hard drives outside of the VA offices now?
    Secretary Nicholson. Yes. I think that 35, roughly 35,000 
employees of the VA have some level of accessing data and 
working it on laptops or computers at home, much of it through 
the VPM, the Virtual Personal Network.
    Mr. Waxman. That's a large number of people that have this 
information out. You have said that what we need to do is--I 
hope you'll take charge of those 35,000 people or so that had--
--
    Secretary Nicholson. As I said in my testimony, we are 
doing a survey right now to see who all has access, why they 
have access, and what access they have, inventorying the entire 
system.
    Mr. Waxman. The story seems to have changed. First we were 
told only veterans and some spouses were affected and then 
about 50,000, but no more active duty personnel were affected. 
And then on Tuesday we learned that 80 percent of the active 
duty military may have been impacted. Was any medical 
information on any of these veterans, on active duty members 
compromised?
    Secretary Nicholson. No, sir.
    Mr. Waxman. How about disability ratings?
    Secretary Nicholson. Some of them had a disability 
classification index in part of their line. But on the medical 
question there were no--no medical records were compromised in 
this at all. There were about 300 people that we have 
ascertained through the forensic work that we are doing that 
have an annotation, a medical annotation next to their name. 
And I'll give you an example because I looked at all of these. 
One of them said asthmatic. Another herniated disc. It is fewer 
than 300 but nearly 300 have that degree of annotation next to 
their name.
    Mr. Waxman. I see my time has expired. Thank you, Mr. 
Secretary. Mr. Chairman.
    Mr. Shays. Thank you very much.
    I'd first like to ask GAO is this something that should 
have shown up in our radar screen? We can throw bricks at the 
administration and we can throw bricks at the Department. But 
is this something where GAO could have alerted us better? Or 
you did alert us or combination of both? What's an honest 
assessment of why all of a sudden we seem to be outraged and 
shocked by what's happened?
    Mr. Walker. I think both the GAO and Inspector General have 
both in this case been charged with the responsibility for 
auditing personal statements of respected agencies as well as 
U.S. Government overall. There are serious security challenges. 
So many agencies----
    Mr. Shays. Same security channel. Say we are finding 
terrorists, it's more helpful when we are fighting Islamic 
terrorists we know are not from Iceland.
    Mr. Walker. I think the key, Mr. Chairman, we have a lot 
more controls over classified information and taxpayer 
information and, as Secretary Nicholson mentioned, there are 
now sort of the controls under HIPPA for health information. 
There is a gap here, and the gap is with regard to certain 
sensitive information that could end up improperly being 
disclosed, and I think one of the things we need to look at is 
not--clearly agencies should be taking steps on their own but 
Congress may want to consider requiring certain steps.
    Mr. Shays. That's helpful information, but sometimes 
Congress will get blamed. Sometimes Congress will get blamed 
because we didn't do something. We look at the testimony and 
the department head says we have all of the money we needed to 
get the job done. You need to refer to someone.
    Mr. Walker. If I can. Thank you. I've been advised we have 
not issued a report directly on this. However, in the conduct 
of our audits we have noticed weaknesses in this area before so 
it was one of a number of material controls.
    Mr. Shays. But weaknesses specifically with people taking 
information out?
    Mr. Walker. Weaknesses with the potential for information 
to be compromised, not that it actually was compromised.
    Mr. Shays. What strikes me, you know, I heard the Secretary 
say he was outranked. He should be outranked because it is 
beyond stupid to take out sensitive documents. But I have a 
sense that is a common practice. So obviously we've all been a 
little asleep. The department heads have been asleep. The White 
House has been asleep. Congress has been asleep and now we are 
trying to deal with it, and all I wanted to know is there's 
been no specific outlining that we have this kind of problem. 
And you are coming forward and obviously saying we need to deal 
with this issue? You are also saying we have had security. We 
need to maintain security. Mr. Johnson, tell me, when you heard 
that this happened at the Department of Veterans Affairs? Anger 
would probably be one way to describe it, but were you 
surprised or did you start to say, my gosh, you know, is this 
just the tip of the iceberg?
    Mr. Johnson. No. I was surprised. I am told that there are 
dozens of security breaches involving a laptop, for instance, 
nothing, though--a year. None of these involve 26, 27 million 
names. So this is the hundred-year storm of security breaches. 
So the magnitude of it is the alarming thing. There are 
breaches. There will be breaches. And in spite, no matter 
however we spend and how tightly we resecure this, the more we 
secure it, the more responsible, the fewer the number of 
breaches, whenever we have one we need to respond accordingly, 
figure out what caused the problem and deal with it. But it was 
the number of names that was truly alarming to everyone.
    Mr. Shays. If it's anticipated that this was a common 
theft, they weren't really looking for this bit of information 
and that's one of the opinions out there. Is it a strongly held 
opinion on the part of folks that are investigating this?
    Secretary Nicholson. Yes, sir. I would say, Mr. Chairman, 
that it is quite commonly held among the law enforcement 
investigating communities.
    Mr. Shays. Is it something where we can simply offer a 
significant reward to contact a certain person with no--that 
they return this with no prosecution? I mean, because what's at 
stake is so significant. Do we have the capability to say, you 
know, you stole the computer but, by the way, you have 
something that will cost us billions of dollars to deal with 
and provide some incentive for them to return it with no 
prosecution if they do? Do we have the capability to do that?
    Secretary Nicholson. We do not have the capability. That 
was discussed at our hearings in the GAO committee. But I will 
say that a $50,000 reward has been posted by the Montgomery 
County, MD law enforcement community.
    Mr. Walker. As I mentioned earlier, and you may or may not 
have been here.
    Mr. Shays. I was trying to be in a vote.
    Mr. Walker. I understand. I was briefed by my own CIO with 
regard to our own procedures and there are two things that I 
think people can think about in this area right now 
irrespective of whether or not Congress takes any action.
    Specifically to encrypt all sensitive information of the 
type that we are talking about. That doesn't mean encrypt all 
information, but encrypt this type of sensitive information. 
And all--or prevent the ability to download and/or copy certain 
types of sensitive information. Those are things that can and 
should be done now. Because the fact is we are moving to use 
technology more. More and more government employees have 
laptops because they are mobile, because the government is 
promoting Flexiplace and things of that nature. So we need to 
take these steps to minimize the risk.
    Mr. Shays. My Government Reform subcommittee oversees 
Defense and State Department hearings about classified material 
and we had DOD testing that 50 percent should be reclassified, 
50 percent more than we should classify, we had the outside 
group saying we classified 90 percent more than we should. Then 
we had a hearing on all of these sensitive but not classified, 
which anyone could classify, and then we have a breach like 
this which clearly should never have gotten out of someone's 
office. So it blows you away and some of the secret stuff that 
I look at would make you laugh because there is nothing secret 
about it and something like this is huge and it just--when you 
went to look at it in your own operation, did you get a candid 
response from anyone who said, hey, boss, we sometimes take out 
stuff, too, or do you have confidence within your own 
department that this couldn't happen?
    Mr. Walker. I have confidence. We have extensive procedures 
in checks and balances. For example, when we have this type of 
sensitive information, we typically end up having a separate 
hard drive that we lock up. We have computers at GAO. The 
people can only use computers at GAO for this type of 
situation. You could theoretically have somebody who willfully 
and intentionally, however, wants to abuse the system, and 
that's why we've never had that, I might note. But that's why I 
am saying what else can we do to even try to deal with that 
situation. Even if you have all of these other checks and 
balances, that's why I come back to encrypt this type of 
information and/or possibly as a supplement prevent the copying 
and/or downloading of this type of information.
    Mr. Shays. Let me conclude with this and then go to Mr. 
Mica.
    Is the biggest concern that people will be careless or that 
they will actually be devious and go beyond careless? What is 
the big concern? Maybe you could comment as well.
    Secretary Nicholson. I think the bigger concern, Mr. 
Chairman, is carelessness. That's the instant case. This person 
wasn't being deviant. They were working on a project that he 
had been doing that for 3 years, taking the data home and 
working.
    Mr. Shays. How long do you think it's going to take you to 
resolve this problem, not get the information back but make 
sure it doesn't happen again?
    Secretary Nicholson. I think that it won't happen overnight 
but it is very doable and we are under way. It is something 
that absolutely has to be done, but I don't know that you were 
here, but we are going to need some tools for enforcement and 
you were touching on it a minute ago when we require----
    Mr. Shays. I don't want to repeat the record. Yes, Mr. 
Johnson, and I apologize.
    Mr. Johnson. I'd like to point out that--follow up on what 
Mr. David Walker was talking about. It is currently the 
standard that all data, sensitive data on laptops be encrypted. 
That is the standard. It's just not enforced. We don't hold 
agencies, ourselves accountable for that being the case.
    Mr. Shays. Thank you.
    Mr. Mica.
    Mr. Mica. Thank you, Mr. Chairman, and I am not here really 
to beat up on these witnesses. In fact, I know three of them 
fairly well. You have three probably of the most dedicated, 
capable, public servants. Watched Clay Johnson and his 
experience over the years and Secretary Nicholson, incredible 
representative of the United States, and his tenure, and now 
incredible advocate for our veterans. Then I have known Mr. 
Walker since--I don't want to say since he was in diapers but 
for a long time. Although you look pretty old these days, Dave.
    But the problem is not these capable administrators or the 
other witnesses you have. The problem is advances in 
technology, and I would venture to say since you know on this 
disk you have millions and millions of pieces of information 
and pretty soon we'll have it probably in something the size of 
the thumbnail, and I would venture to say that not a day goes 
by that someone from your agencies or congressional staffers 
don't take laptops home or someplace else and we are at risk.
    What we had here was a theft, a criminal act. But we do 
have to keep the laws and the rules up with technology, and 
that's what we are always having trouble with in Congress. 
Laptops didn't even exist. Cell phones, I was in the cell phone 
business and I was a pioneer in 1987, something like that. 
That's not that long ago. So keeping up with it.
    So I have a couple of questions. I left it after a bit, but 
did we do our job? I see that even the President did in August 
2004 a directive that actually directed OMB to take the lead 
here. I did read that--we have two responsibilities. One is 
protecting data and what to protect and then, well, what to 
protect and unprotecting it. And how we protect is so 
important.
    OK. Clay, you were responsible. You're still the lead 
agency in this, in setting the----
    Mr. Johnson. In some HSPD1 identification cards.
    Mr. Mica [continuing]. Security of information for the 
agencies. Did you--have you sent out a--so you have sort of 
taken a lead in this? And then I read that while 20 percent of 
the government systems are certified and accredited, this is 
agency security planning. That means 20 percent are not. Do you 
monitor this? Is that your responsibility?
    Mr. Johnson. Yes.
    Mr. Mica. Who isn't the 20 percent? It says 80 percent of 
the government systems.
    Mr. Johnson. I can get you that information.
    Mr. Mica. I think that's important to find out where the 
gaps are.
    Do you have enough legislative authority to do what you 
need to do to make certain there is compliance? Because I know 
these agencies--we have dozens of agencies and they are all 
going their own way. Do you have enough legal authority from 
the Congress to set standards?
    And then the other thing, too--the important thing here, 
too, is reporting back an incident. And I read you directed 
your staff to have Homeland Security chief information officer 
counsel to identify the appropriate detail and schedule for 
distributing a periodic government-wide incident report. That 
is getting information back on incident.
    Mr. Johnson. Yes, sir.
    Mr. Mica. You pick them, and do you have enough authority 
and do they have enough authority to get compliance? And then 
the concern of the chairman was the timeline of information and 
reporting. Would you answer that elongated question?
    Mr. Johnson. As to the second question, the reason why we 
refer to DHS, they are the cybersecurity office. They are the 
lead on cybersecurity. So that's why this reporting is to them. 
And it's my understanding it is not clear as it needs to be how 
we record different kinds of breaches, and we need to be sure 
that it's real clear----
    Mr. Mica. Do you have a systemwide standard right now? OK, 
a breach has occurred. What's the reporting? Is that----
    Mr. Johnson. We have that now, but the reporting is 
inconsistent and I'm not sure that they're all--it's equally 
clear to all agencies. So we need to make sure that it is.
    Mr. Mica. Do you have the authority to require that? Not 
require; you are just requesting. It is a ``may'' rather than a 
``shall.''
    Mr. Johnson. I don't know. I think of them as being the 
same. But maybe somebody else would think of them differently, 
but----
    Mr. Mica. Again it is nice to beat up--we pass the laws and 
then sometimes we allow you to pass the rules. But we have to 
make certain that somebody has the authority and responsibility 
for this, both the----
    Mr. Johnson. I think one of the things we can do is, in 
general, I think we have the laws and the regulations we need. 
We don't need to assume that, though. We should go and make 
sure that maybe there's--we have 95 percent of what we need but 
we need extra teeth in it, as the Secretary talked about, over 
here and over here. So we need to review that. I bet we'll find 
a couple of additional things we need to do. But the big 
opportunity and the big challenge here is to enforce and be 
held accountable, all of us, for abiding by the laws and 
regulations and processes and procedures and standards that are 
already on the books.
    Mr. Mica. Thank you.
    Chairman Tom Davis. Thank you.
    Mr. Souder.
    Mr. Souder. Thank you.
    What's happened here is basically every conservative's 
nightmare about consolidation of information in the Federal 
Government; what would happen. And I was pleased to see in your 
testimony, and then, Secretary Nicholson, you responded to it 
because you said that in addition to informing all concerned--I 
was a little concerned. Mr. Johnson just said that he didn't 
think there were necessarily new laws, and you've been saying 
we need new laws because, for example, in your statement you 
say this may violate Federal law and could result in 
administrative, civil, or criminal penalties. This is something 
Congress should act on immediately because when we talk about 
disincentives to take things home and to not follow the rules, 
you can sit through seminars but if there's no consequence--so 
I was glad to see you make that point.
    I have one technical followup question to Mr. Gutknecht. 
You said that there is some reason to believe this is a 
computer fencing firm basically. Was the disc inside the 
computer or did they also collect discs that are lying around 
the site?
    Secretary Nicholson. I'm having a little trouble hearing 
you. Was your question----
    Mr. Souder. Regarding the theft, the statement said there's 
speculation that this may be a group of people who basically 
fence computers, steal the computers. But you made the 
statement that the drive--was that in the computer, or did they 
take it in particular, or did they take the other information 
and there may be a secondary market going on?
    Secretary Nicholson. There was a laptop and a hard drive. 
They weren't at that time connected. They took both of those 
and did not take the discs.
    Mr. Souder. So only the discs that were inside the 
equipment are what they have?
    Secretary Nicholson. We don't know--we don't know what was 
loaded in his laptop.
    Mr. Souder. We don't know that the information has been 
stolen----
    Secretary Nicholson. He told us that he had downloaded 
these discs into the hard drive. We obviously don't have the 
hard drive either. That's what was stolen. But we do have the 
discs. And he brought those to us and that's what's been 
undergoing this forensic analysis is the holdings that are, you 
know, developed.
    Mr. Souder. Thank you. Because what that means is that 
somebody has to actively download to do that, and there has to 
be another step in the process here.
    Mr. Johnson, Congressman Sanders raised the question to 
Secretary Nicholson, but those of us who have been here a long 
time know that this is really--a lot have known--the question. 
If indeed we start to identify that in fact this information is 
being used, it is outrageous that many low-income veterans and 
veterans would have to pay for the credit reports. Would OMB 
back up the Veterans Administration in coming to Congress and 
saying look, we need some money because the veterans shouldn't 
have to fund this because it's a government error, not their 
error?
    Mr. Johnson. We agree totally with Secretary Nicholson that 
our highest priority is to find the best way to serve the 
veterans and the active military personnel who are at risk of 
being harmed here, and that means figuring out the best way to 
do that and then doing it.
    Mr. Souder. You agree it's not their financial 
responsibility to try to figure this out; that the government 
made the error, they didn't?
    Mr. Johnson. I would agree with that. But, again, that's 
not just financial response--our responsibility or not. It's 
all the ways we can serve them.
    Mr. Souder. It's broader than that.
    Mr. Johnson. Yes, sir.
    Mr. Souder. But if you don't have--if you're already trying 
to figure out how to cover your health care, you're already 
trying to figure out how to cover your housing, you don't have 
much income, asking to do multiple credit reports to track--
like it's their responsibility that they lost it when it was 
the government's--is a big deal right now.
    Mr. Johnson. Right.
    Mr. Souder. And I wanted to ask Mr. Walker--and this may 
also come back to you, Mr. Johnson--that most identity theft in 
the United States right now isn't related to trying to steal 
the person's full identity, or even for financial purposes. 
It's related to the fact that we have Social Security numbers 
being stolen for illegal--by illegal immigrants who need a job, 
many of them in my district. In 1 month they took down three 
green card manufacturers who were producing with stolen Social 
Security numbers.
    Not only related to this latest with the Veterans 
Administration, but in the other agencies where there's theft, 
do you know, or are there recommended policies, or how do we 
interrelate this theft with ICE, with CBT, with the Coyotes and 
other groups that are networking in large groups of people, 
fencing operations for stolen Social Security numbers? Do we 
have a systemic way of addressing where--if this shows up? 
Because this isn't just going to show up with somebody in a 
bank account somewhere. Maybe it would indirectly, later on in 
a Social Security number; if one of the veteran's Social 
Security numbers are stolen, something is going to come in 
under FICA relatively, you know, down the road here. But it 
seems like one of the first points of contact should be that an 
alert should go out to ICE, and so we're watching whatever kind 
of networks we have where these Social Security numbers might 
pop up.
    Mr. Walker. I'll have to reflect on that, Congressman. I 
will say this: that one of the major problems that we have is 
when Social Security numbers are intentionally or inadvertently 
disclosed, and that provides a basis under which individuals 
who engage in certain other activities that can result in 
identity theft. And I think one of the things we're willing to 
do is to make sure that when you have SSNs, that type of 
information either, A, isn't used for an identifier; or, B, if 
it is, that it's encrypted in some way so that people can't 
attain access to that. Presumably the VA is taking steps to try 
to ascertain whether or not some of this information might be 
compromised, you know, through sampling techniques, through the 
type of communications that you're talking about with selected 
Federal authorities. I think that's important because--that 
they be proactive in that regard. And if it turns out that it 
looks like there are some that have been, and hopefully they 
will never be, but if it turns out, then it comes back to your 
question: What are you going to do for everybody with regard to 
credit reports and credit monitoring? But we may not get to 
that point.
    Mr. Souder. But my question was, really, wouldn't the first 
logical place that you would be trying to track whether this 
has been stolen, looking--since it's the No. 1 reason Social 
Security numbers would be stolen--would be to work with ICE, 
CBP, and looking at illegal immigration, which then the 
secondary tail would be through FICA reports.
    One of my friends--Congressman Gutknecht referred to it--
had four other people on her Social Security account. And when 
she went to apply for a credit card, it was very difficult for 
her with the Social Security Administration to try to prove who 
she was. And if we have all these veterans going through this, 
one of the first places we should look at are who's likely to 
be using these numbers; not just bank accounts, but who's 
likely to be stealing them?
    And I wonder, is that recognized in the government that 
this is the first place we ought to be looking, financial 
services right behind it, Social Security right behind it, but 
this is likely to be the first place it's going to show up in a 
fencing operation for Social Security numbers?
    Mr. Walker. I think you make a very good point. I mean, one 
of the hot debates right now is the immigration debate. To the 
extent that people can get a valid Social Security number, it's 
a way that they might be able to obtain, you know, employment 
and other types of opportunities. So it's a good point that I 
think needs to be followed up on.
    Mr. Souder. Thank you.
    Chairman Tom Davis. Mr. LaTourette.
    Mr. LaTourette. Thank you very much, Mr. Chairman, for 
having this hearing. And to all of the witnesses, thank you for 
coming.
    Just, first, a commercial: A number of committees are 
working in the Congress on data security and H.R. 3997, which 
is the financial services product, would in fact cover this 
situation and would, in fact, provide all of these veterans 
with 6 months of free file monitoring. So I would ask you, Mr. 
Johnson, if you would share that with Mr. Portman. It's the 
only bill that does that.
    But Secretary Nicholson, I appreciate your being here, but 
I need to share a story with you because one of the fights 
we've had on that bill is I've always argued that a data 
security breach is different than identity theft. One doesn't 
always lead to the other. And when you lose a laptop, you don't 
necessarily have to notify everybody about what's going on.
    But I have a constituent. His name is Steven Michael. He's 
33 years old. He lives in Ashtabula, OH. He served for 3 years 
in the Army during the Gulf war, and he receives an $873 
disability check each month from the Veterans Administration 
because he has a heart condition. On June 1st, exactly 1 week 
ago, he withdrew money from his account at a local ATM and 
noticed that his balance didn't reflect the deposit of his 
monthly VA check, which is made through direct deposit. He 
immediately called the VA's 800 number and checked on the 
status of the payment. The automated system said that the 
records couldn't be accessed at this time; so he waited and 
actually spoke to a real live person. He provided his personal 
information to verify his identity and explained that his VA 
disability check wasn't in his account. He was stunned to learn 
that it, in fact, had been put in a new account, his new 
account. He inquired, what new account? The woman from the VA 
said that it was a new account he had on file. He told her he 
had not set up a new account and gave her the last four digits 
of his existing account. Of course, it didn't come close to 
matching his new account. She assured him that the problem 
would be corrected. He asked if he should visit the VA office 
in Cleveland. She asked if he was close, and he said he could 
get in his car. And he then drove 45 minutes to Cleveland. He 
went to the original VA office and provided them with a copy of 
his account. He was told that the numbers were from his old 
account. He stressed that it was his current and only account 
and that his accurate information was entered. He was told that 
it could take 7 days to process.
    He then asked the folks at the VA if this could be related 
to theft of the laptop containing the information that's the 
subject of this hearing. He was given a toll-free number, 800-
333-4636. Mr. Michael is rightly concerned about this, and he 
wonders how his direct deposit form could be changed or why it 
happened on the heels of the reports of the stolen laptop. He 
believes whoever did this must have had his name, address, and 
Social Security number. He doesn't believe this is a simple 
computer glitch because his monthly disability check has been 
deposited in the same account for years. He is even more 
disturbed that his bank informed him that it was possible 
someone phoned in the new direct deposit information to a bogus 
bank account, his new account, in the State of Michigan.
    If you could, Secretary Nicholson, can you give me a sense 
of whether this is possibly related to the stolen laptop or if 
my constituent is another unfortunate victim of identity theft?
    Secretary Nicholson. Or both.
    Mr. LaTourette. Or both.
    Secretary Nicholson. First I would tell you, Congressman, 
that is the first incidence I've heard of that affecting a 
veteran since this has come to light. I would like to get, you 
know, that information and we will follow that up on an 
individual basis. So that is the only one.
    Now, it is a fact that every year in this country, 1 to 3 
percent of the people suffer from identity theft. Last year, 9 
million Americans did, causing them an average of 28 hours of 
time to straighten it out at an average cost of $5,600, almost 
all of which was borne by the affected creditors, not the 
consumers.
    We have been talking to a company that specializes in 
trying to find the derivative source of identity theft, the 
company happens to be called ID Analytics, because we have that 
same concern; because 1 to 3 percent of our veteran population 
are going to be victims of this anyway due to the statistical 
distribution, and we want to know what's sourcing this. So we 
will followup with that one and we have not yet entered into an 
arrangement with this company to monitor this population, but 
we are seriously looking at it.
    Mr. LaTourette. I very much appreciate your answer. And to 
be very, very fair, I will tell you that currently the 
constituent is in our district office filling out some forms 
necessary for the regional office to help. And my caseworkers 
say that they've never seen the VA move so fast--I will tell 
you that--in response to this report.
    And as someone who wrote the identity theft legislation 
here when we reauthorized the Fair Credit Reporting Act, I'm 
well aware of the difficulties and the horrible stories that 
come out of stealing someone's identity.
    But I wanted to bring this to your attention for a couple 
of reasons. One, so you know that you may have one now out of 
these 28 million people. Two, to please ask that you, through 
your offices here, make sure that the folks in Cleveland stay 
on top of this, because obviously this veteran is concerned 
that the two are related. And if they're not related, then I 
think it's good news for the VA. If it is related, I think 
you've got a problem.
    I thank you, Mr. Chairman.
    Chairman Tom Davis. Thank you very much. I just have a 
couple more questions and then if anyone else has one.
    Mr. Nicholson, let me just ask the Secretary, Federal 
telework programs allow employees and contractors to work 
remotely. They're good programs. They're seen as a key 
ingredient of continuity of operations, emergency planning, 
especially for extended periods of disruption, whether it's a 
terrorist attack, avian flu. Was this individual participating 
in an authorized telework program?
    Secretary Nicholson. No, sir. He was not.
    Chairman Tom Davis. Are there steps that should be taken as 
a matter of course to ensure that benefits of teleworks are not 
eroded by the security risk? It gives us a chance to rethink 
that and continue to make it--I believe we want telework to 
grow, but this is a reminder sometimes that there are 
limitations.
    Secretary Nicholson. Yes, I think it does. I think it 
raises to a silhouette that we need to examine this program to 
see that, you know, the abuses are not taking place, we are not 
making it too easy for these abuses. And that is where the 
people thing kicks in as well as the requirements that data be 
encrypted and that we monitor it more closely with enforcement 
for violators.
    Chairman Tom Davis. Mr. Johnson, does OMB have the 
authority and the resources it needs to set and enforce 
government-wide information security programs, or do you need 
additional authority here, do you think?
    Mr. Johnson. In general, I think we have sufficient 
authority, but we ought to review it. We ought to look through 
it.
    Chairman Tom Davis. I think we are willing to give you, in 
light of this, so you seize on every opportunity--if you would 
look at that and come back and make sure we give you the tools 
you need to do it.
    Mr. Johnson. Right.
    Chairman Tom Davis. I know your dedication to this, but I 
want to make sure you've got all the tools.
    And also what's the position regarding the merits of data 
breach legislation requiring agencies to notify affected 
individuals of compromises in their privacy or their personal 
information? If legislation is enacted, what methods should be 
used to determine whether and how to notify individuals with 
security breaches? And will all of you work with us on 
legislation? Obviously, it's a big deal with Social Security 
and IRS.
    General Walker.
    Mr. Walker. We'll be happy to work with you, Mr. Chairman. 
Let me also mention in addition to telework, which you just 
talked about, which could cause increasing risk, even if a 
person is not on telework, they may travel and take their 
laptop with them. In addition to that, they may take work home 
at night or on the weekend, which would not be part of the 
telework. So we need to look at this issue as a separate and 
distinct challenge that has to be addressed irrespective of 
whether they're on telework.
    Chairman Tom Davis. That's a good point. Mr. Johnson, will 
you work with us on this, too?
    Mr. Johnson. I look forward to it.
    Chairman Tom Davis. This is a good wakeup call.
    I guess my last question would be to all of you. In your 
opinions, individually and collectively, do our departments 
provide the CIO and its organizational components with 
sufficient resources to establish and maintain an effective 
agencywide security program? We hold the CIA's feet to the fire 
every year with our scorecards on FISMA. We hold them 
responsible for agency security. Do they actually have the 
authority to get the job done or do you think this is agency to 
agency?
    General Walker, let me ask you first. You kind of have a 
government-wide perspective.
    Mr. Walker. I think there are variances by agency. I mean, 
one of the keys is that under the legislation, the CIO is 
supposed to be reporting directly to the agency head. Is that 
happening in form or is that happening in substance? Obviously, 
there are different levels of resource allocations, not only 
financial resources but human resources. Do they have enough 
people with the right kind of skills and knowledge to be able 
to get the job done?
    The example I gave earlier when this issue came up, I 
pulled the CIO in my office and talked to him directly about 
what are we doing and everything else we need to do. I don't 
know if that happens----
    Chairman Tom Davis. Let me just get each agency to just 
respond briefly. I mean, how is the relationship with the CIO? 
Do they have the authority they need in your agency?
    Mr. Gray. From the Social Security Administration I think 
they do have the authority--that our CIO does have the 
authority he needs to do the job effectively. I think we also 
have the resources we need within the agency to do that.
    Mr. Galik. Yes, Mr. Chairman, I agree. I think the CIO does 
have that authority and our organization has a direct link to 
the Commissioner of the IRS to pursue anything that needs to be 
pursued.
    Chairman Tom Davis. Mr. Secretary.
    Secretary Nicholson. I would say, Mr. Chairman, the answer 
to VA is no; that the CIO has not enough authority to go with 
his responsibility. But that is in transformation as of last 
October. And we're centralizing the IT function, creating a new 
career field where it has been decentralized out into these 
hundreds of hospitals and the other facilities. We're pulling 
that back in. So that is really progressing and we'll cure 
that.
    Chairman Tom Davis. You've only been there a short time but 
I appreciate the headway you're making there.
    And, Clay, let me just ask you, I mean government-wide you 
see the variance too. You have Karen Evans, I think, in your 
shop that helps oversee this. I know what we need to do and how 
you foster that relationship between the CIO and the agency 
heads; but wouldn't you agree with me that is very critical in 
all of these areas?
    Mr. Johnson. It's critical. I don't think we have a 
resource problem, which is another question you asked. We spend 
$65 billion a year on IT; $4.5 billion of that is on security. 
So we're spending a lot of money on this. The question is are 
we backing it up with the kind of determination that the 
Secretary has demonstrated here to really make that stick, is 
the key.
    Chairman Tom Davis. Let me thank all of you for your time 
here, answering a lot of questions. There's a lot of anxiety 
over this, and we'll continue to monitor it. But you've been 
forthcoming today with your answers and we appreciate it.
    The hearing's adjourned.
    [Whereupon, at 12:33 p.m., the committee was adjourned.]
    [The prepared statements of Hon. Charles W. Dent, Hon. Jean 
Schmidt, Hon. Elijah E. Cummings, and Hon. Wm. Lacy Clay 
follow:]
[GRAPHIC] [TIFF OMITTED] 28759.060

[GRAPHIC] [TIFF OMITTED] 28759.061

[GRAPHIC] [TIFF OMITTED] 28759.062

[GRAPHIC] [TIFF OMITTED] 28759.063

[GRAPHIC] [TIFF OMITTED] 28759.064

[GRAPHIC] [TIFF OMITTED] 28759.065

[GRAPHIC] [TIFF OMITTED] 28759.068

[GRAPHIC] [TIFF OMITTED] 28759.069

                                 
