[Senate Hearing 109-577]
[From the U.S. Government Publishing Office]



                                                        S. Hrg. 109-577
 
VETERANS AFFAIRS DATA PRIVACY BREACH: TWENTY-SIX MILLION PEOPLE DESERVE 
                                ANSWERS

=======================================================================

                             JOINT HEARING

                               BEFORE THE

                     COMMITTEE ON VETERANS' AFFAIRS
                          AND THE COMMITTEE ON
                           HOMELAND SECURITY
                        AND GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE

                       ONE HUNDRED NINTH CONGRESS

                             SECOND SESSION

                               __________

                              MAY 25, 2006

                               __________

       Printed for the use of the Committee on Veterans' Affairs


 Available via the World Wide Web: http://www.access.gpo.gov/congress/
                                 senate


                                 ______

                    U.S. GOVERNMENT PRINTING OFFICE
28-754                      WASHINGTON : 2006
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512ï¿½091800  
Fax: (202) 512ï¿½092250 Mail: Stop SSOP, Washington, DC 20402ï¿½090001

                     COMMITTEE ON VETERANS' AFFAIRS

                      Larry Craig, Idaho, Chairman
Arlen Specter, Pennsylvania          Daniel K. Akaka, Hawaii, Ranking 
Kay Bailey Hutchison, Texas              Member
Lindsey O. Graham, South Carolina    John D. Rockefeller IV, West 
Richard Burr, North Carolina             Virginia
John Ensign, Nevada                  James M. Jeffords, (I) Vermont
John Thune, South Dakota             Patty Murray, Washington
Johnny Isakson, Georgia              Barack Obama, Illinois
                                     Ken Salazar, Colorado
                  Lupe Wissel, Majority Staff Director
               D. Noelani Kalipi, Minority Staff Director
                              ----------                              

        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                   Susan M. Collins, Maine, Chairman
Ted Stevens, Alaska                  Joseph I. Lieberman, Connecticut
George V. Voinovich, Ohio            Carl Levin, Michigan
Norm Coleman, Minnesota              Daniel K. Akaka, Hawaii
Tom Coburn, Oklahoma                 Thomas R. Carper, Delaware
Lincoln D. Chafee, Rhode Island      Mark Dayton, Minnesota
Robert F. Bennett, Utah              Frank Lautenberg, New Jersey
Pete V. Domenici, New Mexico         Mark Pryor, Arkansas
John W. Warner, Virginia
           Michael D. Bopp, Staff Director and Chief Counsel
                   Thomas R. Eldridge, Senior Counsel
             Michael L. Alexander, Minority Staff Director
               Lawrence B. Novey, Minority Senior Counsel
                  Trina Driessnack Tyrer, Chief Clerk


                            C O N T E N T S

                              ----------                              

                              May 25, 2006
                                SENATORS

                                                                   Page
Craig, Hon. Larry E., Chairman, Committee on Veterans' Affairs, 
  U.S. Senator from Idaho........................................     1
Collins, Hon. Susan M., Chairman, Committee on Homeland Security 
  and Governmental Affairs, U.S. Senator from Maine..............     3
Akaka, Hon. Daniel K., Ranking Member, U.S. Senator from Hawaii..     4
    Prepared statement...........................................     5
Lieberman, Hon. Joseph I., U.S. Senator from Connecticut.........     6
Warner, Hon. John W., U.S. Senator from Virginia.................     7
Jeffords, Hon. James M., U.S. Senator from Vermont...............     8
Murray, Hon. Patty, U.S. Senator from the State of Washington....     8
Isakson, Hon. Johnny, U.S. Senator from Georgia..................     9
    Letter from Richard F. Smith, Chairman and Chief Executive 
      Officer, Equifax, Inc......................................    10
Lautenberg, Hon. Frank R., U.S. Senator from New Jersey..........    10
Thune, Hon. John, U.S. Senator from South Dakota.................    11
Burr, Hon. Richard M., U.S. Senator from North Carolina..........    12
Obama, Hon. Barack, U.S. Senator from Illinois...................    13
Salazar, Hon. Ken, U.S. Senator from Colorado....................    14
    Prepared statement...........................................    15
Chafee, Hon. Lincoln D., U.S. Senator from Rhode Island..........    16
Pryor, Hon. Mark, U.S. Senator from Arkansas.....................    16

                               WITNESSES

Nicholson, Hon. R. James, Secretary, Department of Veterans 
  Affairs; accompanied by Tim S. McClain, General Counsel, 
  Department of Veterans Affairs.................................    16
    Prepared statement...........................................    22
    Response to written questions submitted by:
        Hon. Daniel K. Akaka.....................................    24
        Hon. Norm Coleman........................................    25
        Hon. Pete V. Domenici....................................    26
        Hon. Lincoln D. Chafee...................................    26
Opfer, Hon. George J., Inspector General, Department of Veterans 
  Affairs; accompanied by Jon A. Wooditch, Deputy Inspector 
  General, Department of Veterans Affairs........................    28
    Prepared statement...........................................    29

                                APPENDIX

Coleman, Hon. Norm, U.S. Senator from Minnesota, prepared 
  statement......................................................    51
Center for Democracy and Technology, prepared statement..........    51
Department of Veterans Affairs, prepared statement...............    53
VA's Notification letter to veterans.............................    53
Press Release: Frequently asked questions on VA's letter to 
  veterans.......................................................    54


VETERANS AFFAIRS DATA PRIVACY BREACH: TWENTY-SIX MILLION PEOPLE DESERVE 
                                ANSWERS

                              ----------                              


                         THURSDAY, MAY 25, 2006

                               U.S. Senate,
                     Committee on Veterans Affairs,
and Committee on Homeland Security and Governmental 
                                           Affairs,
                                                    Washington, DC.
    The Committees met, pursuant to notice, at 10:09 a.m., in 
room SD-342, Dirksen Senate Office Building, Hon. Larry E. 
Craig, Chairman of the Committee, presiding.
    Present: Senators Craig, Burr, Thune, Isakson, Collins, 
Chafee, Warner, Akaka, Murray, Obama, Salazar, Lieberman, 
Carper, Lautenberg, Pryor and Jeffords.

 OPENING STATEMENT OF HON. LARRY E. CRAIG, CHAIRMAN, COMMITTEE 
         ON VETERANS' AFFAIRS, U.S. SENATOR FROM IDAHO

    Chairman Craig. The Committee will be in order.
    I will ask the Secretary to sit down, take a deep breath 
and collect his thoughts. He has just come from a hearing in 
the House. Then we would appreciate photographers and media 
keeping it down as much as you can in the front. Thank you.
    We have an announced vote at or around 20 after, so we will 
attempt to get opening statements as much as we can prior.
    Good morning, ladies and gentlemen. On behalf of Chairman 
Collins, as well as the Ranking Members of the two Committees, 
Senator Akaka of Veterans' Affairs and Senator Joe Lieberman of 
Homeland Security and Governmental Affairs, I want to welcome 
all of you to this joint hearing this morning.
    First, I want to thank all of the Members of our two 
Committees for their willingness to participate jointly in this 
important hearing. I think the American public should 
understand that while this hearing is about the Department of 
Veterans Affairs and the compromising of sensitive personal 
information about our veterans, the issue of data security is a 
concern all across Government.
    As I said on the Senate floor just 2 days ago, nearly every 
agency of the Federal Government maintains sensitive 
information on millions of American citizens. Most of this data 
is not of the classified nature. Rather, it is information 
compiled simply to carry out the mission and programs of 
various agencies.
    For example, the Federal student financial aid form 
requires that you provide your name, address, Social Security 
number, date of birth, information of your parents, and their 
addresses, along with many other things. Clearly, the release 
of that data would be as devastating to the privacy of millions 
of students and their families as VA's breach was to millions 
of America's veterans and their families.
    Still, we are here today to talk about what the Secretary 
of Veterans Affairs announced to the Nation this past Monday. 
He told my Committee and other Members that an employee of the 
Department downloaded data of nearly 26 million veterans and 
then walked right out the front door with it. Subsequently, the 
data was stolen from this employee's home.
    Mr. Secretary, I must tell you, that is pretty 
unbelievable. How is it that VA's computer system permits one 
person to download the records of 26 million individuals and do 
so without any alert going off to anyone else who has the 
responsibility of the integrity of that system.
    Candidly to me, that is not even the most absurd part of 
the story as I now know it. What is even more important and 
mind-boggling is after he revealed the facts of the theft to 
his supervisor, it took 13 more days for anyone else to 
discover the lost data was on 26 million veterans and their 
families. Then it took 2 more days for the FBI to be notified. 
So somebody lost the names, the birthdates and the Social 
Security numbers of 26 million veterans and their families and 
the FBI knew nothing for nearly 2 weeks.
    Mr. Secretary, I read your statement yesterday in the press 
about the anger you felt at having discovered the lapse in 
security nearly 13 days after it happened. I am glad you are 
angry. You should be. You can only imagine how I and millions 
of veterans felt and now feel.
    I just came from doing C-SPAN. I did call-ins. America's 
veterans across this country are frustrated. The word scared 
was used. The words are we at risk were used. And what do we do 
to protect ourselves?
    Mr. Secretary, I understand the need to spend some time 
with your staff assessing problems and reviewing options, but I 
find it increasingly frustrating that decisions are made 
without the knowledge and the input of a few of us. I think we 
can be trusted. I think you know that.
    Now, before I turn to Chairman Collins for her comments, I 
want to say a word about the employee who took the data home, 
as I now know it. While there is still an ongoing investigation 
as to the situation by the FBI, and I know that will limit some 
statements this morning, as best as I can tell from the 
information I have thus far, this person is a dedicated Federal 
employee who took work home with the hopes of improving VA's 
operations. Yes, his actions were inexcusable. He knew better 
than to take information home, or I hope he did. I hope policy 
suggested he should not or insisted he should not. He knew 
better than to take information home. And yet, a terrible lapse 
in judgment, and now he is faced with the serious consequences. 
But at least he told his supervisors and the law enforcement 
right away, which is more than we have been accorded.
    I am not going to lose sight of the actions of everyone 
else in this situation. There were many lapses in judgment from 
many people. I hope this hearing today will shed some light on 
the shortcomings in VA's data security programs and on what 
needs to happen to ensure such a major breach never occurs 
again.
    Also, I think our discussion will heighten the awareness of 
many other agencies across our Government to the vigilance 
about data protection and information security. As I said 
earlier, students, farmers, and others who seek Government 
assistance deserve our best efforts to protect their critical, 
vital, private information.
    Most importantly, I hope today's hearings will provide 
millions of veterans and their families the assurance they 
deserve to have, that you are doing everything possible, Mr. 
Secretary, and we will do the same.
    Thank you for being with us.
    Chairman Collins.

OPENING STATEMENT OF HON. SUSAN M. COLLINS, CHAIRMAN, HOMELAND 
SECURITY AND GOVERNMENTAL AFFAIRS COMMITTEE, U.S. SENATOR FROM 
                             MAINE

    Chairman Collins. Thank you, Mr. Chairman.
    First, let me begin by commending you for your leadership 
for seizing the initiative for suggesting this joint hearing. I 
and the Members of the Homeland Security Committee are very 
pleased to join you in this effort to quickly address a very 
serious matter that is of great concern to our Nation's 
veterans, including some 141,000 veterans in my home State of 
Maine.
    We are here today not merely to examine one incident, one 
moment of carelessness--make that recklessness--by one Federal 
employee. The specific incident compels us to confront the 
persistent and pervasive laxity with which the VA safeguards 
the personal information of the veterans it serves.
    For 5 straight years, the VA's Inspector General has 
criticized the Department for inadequate information security. 
On the annual Federal Computer Security Report Card issued by 
the House Government Reform Committee, the VA has received a 
grade of F for 4 of the last 5 years, including each of the 
last 2 years.
    This ongoing failure during a time when identity theft has 
been such a high-profile problem is simply appalling. The 
immediate result of this failure is what appears to be the 
largest theft of Social Security numbers ever. The fact that 
the information also included veterans' names and dates of 
birth means that the stolen data can easily be used to commit 
identity theft and financial fraud.
    The lingering result will be increased doubts among the 
American people about the Federal Government's commitment to 
safeguarding their personal, sensitive information.
    When we think of cyber security, we focus on protecting 
vital information systems against intrusion by criminals or 
terrorists. We now see that all the high-tech fixes in the 
world cannot protect these systems against one employee who 
disregards an established policy, and one agency that does not 
take sufficient measures to ensure compliance with the policy.
    I am also troubled by the VA's response. The burglary that 
led to this potentially massive intrusion occurred on May 3. 
Yet, as the Chairman indicated, it apparently was not reported 
to the FBI for 2 weeks. The American people, and most important 
our veterans, were not informed for nearly 3 weeks.
    Now, some delay prior to disclosure could well be 
reasonable, to allow law enforcement time to hunt for the 
stolen information or to put in place a system to respond to 
the many inquiries from our veterans. However, much of the 
delay in this case appears to be because the VA did not 
promptly investigate the nature and the scope of the data 
breach. It simply appears that the VA did not handle this 
matter with the clear sense of urgency that it required.
    I am also concerned about the initiatives the VA has taken 
to address the immediate crisis. Is it sufficient simply to 
establish a toll-free number for veterans to call? We have 
already heard, in my office and others, that veterans have 
called this number, but have been unable to learn much of 
anything.
    Is it sufficient to just accelerate a schedule of computer 
security training for VA employees? Or should more be done? We 
must ensure that the remedies the VA puts in place, both short-
term and long-term, are real, will make a difference and are 
not merely cosmetic.
    We must also view this incident as a wake-up call to the 
rest of the Federal Government. It is likely that the VA is not 
alone in the potential to suffer a data breach of this 
magnitude. Federal managers must recognize that they are 
stewards of a large amount of personal data on law abiding 
citizens, and they must guard this information wisely or lose 
the people's trust.
    It is tragically ironic that this profound betrayal of 
trust occurs just as the American people are preparing to honor 
our veterans. On this Memorial Day, the pride our veterans 
should feel in their service to our Nation will be dampened by 
anxiety and justifiable anger.
    These are the people who have served our Nation yesterday 
and who serve today. They are brave, patriotic, and devoted to 
duty. They deserve our gratitude and much more. They certainly 
deserve better than this. We owe them our best efforts so that 
the deep problems that this incident has exposed are fixed and 
so that the trust they should be able to have, not only in the 
VA but across our Government can be restored.
    Thank you, Mr. Chairman.
    Chairman Craig. Thank you, Madame Chairman.
    We do have a vote on and it started at 10:16. I suspect we 
can go. So Senator Akaka, if you would wish to go ahead with 
your opening statement, we will get a few more. I would ask 
that we keep these as limited as possible so we can get to the 
Secretary. But please proceed.

      STATEMENT OF HON. DANIEL K. AKAKA, RANKING MEMBER, 
                    U.S. SENATOR FROM HAWAII

    Senator Akaka. Thank you very much, Mr. Chairman, and 
Chairman Collins, for working together for calling this very 
important and timely joint hearing.
    As the Ranking Member on the Veterans' Affairs Committee 
and a senior Member on the Homeland Security and Governmental 
Affairs Committee, I am privileged to sit on two committees 
that have oversight on this issue. Having both Committees 
investigating this matter will allow us to address the 
specifics of the incident involving VA data and work to craft 
safeguards for the entire Government.
    I would like to say, Mr. Chairman, that I want to associate 
myself with the eloquent statement that you made.
    Let me be clear, the specific incident that brings us here 
today happens to involve VA and VA data. It could just as 
easily have involved other departments and agencies. It may be 
wise to have other departments and agencies examine their 
policies on classified and confidential data and the proper use 
and security for such data.
    Shortly after the news that the incident broke, I spoke 
with VA Inspector General George Opfer. He told me his office 
launched a full investigation into the matter which would 
examine all of the facts. I eagerly await his findings as the 
investigation will provide independent information for Congress 
to assess the situation.
    I also wrote to Secretary Nicholson with a number of 
questions and I look forward to his responses today.
    I have a longer statement, Mr. Chairman, but I will not 
read it so we have more time to hear from and question the 
witnesses. I ask that my full statement appear in the record as 
if read. Thank you very much, Mr. Chairman.
    [The prepared statement of Senator Akaka follows:]

      Prepared Statement of Hon. Daniel K. Akaka, Ranking Member, 
                        U.S. Senator from Hawaii

    Thank you Chairman Craig and Chairman Collins for working together 
to call this very important and timely joint hearing. As the Ranking 
Member on the Veterans' Affairs Committee and a senior member on the 
Homeland Security and Governmental Affairs Committee, I am privileged 
to sit on the two committees that have oversight on this issue. Having 
both Committees investigating this matter will allow us to address the 
specifics of the incident involving VA data and work to craft 
safeguards for the entire government.
    Let me be clear--the specific incident that brings us here today 
happens to involve VA and VA data. It could just as easily have 
involved other departments and agencies. Shortly after the news of this 
incident broke, I spoke with VA Inspector General George Opfer. He told 
me his office launched a full investigation into the matter that will 
examine all the facts. I eagerly await his findings as the 
investigation will provide independent information for Congress to 
assess this situation. I also wrote to Secretary Nicholson with a 
number of questions that need to be answered. I look forward to his 
response today.
    I am especially concerned with the manner in which VA handled this 
investigation. Although the breach occurred more than 3 weeks ago, 
Congress and the public were only notified of the incident this week.
    Regardless of whether identity theft actually occurs as a result of 
this incident, anytime the government loses a database of personal 
information, privacy is compromised. We must do all we can do to 
prevent this from ever happening again. The security mechanisms at VA 
are not working if a mid-level VA employee was able to walk out of the 
building with a massive amount of personal information. It seems to me 
that data of this magnitude and importance should be in the hands of 
very few VA employees and should be guarded with the utmost security. 
Thus far, VA has said the employee was not authorized to take the 
information home.
    I am troubled as to how an employee who is not authorized to take 
home the private information of more than twenty-six million veterans 
was still able to do just that. The VA failed to take several steps to 
safeguard this information. For example, VA could have scrambled Social 
Security numbers based upon an encryption formula, whereby access to 
files that translate scrambled Social Security numbers is only possible 
with special authorization. This procedure was not followed in this 
instance, and we need to know why. It is important to note how we came 
to learn about the loss of the data. The VA employee whose computer 
equipment was stolen disclosed this to VA. If the employee had chosen 
not to report the theft immediately, VA and the public could possibly 
still be in the dark about the incident.
    As I said earlier, while today's hearing is focusing on the 
information security practices at VA, I believe the data breach is 
indicative of broader information security and privacy problems 
throughout the government. I understand the problems that agencies 
face, as I have been working on Federal data collection and privacy for 
a number of years. At my request, the Government Accountability Office 
(GAO) conducted several investigations on Federal data mining 
activities and found that Federal agencies are not following all key 
privacy and information security practices. Last week, I introduced 
legislation to strengthen the investigative authority and independence 
of the Chief Privacy Officer at the Department of Homeland Security.
    I believe we need to make sure that all agencies have a strong 
privacy official to ensure that what happened at VA will not happen 
again. Last year, the Office of Management and Budget directed each 
agency to designate a senior privacy official. However, issues remain 
as to whether these individuals are focused on matters other than 
privacy, which may cause a conflict of interest; the training received 
by and the expertise of these individuals; and the enforcement 
authority of the privacy officers in each agency. Having policies and 
safeguards in place will not work if agencies are not following the 
law.
    The incident at VA demonstrates the need to review the Privacy Act. 
I believe it is appropriate at this time, Chairman Collins, for your 
Committee to undertake this review as soon as possible. The 
applicability of the Act in this increasingly electronic age, combined 
with limited remedial action, necessitates that we take a closer look, 
and make sure that the personal information that the government 
collects is properly maintained.
    It is unfortunate that, as the Nation prepares to celebrate those 
that paid the ultimate sacrifice in defense of our freedom, our 
government has breached the trust of its heroes. Our veterans deserve 
much better. I intend to work with all appropriate parties to provide 
real solutions to these glaring problems, not just in VA but across all 
government agencies and departments. Thank you.

            STATEMENT OF HON. JOSEPH I. LIEBERMAN, 
                  U.S SENATOR FROM CONNECTICUT

    Senator Lieberman. Thanks, Senator Akaka. We are going to 
continue going around and hope that Chairman Craig and Chairman 
Collins come back in time.
    I want to thank them and Senator Akaka for holding this 
hearing as quickly as they have, so that we can get some 
answers about this enormous security breach, how it occurred in 
the first place and how we can quickly assist those veterans to 
whom we all owe so much and who have been put at risk by the 
loss of their confidential information.
    The security of Government computer systems and the vast 
databases contained within them is a subject we on the Homeland 
Security and Governmental Affairs Committee have been working 
on for some time.
    As information technology continues to advance by leaps and 
bounds, we must take equivalent leaps and bounds to protect 
against the theft, misuse and abuse of information brought 
together as never before by that technology.
    At various times in our lives we, the American people, are 
required to provide the Government with all sorts of personal 
information. We do so out of necessity and sometimes out of 
choice. But we also, of course, provide it on the basis of 
trust. We, the American people, will not feel comfortable 
sharing that information that the Federal Government needs if 
the Federal Government cannot guarantee that it is kept private 
and secure.
    This latest incident at the VA is just the most recent 
reminder that the Federal Government generally, I have 
concluded, is not doing enough to guarantee that security. 
Three years ago, I asked the Government Accountability Office 
to assess and evaluate Federal privacy protections. GAO looked 
into the privacy practices of 25 Federal agencies and reported 
back that compliance was very uneven and that in nearly one-
third of cases when agencies disclosed personal information to 
non-Federal organizations, the agencies did not have procedures 
in place to ensure that the personal information disclosed was 
complete, accurate, relevant, and timely as required by the 
Privacy Act.
    Last year, Senator Collins and I took the Transportation 
Security Administration to task for violating the privacy of 
thousands of commercial airline passengers when it collected 
and stored personal information about those passengers. Not 
only did TSA violate its own privacy policy, it also failed to 
meet the basic requirements of the Privacy Act, which is law.
    The VA security lapse is particularly troubling to all of 
us. Infuriating, in fact, because of the population of veterans 
that may have been placed at risk. So we are here today to get 
answers to questions and they have really been framed by my 
colleagues who have spoken before.
    So, I will simply conclude by saying, Secretary Nicholson, 
I have great respect for you. I think you know that it is now 
up to you and your Department to restore the American public's 
trust in the VA, which is a good and efficient Department, and 
in the ability of Government as a whole to carry out its duties 
without jeopardizing personal and sensitive information the 
people of this country have and give to their Government.
    As part of that, I hope you will not hesitate to hold 
accountable anyone who was responsible for this failure to 
protect the confidential information of millions of American 
veterans.
    Thank you very much.
    Senator Warner.

               STATEMENT OF HON. JOHN W. WARNER, 
                   U.S. SENATOR FROM VIRGINIA

    Senator Warner. Thank you, Mr. Chairman.
    I want to first say a few words about the Secretary of 
Veterans Affairs. I have known him for a very long time. In 
times like this, when we have literally a very serious problem 
at hand, it is fortunate Jim Nicholson has stepped up for 
continued public service. He has about as distinguished a 
career in the United States military as one can have in 
contemporary times.
    I thank you, my good friend, for calling me very promptly 
on the early morning when this news first became public and 
reassuring me, as I am sure you are going to reassure veterans 
all over America, that you are going to have a total hand on 
the situation to hold accountable those who have perpetrated 
any wrongs or breach of law, and to reassure veterans that we 
are going to protect them to the extent we can.
    If I may say with some modesty, I am a veteran myself of 
World War II and Korea, and I have had a lifetime association, 
as you have Mr. Secretary, with the men and women of the Armed 
Forces who have served. And we must recognize, as my colleagues 
alluded, that technology has gone forward so rapidly. Ten years 
ago, if you were trying to plan a theft like this, you would 
have to have a six-wheeler van to haul the information out. Now 
a simple disk can slide into the pocket. Consequently, we have 
to take measures which keep apace with technology to give the 
security that is required in this situation.
    But I would like to once again say, as this hearing is 
commencing and as people are following it all across the United 
States, you will do a good job, Mr. Secretary. You will get to 
the bottom of this and solve it, because of your deep love, 
respect and affection for America's veterans.
    Thank you.
    I think we should stand in recess until the return of the 
Chair. Do you wish to--good, thank you very much.

             STATEMENT OF HON. JAMES M. JEFFORDS, 
                      U.S. SENATOR VERMONT

    Senator Jeffords. Mr. Chairman, I appreciate your holding 
this hearing on such short notice to examine the frightful 
breach of security at the VA that has led to the loss of 
significant data of millions of veterans. I understand that the 
Government, and in particular agencies such as the VA, who deal 
in direct health of individuals need to have sensitive personal 
information. But the Government therefore has a sacred 
obligation to make sure that this information is secure. This 
is an inexcusable breach of the basic compact of trust between 
the veteran and the VA. I am a veteran myself.
    The FBI must get to the bottom of how this happened and 
take immediate measure to ensure that it never happens again. 
We owe our veterans nothing less.
    I look forward to your testimony, Mr. Secretary, and hope 
you will give us reason to be reassured that the VA is taking 
immediate action to address this horrendous problem.
    Thank you, Mr. Chairman.
    The Committee will now stand in recess until the Chairman 
returns.
    [Recess.]
    Chairman Craig. The Committee will be back in order.
    Mr. Secretary, thank you for standing down for a few 
moments while we went to vote.
    Now let me turn to Senator Murray.

                STATEMENT OF HON. PATTY MURRAY, 
                  U.S. SENATOR FROM WASHINGTON

    Senator Murray. Let me thank Chairman Craig and Collins, as 
well as our Ranking Members Akaka and Lieberman, for calling 
this very important hearing today.
    Simply put, this is really a disaster. Our phones are 
ringing off the hook with veterans from all across the country 
who feel that their privacy has been violated and they are 
really losing faith in the VA. We have 85-year-old veterans who 
do not know the first thing about credit checks, and they are 
being told that their identity has been compromised and they 
really do not know what to do. We need to find a way to provide 
assistance for all of our veterans and give them the peace of 
mind that they deserve.
    Now, I know that some say that this is just an isolated 
incident, that this is an accident caused by one employee at 
the Department of Veterans Affairs, but Mr. Secretary, I have 
to tell you, from where I sit, this seems like just another 
demonstration of the agency's incompetence.
    As Chairman Collins said, the VA was told time and again by 
the IG that it had weaknesses in its information security 
systems. The VA was warned about the lack of protection for 
veterans' sensitive health care and benefits information, and 
these warnings seem to have gone unnoticed by leadership within 
the VA.
    I hope we hear this morning from you, Mr. Secretary, about 
how this happened, why it took so long to tell our veterans 
that their information was compromised, what we are going to do 
to rectify this situation and what steps you are taking to 
ensure that it never happens again.
    Again, as we have discussed before, these Committees and 
this Congress have instilled in you the responsibility to fight 
and defend our veterans. I know that all of our veterans need 
you to be their greatest advocate.
    I am very disappointed by what has transpired and I hope 
that this agency really now rises to the occasion under your 
leadership and show all of us here and the millions of veterans 
that are at risk that you are here to protect them even from 
your own agency's mistakes.
    Thank you, Mr. Chairman.
    Chairman Craig. Thank you, Senator.
    I note that statement was made in under 3 minutes. I 
appreciate that very much and would hope that our colleagues 
would attempt to adhere to that so that we can get to the 
Secretary.
    Let me turn to Senator Isakson.
    Johnny.

               STATEMENT OF HON. JOHNNY ISAKSON, 
                   U.S. SENATOR FROM GEORGIA

    Senator Isakson. Thank you, Mr. Chairman, and I will be 
brief.
    I thank you and Chairman Collins for calling this hearing.
    Mr. Secretary, I can empathically identify with the 760,000 
veterans in Georgia who are probably on this list, because a 
year ago I was notified that my information had been lost or 
stolen by an American corporation and I know how I felt. I also 
know how they responded. And I hope we will and the 
Administration will respond swiftly to ensure the veterans are 
protected and they get the information they need.
    To that end, Mr. Chairman, I would like to ask unanimous 
consent to submit a letter for the record.
    Chairman Craig. Without objection.
    [The letter referred to follows:]

                                              Equifax Inc.,
                           Peachtree Street, Georgia, May 24, 2006.
Hon. Johnny Isakson,
U.S. Senate,
Washington, DC.
    Dear Senator Isakson: At Equifax, we honor the enormity of our 
veteran's contribution to the success and security of our great 
country, and are pleased to assist them in any way possible. Upon 
learning of the data breach at the Veterans Administration Office, 
Equifax immediately developed a special assistance page on our 
Equifax.com website. This page is designed to educate and assist our 
veterans on identity theft, and the ways in which they can safeguard 
their personal, information. This special assistance page includes the 
following:
    1. How to place an initial fraud alert on their credit file. This 
will alert creditors of possible fraudulent activity and request they 
contact the veteran prior to establishing credit in their name.
    2. How to request a free copy of their credit file 
atannualcreditreport.com, or by phone or mail.
    3. A special offer for Equifax's Credit Watch products available to 
veterans at a 50 percent discount until June 30, 2006. Credit Watch, 
will monitor the veteran's credit file and alert them to changes that 
could be early warning signs of identity theft.
    We look forward to continuing to work with the Veterans 
Administration Office to assist our veterans.
            Sincerely,
                                          Richard F. Smith,
                Chairman and Chief Executive Officer, Equifax, Inc.

    Senator Isakson. The Equifax Corporation out of Atlanta, on 
the day of the announcement, notified the VA and all veterans 
of a hotline, affording them immediate access to a free credit 
report, and offered them a 50 percent discount on 1 year's 
credit card service to monitor their credit. Mr. Richard Smith, 
who is the CEO of that company, was in Washington yesterday. I 
had the chance to talk to him and I thanked him personally for 
their voluntary effort. But I think it is important that the 
agency come together with a seamless policy to protect all 
veterans.
    Lastly, Mr. Chairman, I want to commend you on your 
statement with regard to this being a wake-up call. As terrible 
as this loss of information is, just think if the Social 
Security Administration or the IRS and all their computer data 
information did not have a good security system.
    So I hope as we work to raise the level of interest in this 
issue and hold the VA accountable, we will make sure we are 
checking with every agency of the Government and making sure 
they are redoubling their efforts to ensure this does not 
happen in any other agency as well.
    I yield back the balance of my time.
    Chairman Craig. Thank you, Senator.
    I am proceeding on the order with which Senators first came 
to the Committee, and I will turn to Senator Salazar.
    Excuse me, he is not here.
    In that case, it is Senator Lautenberg.

            STATEMENT OF HON. FRANK R. LAUTENBERG, 
                  U.S. SENATOR FROM NEW JERSEY

    Senator Lautenberg. Thanks, Mr. Chairman, and I will join 
the race to the 3-minute mark and see if I can rush through.
    Madame Chairman and our guest Chairman, thank you very much 
for arranging this joint hearing on such short notice. I 
appreciate the opportunity to learn about this alarming breach 
of security that has compromised the personal information of 26 
million veterans and families.
    I served at an earlier time and the records regarding my 
service and those who served at my time were destroyed in a 
fire in St. Louis in the Veterans Administration facility. So 
it does not install a lot of confidence when we see what has 
happened now.
    In the next few days, we are going home for Memorial Day, a 
day we want to honor our veterans and their service. But this 
week we learned that the Government has failed them, put them 
at risk, at significant risk. Our veterans deserve the best in 
health care and other services. But what they got in this case 
is a security breach that puts them at risk for theft of their 
identity.
    In recent years, we have all learned that identity theft 
has serious consequences for its victims. This incident, 
involving the VA, is the largest breach of Social Security 
numbers ever and it is appalling that something could happen. 
To make matters worse, the VA's response to the crisis has not 
been satisfactory. As a matter of fact, it really destroys 
confidence in the functioning of the VA.
    They have a call center in New Jersey and veterans who call 
there do not think the VA call center is very helpful. These 
veterans will probably have to take some steps themselves to 
make sure that their credit information is not compromised and 
that they are not subjected to deep losses as a result.
    We should make it simple for them as much as we can. And 
that is why I am joining Senator John Kerry in supporting his 
bill to help veterans to stay informed about their credit 
status in the aftermath of this incident.
    Again, thank you very much, Mr. Chairman and Madame 
Chairman.
    Chairman Craig. Senator, thank you very much. Now let me 
turn to Senator Thune.
    John.

                 STATEMENT OF HON. JOHN THUNE, 
                 U.S. SENATOR FROM SOUTH DAKOTA

    Senator Thune. Thank you, Mr. Chairman and Madame Chair.
    I appreciate, as well, very much your holding this 
emergency hearing to deal with the theft of personal 
information for millions of our veterans, and I want to thank 
Secretary Nicholson for appearing today.
    Mr. Chairman, I share your commitment to understand all the 
facts of this case before taking action, and I hope this 
hearing will generate light that we can use to do that.
    Having said that, this breach of information security at 
the VA is causing a lot of anxiety across the country among our 
veterans. And they are rightfully demanding that we act quickly 
on this issue. I have many veterans in my State of South Dakota 
who are justifiably concerned about identity theft, and they 
deserve to have peace of mind about their privacy.
    That is why we have to work quickly here on these 
committees to learn all the relevant facts and then take the 
appropriate action. And that, I think includes, in the short 
term, finding out the exact proportions of the problem and 
developing a proportionate remedy. Also, looking at the long 
term, at what we can do to make sure that this thing never 
happens again.
    As a number of Members of the Committee have already noted, 
the IG's most recent strategic plan indicated that one of the 
strategic goals was in the area of information management. It 
also noted many of the challenges the VA faces in the privacy 
of and the security of the information it manages. The 
strategic plan further states that information systems security 
has been identified as a material weakness as early as 1998 
within the VA.
    And then there is this key passage on page 58, which I want 
to just read for you,

          The potential vulnerability of Federal information systems 
        cannot be overestimated. Presently, VA systems are not 
        protected from authorized access, risk of potential exposure, 
        loss of sensitive data, fraudulent claims and disruption of 
        critical activities remain. Security over VA IT resources needs 
        to assure that only authorized users access VA resources and 
        only authorized use is made of VA resources. Legal requirements 
        such as the Privacy Act, the Federal Information Security 
        Management Act of 2002, and the Health Information Portability 
        and Accountability Act of 1996 impose detailed duties on the VA 
        to protect sensitive medical and personal information it 
        maintains on veterans, their families and its employees.

Clearly, what the Inspector General was concerned about in 
terms of information security has now become a reality that we 
must deal with. I believe that this event occurred at least in 
part because many of the VA's IT systems are compartmentalized 
within the VA's three administrations: health, benefits and 
cemeteries; and there is not a uniform policy in terms of 
information security across the entire VA.
    That is why, Mr. Chairman, I introduced a bill, last fall, 
to improve the management of IT within the VA. My bill would 
provide for the VA's Chief Information Officer to have 
authority over resources, budget and personnel related to the 
support function of information technology. An identical bill 
has passed the House. I hope that this will give us an 
opportunity to pass it in the Senate.
    I appreciate again, Mr. Chairman, your holding this 
hearing. We are here to understand the entire context of this 
situation and then to work on both short-term and long-term 
solutions. We must do all that we can to ensure the information 
privacy of our veterans who have sacrificed so much for all of 
us.
    So thank you again and I look forward to the testimony.
    Chairman Craig. Senator, thank you.
    Senator Burr.

              STATEMENT OF HON. RICHARD M. BURR, 
                U.S. SENATOR FROM NORTH CAROLINA

    Senator Burr. I thank both the Chairs.
    Mr. Secretary, Senator Isakson and I have something in 
common, in the fact that we both participated in this before 
from the standpoint of our records being lost. Mine happened to 
be a stolen laptop with my pertinent information from the 
accounting firm that does my taxes. I remember vividly getting 
the call and being walked through exactly what they were doing 
to make sure that they minimized what was a huge mistake.
    Fortunately, I have never had any repercussions from that 
over the several months that I have gone through. I am sure we 
can find a number of ways to tongue lash the system, and you 
and the Administration.
    Let me suggest to my colleagues, that is not what we are 
here to do. We are here to figure out--to work with you--to try 
to figure out how to remediate a problem that we do not know 
the scope of yet, to once again remind the Veterans 
Administration and every branch of Government that it is 
unacceptable to have the delay in notification to the Congress, 
to the Federal law enforcement folks, that these are policies 
that we need to look at, that this cannot be something we make 
up on the go.
    I certainly commit myself to you and to the Chairs to work 
aggressively to find how we can adopt a policy that we all feel 
confident is structured in a way that minimizes the risk of 
this in the future.
    But more importantly, a policy that we can communicate to 
all concerned of exactly what we do if it ever does. I think 
the belief that we can assure with 100 percent accuracy that we 
can eliminate this is a dream. We cannot. That is why it is 
just as important that we understand that we need a policy in 
place that everybody understands that helps us to remediate 
this.
    Once again, I do want to say publicly to you that it is 
unacceptable to have had a 60-day delay or a 15-day delay 
between the time that notification went out to the 
Administration, the Congress and the FBI.
    My hope is that through this hearing, it is the start of 
the road to a recovery from where we are.
    I thank the Chairs.
    Chairman Craig. Senator, thank you very much.
    Senator Obama.

                STATEMENT OF HON. BARACK OBAMA, 
                   U.S. SENATOR FROM ILLINOIS

    Senator Obama. Thank you very much to the Chairs for 
holding this hearing. I will try to be brief.
    This episode raises so many questions, but I think maybe 
the most poignant one was raised by Sonny McQueen, a DC area 
veteran. He said, ``How else can the country let us down?'' And 
I think that is a feeling that may be pervasive among a lot of 
veterans.
    I hope this hearing is the first step toward answering some 
of those questions. As has already been noted, why did it take 
2 weeks for the VA to notify the FBI? That was a 2-week head 
start for criminals to potentially wreck havoc. Why did the VA 
wait nearly 3 weeks to notify the veterans who were at risk? 
That is a policy issue.
    I have no doubt, Mr. Secretary, that you are as outraged as 
we are about this problem. But I am concerned about what is it 
structurally inside the VA that is preventing information from 
being dealt with properly? And what is preventing the VA from 
being forthcoming to veterans and the American people?
    We have a duty to make this right. The average identity 
theft victim spend 40 hours, apparently, to clean up his or her 
finances after something like this happens. So as a first step, 
I am hoping that the VA is going to be thinking about how it is 
going to provide credit monitoring and counseling services to 
the veterans who may be affected. This is a problem that may 
take a lot of time and money to fix, but we are going to need 
to make our veterans whole.
    Beyond that, I think it is important for us to understand 
that, although this may be a mistake of one employee, the 
reality is that this is a system that was destined to failure. 
Just a couple of quick facts. This is a system that scored an F 
in information security in 4 of the past 5 years on a House 
Committee report card. This is a system that in 2001 allowed VA 
employees in Atlanta to steal $11 million in benefits. The VA 
Inspector General, as has already been noted, has argued for 
years that the VA needed to improve its IT security. The VA 
Chief Information Officer abruptly resigned a month ago because 
the agency was not moving fast enough on its IT reorganization.
    So, we cannot pin this on one individual. This is a 
systemic breakdown. The system is so poorly designed that one 
employee could compromise the entire thing. That raises the 
question how could managers not realize that so many files were 
downloaded and brought offsite? And what steps is the VA going 
to take to secure veterans' data used in other programs?
    I hope that through this hearing we can get to the bottom 
of this fiasco. I think we need to hold VA officials 
accountable. We also need to look forward and try to prevent 
identity theft across the private and public sector. It is 
estimated that 10 million consumers are affected annually.
    I understand that Senators Specter and Leahy are going to 
be looking at ways in that Committee to deal with issues of 
identity theft. I hope that all of us work on this. In the 
meantime, we are going to have to figure out how to clean up 
this mess.
    Thank you very much Mr. Chairman, Madame Chair. I look 
forward to the hearing.
    Chairman Craig. Thank you very much, Senator.
    Again on the order with which Senators came to the 
beginning of the hearing, let me turn to Senator Salazar and 
then to Senator Chafee. Thank you.
    Ken.

                   STATEMENT OF KEN SALAZAR, 
                   U.S. SENATOR FROM COLORADO

    Senator Salazar. Thank you very much, Chairman Craig and 
Ranking Member Akaka and Chairman Susan Collins and Ranking 
Member Lieberman, for holding this hearing.
    Let me just say I think my colleagues have stated the 
concerns that we all share. And I know that Secretary Nicholson 
has also stated his concerns and how appalled he is about what 
has happened here with the records of 26.5 million veterans. It 
is a huge issue that we need to address and we need to address 
effectively to make sure that we prevent this kind of thing 
from ever happening again.
    Secondly, we need to make sure that we are taking every 
step in the world possible to safeguard the getting out of this 
information, from where ever this information happens to be 
today.
    But I also think it calls into question, even beyond the 
VA, what is happening with respect to all other Government 
agencies that have huge amount of information and the 
safeguarding of that information in the new kind of technology.
    I was thinking about 26.5 million names and records related 
to 26.5 million names. You know, 20 or 30 years ago you would 
never be able to put that into any kind of a file on a laptop. 
Well, that has all changed. And I think part of what we are 
seeing here is somehow the policies and oversight of 
information within our Government has not kept pace with the 
new technological capacities that have been developed with the 
computer capacities that we currently have.
    So I look forward to working with you, Secretary Nicholson, 
to get us to a solution that will address the issue within the 
VA, but also I think for all of us in Government, we need to 
understand that this is an issue that also goes beyond the VA.
    Thank you and I have a more formal statement for the 
record, Mr. Chairman.
    Chairman Craig. Without objection, it will be a part of the 
record.
    [The prepared statement of Senator Salazar follows:]

   Prepared Statement of Hon. Ken Salazar, U.S. Senator from Colorado

    I want to start by thanking Chairman Craig, Chairman Collins, 
Senator Akaka, and Senator Lieberman for bringing together this 
critical hearing on such short notice. As we all know, one of the 
central questions in this troubling incident relates to whether or not 
the VA could have responded more quickly to the news that the personal 
information of 26.5 million veterans had been compromised. In light of 
those concerns, I believe it is imperative for Congress to act as 
quickly as possible to address this situation, and I hope today's 
hearing will set an example.
    I also want to thank today's panelists for agreeing to come before 
our committees today to discuss this important matter. I realize that 
many of you had to change your plans to be able to be here. But our 
veterans weren't planning on having their information put at risk, 
either, and it's important we do everything within our power to protect 
them during what must be a worrisome time. So, thank you.
    I am extremely troubled by what we learned earlier this week from 
the Department of Veterans' Affairs. First and foremost, I share the 
concern of our Nation's veterans about the potential for misuse of 
their names, birthdates, and Social Security numbers, and the 
consequences--both personal and financial--that could result.
    What is most troubling to me is the nature of the information that 
has been compromised. This is not like losing your keys or your credit 
card, where you can change your locks or your account information. 
These are the fundamental keys to a person's identity, and they could 
be used to open a bank account, take out a loan, obtain lines of 
credit, buy property--and the list goes on. The lives of millions of 
our Nation's veterans could be turned upside down as a result of this 
security lapse.
    Second, this incident raises serious questions about the gaping 
holes in security that exist at VA, and about why more hasn't been done 
about them in recent years. We have known that VA's security safeguards 
are insufficient for years, and yet very little has been done to 
prevent the kind of theft we saw earlier this month. We need to know 
why, and we need to know what the VA plans to do now to ensure this 
kind of nightmare never happens again.
    Finally, as I have mentioned, we need to know more about how this 
event and VA's response to this event unfolded, and why the department 
did not act more quickly to notify law enforcement, Congress, and most 
importantly, our veterans.
    I look forward to working with my colleagues to address this issue. 
I have written to VA urging the department to do everything it can to 
protect our veterans and make sure it doesn't happen again. I am also a 
cosponsor of legislation introduced by Senator Kerry that would require 
VA to provide 1 year of free credit monitoring to affected individuals, 
and one free credit report each year for 2 years thereafter.
    Our Nation owes a debt to our veterans that can never be fully 
repaid. It is deeply concerning to me that the very agency responsible 
for providing these veterans with the care and services they have 
earned failed to protect their most basic personal information. For 
that reason, I am hopeful that we can get to the bottom of some of 
these issues today.
    Thank you.

    Chairman Craig. Senator Chafee.

             STATEMENT OF HON. LINCOLN D. CHAFEE, 
                 U.S. SENATOR FROM RHODE ISLAND

    Senator Chafee. Thank you, very much, Mr. Chairman. 
Welcome, Secretary.
    I share my colleagues great, great concern about what 
occurred and want to work with you, after appropriate 
investigations and reviews are done, to any legislative fixes 
or funding concerns you might have to rectify the situation.
    I noticed in your opening statement, no specific requests 
at this point. But maybe after further reviews and 
investigations, there will be some concrete requests. I look 
forward to working with you on that, and also with Inspector 
General Opfer.
    Thank you, Mr. Secretary. Thank you, Mr. Chairman.
    Chairman Craig. Senator, thank you.
    Senator Pryor.

                 STATEMENT OF HON. MARK PRYOR, 
                   U.S. SENATOR FROM ARKANSAS

    Senator Pryor. Thank you, Mr. Chairman.
    I think most of our colleagues here have covered my 
concerns with the VA and the bad news that we received in the 
last few days regarding the VA. But I do think that this is a 
reminder again, for Members of the Senate and Members of the 
House, that we need to act. And we need to spend time working 
through solutions for this so that the American public can 
protect itself.
    One thing we passed last year, I guess or in the last 
several months, in the Commerce Committee is a security freeze 
bill. Basically what that would allow Americans to do is work 
through a credit bureau and freeze their financial information 
so that someone could not tap into that, get credit cards, 
loans, et cetera, in their name without their permission.
    So, here you have a breach of 26-whatever million veterans 
and the security freeze would allow every person, if they chose 
to, to protect themselves in that way. So I think it is a good 
common-sense solution. It is something that has been through 
the Committee. Hopefully, Senator Frist and Senator Reid will 
work out some time on the floor. I would love to have you all 
look at it when it gets to the floor. I think it is something 
that once you understand what it does and once you see it, you 
will realize the American public would really like to have this 
option to protect themselves against things like this.
    Thank you, Mr. Chairman.
    Chairman Craig. Thank you.
    Mr. Secretary, again welcome to the Committee. Please tell 
us you are mad as hell.

       STATEMENT OF HON. R. JAMES NICHOLSON, SECRETARY, 
DEPARTMENT OF VETERANS AFFAIRS; ACCOMPANIED BY TIM S. McCLAIN, 
        GENERAL COUNSEL, DEPARTMENT OF VETERANS AFFAIRS

    Secretary Nicholson. You can count on that, Mr. Chairman.
    Chairman Craig. Thank you.
    Secretary Nicholson. Mr. Chairman, Members of the 
Committee, I appreciate having this opportunity to appear 
before you to talk about this devastating occurrence that has 
happened in my agency and come to my attention only recently 
and was announced to the veterans and to the public and to the 
Congress this past Monday.
    I am the person ultimately responsible to our veterans. And 
therefore, I am the person responsible for this situation. This 
responsibility rests on me.
    A VA employee, a data analyst, took home electronic data 
files from the VA. He was not authorized to do so. His house 
was burglarized and the data were stolen. This happened on May 
3rd.
    If this were not bad enough, I was not notified about this 
event until May 16th. So I can tell you, as a 34-year veteran 
myself, I am mad as hell. I am outraged by all of this. I am 
outraged that this employee would do this so recklessly. And I 
am outraged that I was not notified of it sooner.
    But I still must carry on and lead the efforts needed to 
get to the bottom of this and take the corrective actions to 
see that this does not happen again. My compass for this is the 
veterans. I feel so badly for them and what they are going 
through potentially and the anxiety that this is causing and 
what it could cause.
    As has been said, these stolen data contained the 
information, including the names and date of birth, for 26.5 
million veterans and some spouses. In addition, that 
information, plus Social Security numbers, were available for 
some 19.6 million of those veterans, of those 26.5 million. 
Also included possibly were some numerical disability ratings 
and the diagnostic codes that identify their disability.
    It is good to note that the data did not include any VA 
electronic health records. Neither did it contain explicit 
financial information, although knowing a disability rating 
code could lead one to compute at least what that compensation 
payment was.
    On May 3rd this employee's home was broken into and local 
law enforcement was notified immediately. They report that they 
think this was a routine breaking and entering. That is, it was 
not a targeted burglary. It was a random burglary.
    The employee has been placed on administrative leave 
pending the outcome of this investigation, with which he is 
cooperating.
    As I have said, I am a veteran and this is just 
incredulous. I am so damned mad at the loss of our veterans 
data and the fact that one person could put all of us at risk, 
one person in violation of VA policies.
    I am just as mad and disappointed that I was not made aware 
of this before I was.
    So, I am upset about the timing of our response. I will not 
tolerate inaction and poor judgment when it comes to protecting 
our veterans.
    Appropriate law enforcement agencies, including local 
police, the FBI, and the Inspector General, have now launched 
full-scale investigations. Authorities believe it is unlikely 
the perpetrators targeted the items stolen because of any 
knowledge of the data contents. It is possible that the thieves 
remain unaware of the information they possess and how to make 
use of it.
    Because of that, we attempted to not be too specific about 
the description of the equipment stolen, the location from 
which it came and other information in general. We do not want 
to provide information to the thieves that might be more 
helpful to the nature of what they have and we still hope this 
was a common theft and that no use will be made in this VA 
data.
    From the moment I was informed, the VA began taking all 
possible steps to protect and inform our veterans. However, 
there were those in the law-enforcement community who wanted me 
to wait longer before announcing this theft, so as to pursue 
leads and to keep the burglars in the dark. I chose to inform 
our veterans nevertheless, but limiting the details of where 
and when initially so as not to tip our hand to the robbers.
    Whether it is one veteran or the numbers we are talking 
about here today, the VA needed to act in a manner that 
maintained a balance between protecting them and informing the 
perpetrators. I chose to get the information out at that point 
to the veterans, in spite of the continuing investigations.
    Another very disturbing aspect of this is that although it 
happened on May 3rd, and this employee informed his boss of 
this fact on that day, as I said, I was not made aware until 
May 16th. Equally disturbing is that Federal law enforcement 
head and investigating agencies were not informed immediately 
either. Local were, but not Federal. It was not until May 10th 
that the VA IG became aware of it.
    I cannot explain these lapses in judgment on the part of my 
people. Most of them are really great, hard-working people. It 
makes me so angry and disappointed. And after the IG finishes 
his investigation as to exactly what happened, I plan to take 
decisive actions. I have to.
    The VA now has also begun a relentless examination of our 
policies and procedures to find out how we can prevent 
something like this from happening again. We will stay focused 
on the problems until we get them fixed. I have formed a 
special task force to examine comprehensively all of our 
information programs and policies to bring about a ringing 
change in the way we do business.
    I have begun recruiting to see if I can find the right 
individual to come into our agency to be the personal 
information security czar, if you will, who has nothing else in 
his or her portfolio, to focus on that and report directly to 
me.
    As has been stated here, ever since 1999 the VA has gotten 
low marks from the IG on its information and cyber security 
programs. Last year the GAO flunked the VA on its cyber 
security system. This has got to change.
    This situation is exacerbated by the fact that the 
Assistant Secretary for IT, who had been at the VA for about 
2\1/2\ years, has just recently resigned. He had come to the VA 
from the private sector, from Dell. He has returned to the 
private sector. He did a very good job and I will say that I 
think we are off to a real solid start in the IT transformation 
that we are doing.
    And this is beyond the scope here, but VA has gotten 
decentralized down literally to almost clinics, of which there 
are 900. We are pulling this back into a centralized format in 
this major IT transformation that we are in. And that is 
launched. But as is painfully evident, we have a great deal to 
do.
    I was also pleased that just yesterday, President Bush 
announced his intention to nominate a brilliant, recently 
retired Navy Admiral that we have recruited to come into our 
agency to head up our Office of Policy and Planning, which is 
the office in which this transgression occurred. We hope to 
have him on board very soon.
    Additionally, we are taking direct and immediate action to 
address and alleviate veterans' concerns and to regain their 
confidence. Those actions include that we have directed all VA 
employees to complete the VA Cyber Security Awareness Training 
Course and a separate General Employee Privacy Awareness course 
and to do so by June 30th of this year.
    I have also directed that a memo be issued requiring all VA 
employees to sign annually an employee statement of awareness, 
including their awareness of the Privacy Act, their awareness 
as to unauthorized disclosing or using directly or indirectly 
information obtained as a result of their employment in the VA, 
which is of a confidential nature or represents a matter of 
trust, or other information so obtained of such a character 
that its disclosure or use would be contrary to the best 
interest of the veterans and of their awareness of the loss or 
damage or unauthorized use of Government property or its 
carelessness or negligence in its use therein.
    Additionally, the Department will immediately be conducting 
an inventory and review of all current positions requiring 
access to VA data.
    This, I think, is a very important point because, as it 
turns out, we do not know anything about these people. The 
person who took this data home, the last that I can tell, had a 
background check, just a National Agency and Inquiries Check, 
32 years ago. Yet, we entrust this kind of data to people.
    And I might say, by the way, and this is not said in anyway 
as some kind of an excuse, but this man or others, they do not 
have to carry this data out. They can send it out. If they have 
Internet Explorer on their computer, they can send it to their 
account and then get on their own computer and receive it.
    I also would tell you, and please, this is not said in any 
way to excuse or mitigate what happened thus, but I am holding 
in my hand a hard drive. This is unrelated to the equipment in 
this incident. But that data that we are talking about for 
these 26.5 million veterans is 5 gigabytes. This little thing 
right here, that slips so easily into my vest pocket, holds 60 
gigabytes. We could have 12 times the data that is the subject 
of this pain that we are in on this thing, this little hard 
drive.
    This, as you probably all know, which most people that use 
these use them as a key chain, and call them most commonly a 
thumb drive, this would hold about three-quarters of the data 
that we are talking about, this size. Most people that use 
these in my agency have them hanging around their neck with 
their ID card and walk in and out.
    There are lots of things that we are going to have to do as 
an agency, and I think as a Government. But the key, it seems 
like to me, is going to be the law. And by the way, this person 
did not violate any law, because there is no law. We have 
internal policies against what he did. But he did not violate 
the law, as near as I can tell.
    And we are going to have to--for people that have access to 
this kind of data, we are going to have to know something about 
them. If they were in the military and they were privy to 
confidential information, they would have a background 
investigation. And a lot of that, you read in the paper what we 
are giving them access to.
    So, I am proposing that we are going to do an updated 
National Agency Check on those. And for those that have special 
access, request a minimum background investigation.
    I have directed the Office of Information and Technology to 
publish by June 30th a VA directive and revisions to security 
guidelines for single user remote access developed by the 
Office of Cyber and Information Security. This document will 
set the standards for access, for use and information security, 
including physical security and reporting.
    We are working with Members of the Congress, the VSOs and 
the news media and other agencies to ensure that other veterans 
and their families are aware of this situation and the steps 
that they may take to protect themselves for the misuse of 
their personal information.
    We are coordinating with other agencies to send individual 
notifications to all 19.6 million individuals whose Social 
Security numbers were stolen. That is, we are going to send a 
letter to each of these people, instructing them and asking 
them to be both vigilant in order to detect any signs of 
possible identity theft and how to protect themselves.
    As you know, in the meantime, they can go to the Internet 
portal we have established, which is www.FirstGov.gov, for 
information on this matter. And this is a Federal site that is 
capable of handling a great amount of traffic.
    Additionally, we have set up a manned call center that 
veterans can use to get information and learn more about 
consumer identity protections. You can reach that with a toll-
free number of 1-800-333-4636. It operates 14 hours a day and 
will as long as it is needed. It can handle 20,000 calls per 
hour. By the end of the day yesterday, concerned veterans had 
made a total of 105,753 calls to this number.
    I do want to acknowledge the significant efforts of 
numerous Government agencies in assisting the VA to prepare for 
the announcement last Monday. Agencies at all levels pitched in 
to ensure that our veterans had information on actions that 
they could take with respect to their credit. Hundreds of 
people worked around the clock, that is they worked through the 
night, in helping to set up these call centers and get the 
messages composed and out and did a yeoman's job. I want to 
thank each of them and these agencies for their efforts on 
behalf of our veterans.
    The three national credit card bureaus have established 
special procedures to handle inquiries and requests for fraud 
alerts from veterans. Experian and TransUnion have placed a 
front-end message on their existing toll-free fraud lines, 
bypassing the usual phone tree with instructions for placing a 
fraud alert. Equifax has set up a new toll-free number for 
veterans to place fraud alerts.
    The new procedures became operational on Tuesday. The 
bureaus report a spike in phone calls, 171 percent of normal, 
and in requests for free credit report through the annual free 
credit report web site.
    The Federal Trade Commission also experienced high call 
volumes about the incident earlier this week.
    On Monday, the Office of Comptroller of the Currency 
notified its examiners of this theft. On Tuesday, the Office of 
Comptroller posted an advisory on an Internet network available 
to its banks and instructed the examiners to direct their banks 
to the advisory. It explains what happened and asks the banks 
to exercise extra diligence in processing veterans' payments. 
The advisory also reminds banks of their legal obligations to 
verify the identities of persons seeking to open new accounts 
and to safeguard customer information against unauthorized 
access or use and attaches a summary of relevant regulations.
    I briefed the Attorney General and the Chairman of the 
Federal Trade Commission, the co-chairs of the President's 
Identity Theft Task Force, shortly after I became aware of this 
occurrence. They have been very cooperative. Task Force members 
have already taken actions to protect the affected workers, 
including--excuse me, to protect the affected veterans, 
including working with the credit bureaus to help ensure that 
veterans receive free credit reports that they are entitled to.
    Additionally, the Task Force met on Monday to coordinate 
the comprehensive Federal response to recommend further ways to 
protect affected veterans and increase safeguards to prevent 
the recurrence of such incidents. On Monday following the 
announcement of this incident, I also issued a memorandum to 
all VA employees. The purpose was to remind them of the public 
trust that we hold and to set forth the requirements that all 
employees complete their annual general privacy training and 
cyber security for this current year by the end of next month.
    Following that, all will be required to sign a statement of 
commitment and understanding which will acknowledge the 
consequences for noncompliance.
    Information security is challenging business and ultimately 
it depends on the integrity and the ethics of the workforce. As 
has been said here, as technology has advanced, it has become 
possible to store vast quantities of data on devices no larger 
than one's thumbnail.
    All of us carry a cell phone, a BlackBerry or a personal 
digital assistant, and each of these contains vast quantities 
of data. Someone intent on taking this data and using it 
inappropriately has many opportunities to do that.
    It is also the fact that great numbers of people in this 
agency and in this Government telecommute. For example, 
yesterday I was talking to an employee of ours who is an 
information technology specialist. And he told me of needing 
some medical records. He asked for them to be burned onto a CD, 
and that was done and it was delivered to him very promptly and 
neatly.
    And so he wrote the person an e-mail back saying thank you 
for this prompt, efficient work. He said, ``By the way, where 
do you work here in the central office? Maybe we could have a 
cup of coffee some time.'' And the person responded by saying, 
``I do not work in the central office. I work in South 
Dakota.''
    It illustrates how far-flung and distended some of this has 
gotten. We need obviously to know who they are, know what kind 
of people they are out there with this data, and absolutely get 
better control over it.
    And I promise you that we are going to do everything in our 
power to structure a regime at the VA that makes clear what is 
proper in the use of data by our employees and train our 
employees in those policies and enforce them.
    We have already begun discussions regarding the immediate 
automatic encryption of all sensitive information. We will also 
work with the President's Task Force on Identity Theft. I am a 
member of the Task Force. And it will help to structure 
policies that will be put in place throughout the Government to 
help ensure that situations such as this do not occur at other 
agencies.
    In summary, Mr. Chairman and Members of the Committees, I 
want to say that the VA's mission is to serve and honor our 
Nation's veterans, and we take it very seriously. I am also 
proud to say that most of the 235,000 people that work there 
are terrific and take it seriously and are dedicated to our 
veterans. So, I am so saddened by what has happened here, in 
this case by one person, and the anxiety and concern that this 
is causing to our veterans and our families because they have 
enough to deal with.
    We honor the service of our veterans and we consider it a 
privilege to work for them at our agency. I want you and them 
to know that we are and are going to work hard to keep this 
most awful thing from happening again.
    Thank you.
    [The prepared statement of R. James Nicholson follows:]

       Prepared Statement of Hon. R. James Nicholson, Secretary, 
                     Department of Veterans Affairs

    Mr. Chairman and Members of the Committee:
    Thank you for the opportunity to appear before you today to explain 
a devastating situation.
    A VA employee, a data analyst, took home electronic data files from 
VA. He was not authorized to do so.
    These data contained identifying information including names and 
dates of birth for up to 26.5 million veterans and some of their 
spouses. In addition, that information, plus social security numbers, 
was available for some 19.6 million of those veterans. Also possibly 
included were some numerical disability ratings and the diagnostic 
codes which identify the disabilities being compensated.
    It is important to note that the data did not include any of VA's 
electronic health records. Neither did it contain explicit financial 
information, although knowing of a disability rating could enable one 
to compute what that implied in terms of compensation payments.
    On May 3, the employee's home was broken into in what appears to 
local law enforcement to have been a routine breaking and entering, and 
the VA data were stolen. The employee has been placed on administrative 
leave pending the outcome of an investigation with which I understand 
he is cooperating.
    I am outraged at the loss of this veterans' data and the fact an 
employee would put it at risk by taking it home in violation of VA 
policies. However, the employee promptly reported the theft to the 
local police and to the Department of Veterans Affairs. But it was not 
until May 16th that I was notified. I am gravely concerned about the 
timing of the Department's response once the burglary became known. I 
will not tolerate inaction and poor judgment when it comes to 
protecting our veterans.
    Appropriate law enforcement agencies, including local police, the 
FBI and the VA Inspector General's office, have launched full-scale 
investigations into this matter. Authorities believe it is unlikely the 
perpetrators targeted the items stolen because of any knowledge of the 
data contents. It is possible that the thieves remain unaware of the 
information they possess or of how to make use of it. Because of that, 
we have attempted to describe the equipment stolen, the location from 
which it was stolen and other information in very general terms. We do 
not want to provide information to the thieves that might be 
informative as to the nature of what they have stolen. We still hope 
that this was a common theft, and that no use will be made of the VA 
data.
    From the moment I was informed, VA began taking all possible steps 
to protect and inform our veterans.
    In our post-disclosure assessment, we have seen the gaps between 
what we said and the way we are seen.
    VA has begun a top to bottom examination of our business, policies, 
and procedures to find out how we can prevent something like this from 
happening again. We will stay focused on the problems until they are 
fixed. In addition, we will take direct and immediate action to address 
and alleviate veterans' concerns and to regain their confidence.
    I have taken the following actions so far:
     I have directed all VA employees to complete the annual 
``VA Cyber Security Awareness Training Course'' and complete the 
separate ``General Employee Privacy Awareness Course'' by June 30, 
2006.
    This includes:
     The Privacy Act;
     Unauthorized disclosing or using, directly or indirectly, 
information obtained as a result of employment in VA, which is of a 
confidential nature or which represents a matter of trust, or other 
information so obtained of such a character that its disclosure or use 
would be contrary to the best interests of the VA or veterans being 
served by it; and,
     Loss of, damage to, or unauthorized use of Government 
property, through carelessness or negligence, or through maliciousness 
or intent.
     I have also directed that all VA employees sign annually 
an Employee Statement of Commitment and Understanding which will also 
acknowledge consequences for non compliance.
    In addition the Department will immediately begin to conduct an 
inventory and review of all current positions requiring access to 
sensitive VA data. The inventory will determine whether positions in 
fact require such access. We will then require all employees who need 
access to sensitive VA data to do their jobs to undergo an updated 
National Agency Check and Inquiries (NACI) and/or a Minimum Background 
Investigation (MBI) depending on the level of access required and the 
responsibilities associated with their position.
    And I have directed the Office of Information & Technology to 
publish, as a VA Directive, the revisions to the Security Guidelines 
for Single-User Remote Access developed by the Office of Cyber and 
Information Security. I have asked that this be done by June 30, 2006. 
This document will set the standards for access, use, and information 
security, including physical security, incident reporting and 
responsibilities.
    VA is working with Members of Congress, the news media, veterans' 
service organizations, and numerous government agencies to help ensure 
that those veterans and their families are aware of the situation and 
of the steps they may take to protect themselves from misuse of 
personal information.
    VA is coordinating with other agencies to send individual 
notifications to those individuals whose social security numbers were 
stolen, instructing them to be vigilant in order to detect any signs of 
possible identity theft and telling them how to protect themselves. In 
the meantime, veterans can also go to www.firstgov.gov for more 
information in this matter. This is a Federal Government Web site 
capable of handling large amounts of web traffic.
    Additionally, working with other government agencies, VA has set up 
a manned call center that veterans may use to get information about 
this situation and learn more about consumer-identity protections. That 
toll free number is 1-800-FED INFO (333-4636). The call center is 
operating from 8 am to 9 pm (EDT), Monday-Saturday as long as it is 
needed. The call center is able to handle up to 20,000 calls per hour 
(260,000 calls per day). Through the end of the day on Tuesday, 
concerned veterans had made a total of 105,753 calls to this number.
    I want to acknowledge the significant efforts of numerous 
government agencies in assisting VA to prepare for our announcement on 
May 22nd. Agencies at all levels of the Federal Government pitched in 
to ensure that our veterans had information on actions they could take 
to protect their credit. Hundreds of people worked around the clock 
writing materials to inform the veterans and setting up call centers 
and a website to ensure maximum dissemination of the information. I 
want to personally thank each of those agencies and those individuals 
for their selfless efforts on behalf of our veterans.
    The three nationwide credit bureaus have established special 
procedures to handle inquiries and requests for fraud alerts from 
veterans.
    Experian and TransUnion have placed a front-end message on their 
existing toll-free fraud lines, bypassing the usual phone tree, with 
instructions for placing a fraud alert. Equifax has set up a new toll-
free number for veterans to place fraud alerts. The new Equifax number 
is 1-877-576-5734. The new procedures became operational on Tuesday. 
The bureaus report a spike in phone calls (171 percent of normal) and 
in requests for free credit reports through the annual free credit 
report web site (annualcreditreport.com). The Federal Trade Commission 
also experienced high call volumes about the incident earlier this 
week.
    On Monday, the Office of Comptroller of the Currency notified its 
examiners of the theft. On Tuesday, OCC posted an advisory on an 
internal network available to its banks and instructed the examiners to 
direct their banks to the advisory. It explains what happened and asks 
the banks to exercise extra diligence in processing veterans' payments. 
The advisory also reminds the banks of their legal obligations to 
verify the identities of persons seeking to open new accounts and to 
safeguard customer information against unauthorized access or use. It 
also includes a summary of relevant laws and regulations.
    I briefed the Attorney General and the Chairman of the Federal 
Trade Commission, co-chairs of the President's Identity Theft Task 
Force, shortly after I became aware of this occurrence.
    Task Force members have already taken actions to protect the 
affected veterans, including working with the credit bureaus to help 
ensure that veterans receive the free credit report they are entitled 
to under the law. Additionally, the Task Force met on Monday to 
coordinate the comprehensive Federal response, recommend further ways 
to protect affected veterans, and increase safeguards to prevent the 
recurrence of such incidents.
    On Monday, following the announcement of this incident, I also 
issued a memorandum to all VA employees. The purpose was to remind them 
of the public trust we hold and to set forth the requirement that all 
employees complete their annual General Privacy Training and VA Cyber 
Security Awareness training for the current year by June 30.
    As technology has advanced, it has become possible to store vast 
quantities of data on devices no larger than one's thumb. All of us 
carry a cell phone, a BlackBerry or a Personal Digital Assistant, and 
each of these contains vast quantities of data. Someone intent on 
taking such data and using it inappropriately would have many 
opportunities to do that.
    I can promise you that we will do everything in our power to make 
clear what is appropriate and inappropriate use of data by our 
employees. We will train employees in those policies, and we will 
enforce them. We have already begun discussions regarding the immediate 
automatic encryption of all sensitive information.
    We will also work with the President's Task Force on Identity 
Theft, of which I am a member, to help structure policies that will be 
put in place throughout the government to ensure that situations such 
as this do not occur at other agencies.
    VA's mission to serve and honor our Nation's veterans is one we 
take very seriously and the 235,000 VA employees are deeply saddened by 
any concern or anxiety this incident may cause to those veterans and 
their families. We honor the service our veterans have given their 
country and we are working diligently to protect them from any harm as 
a result of this incident.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Daniel K. Akaka 
                       to Hon. R. James Nicholson

    On February 11, 2005, Office of Management and Budget (OMB) Deputy 
Director for Management Clay Johnson issued a memorandum directing each 
agency to designate a senior official who would have agency-wide 
responsibility for privacy issues relative to information management.
    Question 1a. Who is VA's senior privacy official? When was this 
position established at VA?
    Question 1b. What training does VA's designated privacy official 
receive? Is this training then passed on to all agency personnel? 
Please provide a copy of the training documents VA provides its 
employees.
    Question 1c. I understand that OMB meets with all the agencies' 
senior privacy officials and their teams to review the status of the 
agencies' privacy programs. Has OMB met with VA's privacy official, and 
if so, do you know what OMB found with respect to VA's privacy program? 
If problems were found, how has VA addressed the problems identified? 
Are the problems identified by OMB still remain at VA?
    Question 1d. If the privacy official has a concern about an agency 
practice or program, what enforcement authority does he or she have? To 
whom does the senior privacy official report?
    Question 1e. What is the working relationship between the VA 
privacy official and Privacy and Civil Liberties Oversight Board?
    Question 2. Recently VA announced the naming of Special Advisor for 
Information Security. What will be the role and responsibilities of the 
Special Advisor? How will the responsibilities and duties of this 
official differ from those assigned to the senior privacy official? How 
will this individual work with the senior official designated for 
privacy issues and the Chief Information Officer at VA?
    Question 3. The Privacy Act does not require the VA to provide 
notice of a data breach. What Federal or state law required the VA to 
notify the public of the data breach?
    Response. VA did not respond to the questions.
                                 ______
                                 
          Written Questions Submitted by Hon. Norm Coleman to 
                        Hon. R. James Nicholson

    The senior VA employee who took the sensitive information home was 
working on a project which involved improving telephone interactions 
between the Department and Veterans. While the employee was authorized 
to have access to this data in connection with the project, the 
employee was not authorized to take the data home to work on it. 
Although the employee received the required training on protecting the 
privacy and security of this kind of information and knew it was 
against VA policy, the employee still chose to take it home.
    Question 1a. How confident are you that other VA employees do not 
similarly have confidential data in their homes? Can we be 100 percent 
confident?
    Question 1b. Would you say it is routine for employees who have 
access to sensitive information to remove it from the VA to work on at 
home? Is it easy to remove this information?
    Question 1c. Is there any way for you to know how many employees 
remove sensitive information from the VA?
    Question 1d. Are employees aware of the penalties for removing 
sensitive information from the VA? Can you tell us what the penalties 
are?
    Mr. Secretary, you found out about the security breech on May 16th, 
yet veterans were not informed until May 22nd. On May 19th, the 
Inspector General and your staff decided not to go public because the 
hotline being established by the FTC to handle veterans' calls had not 
been fully set up. However, when this type of security breech has 
happened in the private sector, consumers have been alerted very 
quickly, often in less than 24 hours.
    Question 2a. Do you still think it was the right decision to wait 
to inform veterans that their information may have been compromised?
    Question 2b. What would have been the downside to making an 
announcement so veterans could begin reviewing their financial 
information while putting information on your website and saying a call 
center would be up and running in a few days?
    Question 2c. Are you getting any feedback on whether the call 
centers are helpful? Is the VA partnering with the Veterans Service 
Organizations to provide information to their members about what 
happened and what they can do to protect this information?
    On May 3rd, the same day as the discovery of the burglary and 
theft, the VA employee called and reported to a supervisor and VA 
security officials the loss of sensitive privacy data. However, Mr. 
Secretary, you did not find out until almost 2 weeks later on May 16th.
    Question 3a. Do you recall your reaction when you found out about 
this?
    Question 3b. Did you inquire why something of this magnitude took 
almost 2 weeks to reach your desk?
    Question 3c. When did you become aware that your Chief of Staff 
knew this information a week earlier?
    Question 3d. Do you know why you were not told at that time of what 
had happened?
    Question 3e. Is it customary for important matters such as this to 
be caught up in bureaucracy for 2 weeks or is there a system in place 
to get things to you quicker? If so, do you know why this information 
did not get to you sooner?
    Since 2001, the VA Inspector General has warned that access 
controls were a ``material weakness'' in the department's security of 
information. Vulnerabilities cited included operating systems, 
passwords, and a lack of strong detection alerts. While this case 
involved a VA employee with authorized access to sensitive information, 
I am concerned the VA is also vulnerable to a cyber-attacker without 
authorized access that breaks into the system and removes sensitive 
information.
    Question 4a. Mr. Secretary, how vulnerable is the VA to a cyber-
attack from someone outside of the VA who has no authorization to any 
VA information?
    Question 4b. Were you aware of the VA Inspector General's reports 
that were critical of the department's information protection systems?
    Question 4c. What actions has the department taken to improve 
information security since you became Secretary in February, 2005?
    Response. VA did not respond to the questions.
                                 ______
                                 
        Written Questions Submitted by Hon. Pete V. Domenici to 
                        Hon. R. James Nicholson

    Question 1. In recent years identity theft has become a major issue 
in this country. Given that the theft of personal information is 
nothing new, what policies and procedures did the Department of 
Veterans Affairs have in place prior to this incident to insure the 
personal data of our Nation's veterans was protected?
    Question 2. It is my understanding that to date there is no 
evidence anyone has illegally used the missing data belonging to 26.5 
million of our Nation's veterans including names, social security 
numbers, and dates of birth. However, I am particularly concerned for 
those veterans who are retired or nearing retirement and who may be on 
a fixed income and therefore less able to respond to the consequences 
of identity theft. How is the VA preparing to minimize the disturbance 
to their lives in the event this stolen information is improperly used? 
Furthermore, what steps has the VA taken to notify the 26.5 million 
veteran's involved in this incident?
    Question 3. In light of this loss of information, I think it is 
clear the Department of Veterans Affairs must take steps to better 
protect sensitive personal data in the future. At this time, what 
changes has the VA implemented or plans to implement to insure veterans 
do not have to face the fear of their personal information being 
misused in the future?
    Response. VA did not respond to the questions.
                                 ______
                                 
       Written Questions Submitted by Hon. Lincoln D. Chafee to 
                        Hon. R. James Nicholson

    Question 1. Members of our military have risked their lives in 
service of our country. Our grateful Nation fully supports veterans 
programs, including medical, educational, employment, and other 
assistance. I too support these important programs. In all times, and 
especially in a time of war, ensuring our veterans receive the best 
medical care is our Nation's duty. Earlier this year, in his budget 
request, the President proposed higher fees and co-pays for certain 
veterans receiving VA assistance. In my view, a policy that leads to 
increased denial of service to veterans is simply unacceptable, which 
is why I cosponsored an amendment to the Budget allocating money for 
the government to cover these costs. Secretary Nicholson, what are you 
doing to make sure quality VA care remains accessible to all veterans 
who need it?
    Question 2. Battlefield medicine has made huge strides in the last 
few decades. The result has been a much higher percentage of wounded 
soldiers living through their initial injuries, able to return home to 
their families. These wonderful advances in medicine deserve our 
praise, but they mean that the VA will be caring for more and more 
injured soldiers as they return home. Many of these injuries, such as 
burns, amputations, blindness, and PTSD, are of the type that will 
require care for a lifetime. How is the VA preparing for an increase in 
the number of veterans who will require long term medical assistance? 
Furthermore, how is the VA making sure it immediately cares for 
returning Iraq War veterans, but does not forget about those older 
veterans who continue to require medical assistance?
    Response. VA did not respond to the questions.

    Chairman Craig. Mr. Secretary, thank you very much.
    As you have noted, the Secretary is accompanied by Tim 
McClain, who is General Counsel for the Department of Veterans 
Affairs.
    You will notice there are two empty chairs. George Opfer, 
Inspector General for the Department of Veterans Affairs, I do 
not know if he was held hostage. At least he was detained in 
the U.S. House of Representatives. And I understand he is en 
route or nearly here. So the moment he arrives, we will allow 
him to make his statement before we go to questions. In the 
meantime, I will ask the Secretary a question.
    Mr. Secretary, you have mentioned, as many of our 
colleagues here have mentioned, that there has been a long 
history of Inspector General review and litany recommending 
greatly improved informational technology security at VA. In 
fact, a grade of ``F'' and the word flunk have been used.
    I do not know if this is the ultimate wake-up call, but it 
most assuredly appears to be.
    Does VA have some legitimate reason why it ignored IT 
security recommendations from the IG for 4 years running?
    Now I know your watch has not been during all of those 
periods of time. But I am greatly concerned that it took 
something like this to begin to unravel the rigidity of a 
bureaucracy that would deny the legitimate approach of an 
overall encompassing IT system that now we must get at the 
business of doing.
    Your reaction.
    Secretary Nicholson. My reaction, Mr. Chairman, is that 
there is no excuse for this. I have been there 15 months and I 
am aware of those previous years' reports and the assessment 
that we got. We did launch this significant change in the way 
that we are going to do IT business by pulling it back and 
centralizing it, which would give us considerably more control 
and accountability. But that is just in the launch phase.
    I also have discovered that there have been directives that 
have been issued by my predecessor to which there has been no 
attention given. There are directives that have come out which 
are called guidelines, which some employees do not interpret as 
being mandatory or operative to them, because they are a 
guideline. I have had that discussion just yesterday with some 
employees in that respect.
    So the whole thing needs to really be tightened up. We are 
on that path, I will say, and give the recently departed CIO 
credit for getting us there. But it is nascent, just starting.
    Chairman Craig. Mr. Opfer, we appreciate your being able to 
make it.
    We will allow you to sit down and take a deep breath, and 
we would ask that you--the Secretary has just completed his 
statement and we were just starting into a round of questions. 
But we want you to make your statements so that the questions 
of my colleagues can be directed to either of you.
    You are accompanied by Jon Wooditch is that correct?
    Mr. Opfer. Yes, sir.
    Chairman Craig. Deputy Inspector General, Department of 
Veterans Affairs.
    So Mr. Inspector General, please proceed with your 
statement, if you would, please.

     STATEMENT OF HON. GEORGE J. OPFER, INSPECTOR GENERAL, 
DEPARTMENT OF VETERANS AFFAIRS; ACCOMPANIED BY JON A. WOODITCH, 
                   DEPUTY INSPECTOR GENERAL, 
                 DEPARTMENT OF VETERANS AFFAIRS

    Mr. Opfer. Thank you, Mr. Chairman and Members of the 
Committee. Thank you for the opportunity to testify today on 
the loss of VA sensitive data.
    I am prepared to give a short statement and request that my 
full statement be submitted for the record.
    Chairman Craig. Without objection, it will.
    Mr. Opfer. I am accompanied, as you said, Mr. Chairman, by 
Jon Wooditch, the Deputy Inspector General, and Mike Stanley, 
the Assistant Inspector General for Audits.
    My statement will focus on the incident involving a VA 
employee who took home sensitive data and confidential 
information which was stolen from the employee's home when it 
was burglarized.
    Our involvement in this matter from the IG perspective is 
threefold. One, an ongoing criminal investigation into the 
theft of the data. Two, an administrative investigation. And 
three, a review of the VA policies and procedures for using and 
protecting privacy data.
    In addition to discussing each of these reviews, my 
statement will also provide an overview of the OIG reports that 
have shown the need for continued improvements in addressing 
information security weaknesses in VA and the status of those 
OIG recommendations for corrective action.
    On May 3rd, the home of a VA employee was burglarized. 
According to the employee, information stolen included the 
names, birth dates and Social Security numbers of approximately 
26.5 million veterans that was stored on his personally owned 
computer hardware. The employee said that he routinely took 
sensitive data home to work on and has been doing so since 
2003.
    On Wednesday, May 10th, an Information Security Officer of 
the OIG, while attending a routine meeting at VA, heard that a 
VA employee's home had been burglarized and that VA electronic 
records may have been stolen. Following the meeting, the OIG 
employee gathered additional facts about the incident. On the 
following day, he submitted a written report to alert the 
Office of Investigations of the Office of Inspector General.
    On May 12th, the OIG opened a criminal investigation and 
initiated efforts to locate and interview the employee and 
those others that had information regarding the theft of the 
sensitive data.
    On May 15th, we interviewed the employee. The employee 
advised us that he believed several electronic files containing 
veteran information stored on his personally owned computer 
hardware had been stolen during a burglary. He thought that 
stolen information included the names, birth dates and Social 
Security numbers of approximately 26.5 million veterans.
    On May 16th, we met with the Montgomery County Police 
Department, who had initiated an investigation of the burglary. 
We informed the Montgomery County Police Department of the 
suspected loss of millions of veterans' personal identifiers. 
We learned that the detectives were actively pursuing leads 
developed in a number of recent burglaries in the employee's 
neighborhood.
    On May 17th, we advised the FBI and the Assistant United 
States Attorney of the details of the burglary and the possible 
loss of the data. On the next day, we also faxed a letter 
listing these details to the FBI.
    Since then we have been conducting a joint investigation 
focused on the recovery of the stolen data. To date, we have 
received no indication or information that the data has been 
further compromised.
    In the administrative investigation, our investigation will 
determine if notifications of the incident were made, and if 
those notifications were pursued in an appropriate and timely 
manner. We are developing a chronology of when key staff and 
managers were informed of the incident, what information was 
conveyed to these individuals, and what actions they took.
    As part of the investigation, we will determine if the work 
the employee was performing at home was related to his official 
duties and if he had appropriate authorization to take 
individually identifiable data to his residence. We will also 
determine if the employee complied with relevant policies and 
procedures.
    The recent incident also raises concerns about whether VA 
has adequate policies and procedures in place to protect 
confidential and privileged information maintained in VA 
electronic databases. To address this issue, we have initiated 
a review to determine whether VA has effective policies to 
ensure compliance, whether VA employees are aware of these 
policies, and whether there is an effective mechanism for 
reporting violations and taking appropriate actions.
    The review will identify strengths and weaknesses in VA 
policies. We will make recommendations for improvement to 
ensure the data maintained by VA is protected from unwanted 
intrusion and disclosure.
    In closing, I would like to assure the Committee that this 
matter will remain the highest priority in the OIG until it is 
resolved. I will assure you that all of the resources that we 
have that are needed to complete our reviews in a thorough and 
timely matter will be dedicated to the goal of recovering the 
stolen data and protecting the Nation's veterans.
    Mr. Chairman and Members of the Committee, thank you again 
for the opportunity to appear and to answer any questions.

    Prepared Statement of Hon. George J. Opfer, Inspector General, 
                     Department of Veterans Affairs

                              INTRODUCTION

    Mr. Chairman, Madam Chairman, and Members of the Committees, thank 
you for the opportunity to testify today on the loss of Department of 
Veterans Affairs (VA) sensitive data. I am accompanied by Jon Wooditch, 
Deputy Inspector General, and Mike Staley, Assistant Inspector General 
for Auditing. My statement will focus on the incident involving a VA 
employee who took home sensitive and confidential information, which 
was stolen when the employee's home was burglarized. The Office of 
Inspector General's (OIG) involvement in this matter involves a three-
pronged approach including (1) a criminal investigation, (2) an 
administrative investigation of the handling of this matter once 
reported to the Department, and (3) a review of VA policies and 
procedures for using and protecting privacy data. In addition to 
discussing each of these reviews, I will also provide an overview of 
the OIG reports that have shown the need for continued improvements in 
addressing information security weaknesses in VA, and the status of OIG 
recommendations for corrective action.
    On May 3, 2006, the home of a VA employee was burglarized. 
According to the employee, the information stolen included the names, 
birthdates, and social security numbers of approximately 26.5 million 
veterans that was stored on personally owned computer hardware. The 
employee, a data analyst, was authorized access to sensitive VA 
information in the performance of his duties and responsibilities. He 
said that he routinely took such data home to work on it, and had been 
doing so since 2003.

                         CRIMINAL INVESTIGATION

    On Wednesday, May 10, 2006, our Information Security Officer (ISO), 
while attending a routine meeting at VA Central Office, heard another 
ISO mention that a VA employee's home had been burglarized and that VA 
electronic records may have been stolen. Following the meeting, our ISO 
gathered additional facts about this incident. On the following day, he 
submitted a written report to his supervisor for the purpose of 
alerting our Office of Investigations. On May 12, 2006, a criminal 
investigation was initiated and efforts commenced to identify and 
interview the employee.
    On Monday, May 15, 2006, we interviewed the employee. The employee 
advised us that he believed that several electronic files containing 
veteran information stored on personally owned computer hardware had 
been stolen during the burglary at his home on May 3, 2006. He thought 
the stolen information included the names, birthdates, and social 
security numbers of approximately 26.5 million veterans.
    On May 16, 2006, we met with the Montgomery County Police 
Department who had initiated an investigation of the burglary when 
notified on May 3, 2006. We informed them of the suspected loss of 
millions of veterans' personal identifiers. We learned that detectives 
were actively pursuing leads developed in a number of recent 
residential burglaries in the employee's neighborhood.
    On May 17, 2006, we apprised the Federal Bureau of Investigation 
(FBI) and an Assistant United States Attorney of the details of this 
burglary and possible loss of data. The next day, we also faxed a 
letter listing these details to the FBI. Since then, we have been 
conducting a joint investigation with the FBI and the Montgomery County 
Police Department focused on the recovery of the stolen data. To date, 
there has been no indication that this data has been further 
compromised.

                      ADMINISTRATIVE INVESTIGATION

    We have also initiated an administrative investigation to determine 
if notifications of the incident were made, and if those notifications 
were pursued in an appropriate and timely manner. We are developing a 
chronology of when key staff and managers were informed of the 
incident, what information was conveyed to these individuals, and what 
actions they took. We are also identifying what VA electronic data the 
employee stored at his home, whether the employee had an official need 
for the data, why he took it to his home, and who in his supervisory 
chain approved or had knowledge that he had done so.
    We have interviewed the employee, his supervisors, project 
managers, and co-workers; privacy, information security, and VA law 
enforcement officials; Office of General Counsel attorneys, including 
the General Counsel; and the VA Chief of Staff. We are also reviewing 
electronic mail messages pertinent to the incident; notes and memoranda 
prepared by the employee, General Counsel, and other staff; 
documentation of the employee's access to VA databases; and other 
pertinent documentation.
    According to the employee, he likely had VA electronic data stolen 
during the burglary of his residence, but he was not certain of the 
type and extent of the specific information taken. He said he believed 
it contained approximately 26.5 million veterans' names, social 
security numbers, and dates of birth, extracted from a VA database, and 
possibly other smaller files containing information about individual 
veterans was also taken. We are currently reviewing the computer discs 
he used to take data home to determine what other information may have 
been stolen.
    The employee, a data analyst, had an official need to access the 
records believed to have been stolen. The nature of his work was 
project-focused and involved manipulating large quantities of data to 
address certain policy issues. The employee told us he took the data 
home for work-related purposes. However, none of his supervisors we 
talked to said they were aware that the employee had taken the file 
containing approximately 26.5 million veterans' records to his 
residence.
    As part of our investigation, we will determine if the work the 
employee was performing at home was related to his official duties, and 
if he had appropriate authorization to take individually identifiable 
data to his residence. We will also determine if the employee complied 
with relevant policies and procedures in taking this information home 
and properly protecting it. Our report will identify what breakdowns 
occurred that may have hindered timely notification and follow-up of 
this incident. Based on our investigation, we will make recommendations 
for appropriate action, if warranted.

      REVIEW OF LAWS, REGULATIONS, AND VA POLICIES AND PROCEDURES 
                ON SAFEGUARDING CONFIDENTIAL INFORMATION

    The recent incident raised concerns about whether the VA has 
adequate policies and procedures in place to protect confidential and 
privileged information maintained in VA's electronic databases. Our 
concerns are whether VA policies are adequate to ensure compliance with 
information security laws, the Privacy Act and other confidentiality 
laws and regulations, and to identify and take action when there is a 
violation of law or policy. There are two sets of laws and implementing 
regulations to protect the integrity of confidential data--computer 
security laws and confidentiality statutes. While the intent of both 
sets of laws is the same--the protection of information--the approach 
is different. Computer security laws ensure that the system 
infrastructure on which the data is maintained electronically is 
protected against unauthorized intrusions such as viruses and 
unapproved access. The Privacy Act and other confidentiality laws and 
regulations protect information by limiting access, use, and disclosure 
of records without authorization from the individual about whom the 
record is maintained.
    To address the issues, we initiated a review to determine whether 
VA has effective policies in place to ensure compliance with computer 
security laws, the Privacy Act and other confidentiality laws and 
regulations, whether VA employees are aware of the policies; whether VA 
has adequate procedures in place to monitor compliance with the 
policies; and, whether the policies include an effective mechanism for 
reporting violations and taking appropriate action. Two areas that we 
are addressing in our review are policies relating to the transfer of 
electronic information from an employee's VA computer to his home or 
alternative work site and the impact centralization versus 
decentralization of VA policy has on ensuring that the integrity of VA 
computer systems and the information stored on those systems is 
maintained.
    The review includes identifying and reviewing applicable laws, 
regulations and policies, including Department-wide policies; policies 
issues by the Veterans Health Administration (VHA), the Veterans 
Benefits Administration (VBA), and other VA entities, policies issued 
by local VA facilities; and mandatory training modules. We are also 
reviewing how policies are disseminated to VA employees; whether VA 
employees are aware of the policies, and whether VA procedures for 
identifying, reporting and taking action when data has been improperly 
accessed or improperly used are adequate.
    This review will identify strengths and weaknesses in VA's policies 
implementing the provisions of computer security laws and the Privacy 
Act, and other confidentiality laws. We will also identify strengths 
and weaknesses in ensuring that VA employees are knowledgeable 
regarding their obligation to protect VA computer systems and 
information and that they will be held accountable for violations. We 
will make recommendations for improvement to ensure that data 
maintained by VA is protected from unwarranted intrusion and 
disclosure.

   SUMMARY OF OIG REPORTS ADDRESSING INFORMATION SECURITY WEAKNESSES

    We have conducted a number of audits and evaluations on information 
management security and information technology (IT) systems that have 
shown the need for continued improvements in addressing security 
weaknesses. My office has reported VA information security controls as 
a material weakness in its annual Consolidated Financial Statement 
(CFS) audits since before fiscal year (FY) 2001. Our Federal 
Information Security Management Act (FISMA) reviews have identified 
significant information security vulnerabilities since fiscal year 2001 
that place VA at risk of denial of service attacks, disruption of 
mission-critical systems, and unauthorized access to sensitive data. We 
continue to report security weaknesses and vulnerabilities at VA health 
care facilities and VA regional offices where security issues were 
evaluated during our Combined Assessment Program (CAP) reviews.

Consolidated Financial Statement Audits Continue to Report Information 
        Security as a Material Weakness
    Pursuant to the Chief Financial Officers Act of 1990, the VA 
consolidated financial statements are audited annually. We contract 
with an independent public accounting firm to perform this audit. As 
part of the audit, the contractor follows Government Accountability 
Office methodology to assess the effectiveness of computer controls. 
The contractor conducts audits at VA's three information technology 
centers and selected regional offices and medical centers.
    As part of the CFS audit, IT security controls have been reported 
as a material weakness for many years. A material weakness is defined 
as a weakness in internal control of VA systems that could have a 
material effect on the financial statements and not be detected by 
employees in the normal course of their business. We have reported that 
VA's program and financial data are at risk due to serious problems 
related to VA's control and oversight of access to its information 
systems. By not controlling and monitoring employee access, not 
restricting users to only need-to-know data, and not timely terminating 
accounts upon employee departure, VA has not prevented potential risk. 
These weaknesses placed sensitive information, including financial data 
and sensitive veteran medical and benefit information, at risk, 
possibly without detection of inadvertent or deliberate misuse, 
fraudulent use, improper disclosure, or destruction.
    As a result of these weaknesses, we made recommendations that VA 
pursue a more centralized approach, apply appropriate resources, and 
establish a clear chain of command and accountability structure to 
implement and enforce IT internal controls. We also recommended that VA 
improve access control policies and procedures for configuring security 
settings on operating systems, improve administration of user access, 
and detect and resolve potential access violations. Finally, we 
recommended that VA conform access privileges to the user's level of 
responsibility and position.
    VA has implemented some recommendations for specific locations 
identified but has not proactively made corrections VA-wide. For 
example, we found violations of password policies which management 
immediately corrected, but in following years, we found similar 
violations at other facilities. We also found instances of terminated 
or separated employees with access to critical systems identified at 
various locations which management corrected, only to discover similar 
instances elsewhere.

Evaluations of VA's Information Security Program Have Identified 
        Serious Vulnerabilities for Several Years That Remain 
        Uncorrected
    FISMA requires us to annually review the progress of the 
information technology and security program of the Department and 
report the results to the Office of Management and Budget. As part of 
the FISMA review, we conduct scanning and penetration tests of selected 
VA systems to assess controls for monitoring and accessing systems, and 
reviews of physical, personnel, and electronic security. We visit all 
three major IT centers and selected VHA and VBA sites.
    In all four audits of the VA Security Program issued since 2001, we 
reported serious vulnerabilities that remain uncorrected. These reports 
highlight specific vulnerabilities that can be exploited, but the 
recurring themes in these reports are the need for centralization, 
remediation, and accountability in VA information security. Since the 
fiscal year 2001 report, we reported weaknesses in physical security, 
electronic security, wireless security, personnel security, and FISMA 
reporting. Additionally, we have reported significant issues with 
implementation of security initiatives VA-wide. The status of 
unimplemented recommendations was discussed in subsequent audits.
    The fiscal year 2004 audit once again emphasized the need to 
centralize the IT security program, implement security initiatives, and 
close security vulnerabilities. We recognized that the CIO's office 
needed to be fully staffed, and that funding delays and resistance by 
offices to relinquish their own security functions and activities 
delayed implementation of the fully centralized CIO contemplated by our 
prior recommendations. The CIO's comments to the report referenced an 
April 2004 VA General Counsel opinion that held the CIO lacked the 
authority to enforce compliance with the VA information security 
program as one reason he could not address vulnerabilities. We again 
recommended that VA fully implement and fund a centralized VA-wide IT 
security program.
    In total, the fiscal year 2004 report included 16 recommendations: 
(1) centralize IT security programs; (2) implement an effective patch 
management program; (3) address security vulnerabilities of 
unauthorized access and misuse of sensitive information and data 
throughout VA demonstrated during OIG field testing; (4) ensure 
position descriptions contain proper data access classification; (5) 
obtain timely, complete background investigations; and complete the 
following security initiatives on (6) intrusion detection systems, (7) 
infrastructure protection actions, (8) data center contingency 
planning, (9) certification and accreditation of systems, (10) 
upgrading/terminating external connections, (11) improvement of 
configuration management, (12) moving VACO data center, (13) 
improvement of application program/operating system change controls, 
(14) limiting physical access to computer rooms, (15) wireless devices, 
and (16) electronic transmission of sensitive veteran data. As of May 
23, 2006, all recommendations from this report remain open.
    Finally, in fiscal year 2006, after Congress mandated full 
centralization of IT security under the CIO, as we advocated in our 
reports since 2001, VA is now moving out on a truly empowered 
centralized CIO. We have provided our draft fiscal year 2005 audit 
report to the Department and are working with the Department to resolve 
all outstanding recommendations. We have grouped our recommendations 
into two categories--the CIO's authority under centralization and 
longstanding vulnerabilities. With a centralized CIO with direct line 
authority to implement the needed fixes, we believe VA has a unique 
opportunity to successfully address all the vulnerabilities and 
weaknesses discussed in our reports since 2001.
    We believe centralization is essential because standardization is 
the key to fixing VA information security weaknesses. As long as three 
stove-piped administrations and other smaller component organizations 
are free to operate in the IT environment on their own within VA--
accountable not to the CIO but to other line managers who themselves 
are not accountable to the VA CIO--the vulnerabilities cannot be 
effectively resolved.

CAP Reviews Continue To Show Information System Security 
        Vulnerabilities Continue To Exist
    We continue to identify instances where out-based employees send 
veteran medical information to the VA regional office via unencrypted 
e-mail; system access for separated employees is not terminated; 
monitoring remote network access and usage does not routinely occur; 
and off duty users' access to VA computer systems and sensitive 
information is not restricted. We continue to make recommendations to 
improve security and contingency plans, control access to information 
systems, complete background investigations and annual security 
awareness training, and improve physical security controls.
    While individual and regional managers have concurred with these 
CAP recommendations, and our follow-up process confirms actions to 
resolve the specific conditions identified at these sites, we continue 
to find that corrective actions are not applied to all facilities to 
correct conditions nationwide. Consequently, we continue to find these 
systemic conditions at other sites we visit. For example, between FYs 
2000 to 2005 the CAP program identified IT and security deficiencies in 
141 of 181 VHA facilities. We identified IT and security deficiencies 
at 37 of 55 VBA facilities.

                                CLOSING

    In closing, I would like to assure the Committee that this matter 
will remain a very high priority for the OIG until it is resolved. I 
will ensure that all the resources that are needed to complete our 
reviews in a thorough and timely manner will remain dedicated to the 
goal of recovering the stolen data and protecting our Nation's 
veterans.
    Mr. Chairman, Madam Chairman, and Members of the Committees, thank 
you again for this opportunity and I would be pleased to answer any 
questions that you may have.

    Chairman Craig. Mr. Opfer, thank you for being here and 
thank you for that testimony.
    Let me turn to Chairman Collins.
    Susan.
    Chairman Collins. Thank you, Mr. Chairman.
    Mr. Secretary, first let me say to you that I do not doubt 
in any way your personal pain and your sense of outrage over 
what has happened. I know you are sincerely upset and that you 
are dedicated to remedying the problems.
    The chronology that you gave us in your testimony is 
absolutely baffling. This was not a minor security breach. It 
involved personal information about 26 million veterans. And it 
is just inconceivable to me that there were such long delays in 
informing you personally and in informing the veterans who were 
affected.
    The concern I have, however, with your testimony, is that 
you seem to be saying that it was just one employee. It was one 
employee who breached the trust of our Nation's veterans. But 
in fact, it is not just one employee. You have a high risk 
vulnerable system that has been identified time and again as 
vulnerable.
    I have a stack of just some of the reports from OMB, from 
the House, from the GAO, from the Inspector General's office. 
Over and over again, it is the same warning, the same 
conclusions, the same recommendations.
    For example, in this 2003 annual audit by the IG, it 
states, ``The security vulnerabilities identified represent an 
unacceptable level of risk.'' And then the IG goes on to make 
many recommendations.
    But here is what is most startling to me. For almost every 
recommendation, there is a notation that says the following: 
``This is a repeat recommendation from the fiscal year 2001 and 
2002 information security audit.''
    Similarly, a report by the IG just last year states,

          Our last four annual audits, as well as this year's, continue 
        to show significant security vulnerabilities. We continue to 
        find that the VA systems remain vulnerable to unauthorized 
        access and misuse of sensitive information and data.

It seems to me that you and the leaders in your Department were 
on notice. Were you aware of these repeated audits and reports 
that identified such serious vulnerabilities?
    Secretary Nicholson. Yes, I was, Senator Collins.
    And as I said earlier, that is one of the compelling 
reasons that we have really taken the steps we did to 
centralize our systems, our information system, so that we have 
tighter central control over these. Because it has gotten very 
decentralized, very loose and undisciplined. We have really 
taken some very significant steps, and there is just a change. 
I mean, the reassignment of thousands of people, the 
rebudgeting, the creation of a career field for IT personnel at 
the VA, which had not existed.
    But it is just underway. But it has taken, in response to 
this situation that was very evident, and other deficiencies 
that have existed there which are not germane things like 
business accounting, inventory control reports and so forth, 
that you get out of a centralized IT system that the VA has 
just gotten away from over the last couple of decades.
    Chairman Collins. Mr. Opfer, are you satisfied with the 
response to your office's recommendations?
    Mr. Opfer. Senator Collins, I have recently been appointed 
to the Inspector General since November. Jon Wooditch is the 
Deputy Inspector General, who also served as Acting IG, and has 
much more familiarity with the series of reports over the 
years. I am going to refer to Jon to respond to this.
    Chairman Collins. Mr. Wooditch.
    Mr. Wooditch. Thank you.
    No, we have not been satisfied with the response in the 
past. As you mentioned, we have repeated these recommendations 
year in and year out. The IT system has been considered a 
material weakness in the Department for 5 straight years.se on.
    In the last report that we put out, which was March 2005 of 
fiscal year 2004 activities, we listed 16 recommendations and 
many of those are repeat recommendations.
    I would like to add that in Mr. Opfer's statement for the 
record, we do recognize that Congress took efforts this year to 
centralize IT in the VA. We think that presents a very unique 
opportunity now for VA to address these recommendation.
    Chairman Collins. Thank you, Mr. Chairman.
    Chairman Craig. Thank you, Madame Chair.
    Senator Akaka.
    Senator Akaka. Thank you very much, Mr. Chairman, Madame 
Chair.
    Mr. Secretary, VA seems to believe that it is unlikely that 
the lost data will be used by the thief, and you mentioned that 
in your statement. Is that the judgment of law enforcement 
officials?
    Secretary Nicholson. Senator Akaka, if I gave you that 
impression, I did not mean to, that we think it is unlikely. 
What I was trying to say was that we think it was unlikely that 
the burglary was committed to get after that data.
    Senator Akaka. Mr. Secretary, it is my understanding that 
typically VA will scramble Social Security numbers based upon 
an encryption formula. Access to files that translate scrambled 
Social Security numbers is only possible with special 
authorization. Realizing the sensitivity of this data that was 
burglarized, was this data not scrambled?
    Secretary Nicholson. That is correct, Senator Akaka, it was 
not scrambled. There is a requirement for those who are 
authorized to take data home or to work with data at home that 
it should be encrypted, and this was not.
    Senator Akaka. Can you tell me, Mr. Secretary, what years 
of veterans this data covered? Does it date back to 1970 or 
1960?
    Secretary Nicholson. My understanding of it is that it is 
all veterans that were discharged from the services since 1975, 
plus veterans receiving disability compensation from our 
Department. The reason that we have that data is that there is 
a form that--I do not know if you remember--but when you are 
discharged the Department of Defense issues a form called a DD-
214. And that is the record of your service, time, awards, so 
on.
    And we, the VA, are an addressee on a copy of that for 
everybody that gets discharged. All of these veterans in this 
file are not receiving benefits from the VA, but we have them 
in our data file.
    Senator Akaka. I am asking that just so that veterans out 
there realize if they were discharged before that date, that 
their records were not in this 26.5 million data. Thank you.
    Mr. Opfer, can you reveal anything more about the criminal 
investigation that would comfort the Nation's veterans that the 
employee and the data were not targeted?
    Mr. Opfer. Yes, Senator Akaka, without compromising the 
investigation, I can say that the evidence to date indicates 
that the perpetrators of the burglary were specifically 
targeting computer hardware. There were a number of similar 
burglaries in the area where storage devices and computers, 
hardware, CDs, et cetera, were stolen. And it matches the 
similarity of a number of burglaries, including petty change, 
but very valuable items were left in the house. This fits the 
same pattern that Montgomery County Police have been seeing in 
a number of burglaries in the area.
    Also, our investigators have interviewed the employee a 
number of times and have gone to his house. We recovered a 
number of CDs and other equipment that contained VA sensitive 
data that was left in the house.
    So appearing from the similarity of the burglaries, with 
other regular house burglaries, and the fact that VA data that 
we are able to secure was still there, we do not believe there 
was any information that has been developed by the Montgomery 
County Police, the Office of the Inspector General 
Investigators, or the Federal Bureau of Investigation that 
would indicate that that employee himself was targeted for the 
fact that he was in possession of that VA data.
    Senator Akaka. The Secretary did mention that it appeared 
this burglary was at random. What is your reading on that?
    Mr. Opfer. From our conversations with the police and from 
my own experience, I have been in law enforcement since 1969, 
this fits the pattern that would be, that they would do some 
surveillance of residences to see when people come in and out, 
and if you work a routine. And this employee and his spouse 
were on a very regular routine. It fits the pattern of the 
burglaries in that area.
    So, I would say they kind of identified residents who would 
be vulnerable during certain periods of time and then committed 
those crimes.
    Senator Akaka. Thank you very much, Mr. Chairman.
    Chairman Craig. Danny, thank you very much.
    Senator Murray.
    Senator Murray. Mr. Secretary, I am trying to reconcile the 
numbers here. You are talking about 26.5 million records 
compromised. We have about 25 million veterans who are alive in 
the U.S. today. Six million of them are enrolled in the VA. So 
I want to get something straight. Does the lost data include 
spouses of veterans that would account for those number 
misconceptions?
    Secretary Nicholson. Senator Murray, some of the veterans 
on this list would be deceased, but would not have been 
expunged from the rolls, and that explains most of that.
    There were, however, some spouses.
    Senator Murray. Whose spouse has passed away and they are 
in the database?
    Secretary Nicholson. Yes, I am told.
    Senator Murray. That raises two questions. First of all, 
how are you doing outreach to all of these 26.5 million names, 
particularly--I mean, we have had a lot of press about veterans 
themselves. But I am certain that there are spouses out there 
who have no idea that their name is part of this.
    I would like to know if we are getting outreach to them to 
notify them.
    Secretary Nicholson. Well, we are doing all we can to get 
the message out the way we have, through the use of the media. 
And we are preparing a mailing that will go to everyone.
    Senator Murray. To all 26.5 million names?
    Secretary Nicholson. Yes, because we do not know those that 
have died.
    Senator Murray. And the cost of that?
    Secretary Nicholson. We are working on that. We are trying 
to buy envelopes right now, for example. There is not 
immediately available 26 million envelopes.
    Senator Murray. What account are you taking that from?
    Secretary Nicholson. We have been in and asked for 
reprogramming of some administrative money, and that was $25 
million, which was to cover the mailing plus, the cost of the 
phone centers. The mailing itself, we think, will be in the 
range of $10 million to $11 million.
    Senator Murray. That is significant in a very tight budget, 
so I am certain we will be hearing from you on the need for 
additional funds for the VA?
    Secretary Nicholson. You will be hearing from us, I think 
on different levels, because I think we also have things we 
have to do for our veterans with respect to trying to find a 
monitoring system that is practical for watching over this for 
our veterans to try to alleviate the anxiety that they have 
about it, we have something in place to watch, working with the 
three major credit bureaus.
    Senator Murray. I expect this will cost a great deal. I 
want to make sure that our veterans do not get a double whammy 
of not only losing their records, but then being denied 
services because costs are not covered. I want to make sure we 
are providing the additional dollars to cover this. So I hope 
we can hear from you soon.
    Let me ask you, as well, are you reaching out to VSOs to 
help our veterans?
    Secretary Nicholson. Yes, we are.
    Senator Murray. And give them the training that they need 
to deal with this?
    Secretary Nicholson. We have certainly been in 
communication with them. We have not initiated any training 
with them so far. We are trying to use them and they are 
cooperating to be a communicator.
    Senator Murray. I would suggest we look at some kind of 
training for the VSOs. That is usually who the veterans call 
first. And they, I am positive, do not have some of the 
training they need to do that.
    I would also like to ask how you are dealing with veterans 
who do not have access to the Internet, who do not know how to 
use the technology. Many of our older vets who struggle with 
this kind of information, how are we dealing with them?
    Secretary Nicholson. I think that is a very important 
question. I have been talking about that myself. My father was 
a veteran. He did not know how to boot up a computer.
    So we obviously have the phone banks in the mailing that we 
will be sending out. There will be other information that they 
can use and ways to communicate outside of the computer.
    Senator Murray. Have you ever gotten your credit checked, 
as you suggest, on the VA Web site?
    Secretary Nicholson. I have not, no.
    Senator Murray. It is not easy to do. So I am hoping that 
you are looking at additional staff to be able to answer the 
questions and work their way through that. It is not the 
easiest system, particularly for anybody, but for our vets who 
are personally worried right now, as well.
    Mr. Chairman, I also think we need to be very conscious 
that we are reaching out now to 26.5 million veterans. We have 
about 5 million who are using VA services now. We are 
essentially notifying 20-some million veterans that they are 
eligible for services. There will be the impact. We have a 
responsibility to make sure they get the services they need.
    And I hope we are looking critically at the impact on our 
budget, not only for the outreach, the additional training, 
making sure everybody gets the information they need, but also 
on the impact to our VA budget as more veterans are notified 
that they do have access to services.
    Chairman Craig. Senator, thank you for that concern. It is 
our concern. It is the Committee's concern. Obviously, by 
actions taken, it is the Secretary's concern.
    We will monitor it closely as this progresses to make sure 
that the resources are available to outreach in the appropriate 
fashion.
    You mentioned widows and it is obvious to me, I think and 
others, that there are widows on this list. This morning I was 
doing C-SPAN on this issue and the call-in and I got a call 
from a widow who was obviously very concerned that in some way 
her financial statements and records might have been 
compromised. So that certainly is a legitimacy to this kind of 
list and the size of the list involved.
    Thank you.
    Secretary Nicholson. Could I comment on that, Mr. Chairman?
    Chairman Craig. Please.
    Secretary Nicholson. My technical people just handed me a 
note that says that the only spouses on that file, we think 
right now, were the spouses in a file of people involved with 
mustard gas. And that involves a number of less than 100.
    Senator Murray. Then the discrepancy between the 25 million 
veterans who are alive today and the 26.5 million records that 
you are talking about, that is 1.5 million people and only 100 
are spouses. Who are these people?
    Secretary Nicholson. They are probably deceased, Senator 
Murray, 1800 veterans die every day in our country.
    Senator Murray. OK, and so does somebody else--I mean, I am 
assuming that their records can be used and compromised, as 
well. Are we notifying relatives or anybody else to be aware of 
that? I am not sure how this technically works, but it does 
raise concerns.
    Secretary Nicholson. What we plan to do is to mail that 
entire list in the hopes that if there is an address and a 
survivor at that address, they will get that notice.
    Senator Murray. If it goes to the person, it will be 
returned, I am assuming, so how would their families know?
    Secretary Nicholson. That is a good question. We will have 
to look at that. Your concern being the use of the identity of 
a deceased veteran.
    Senator Murray. Right.
    Secretary Nicholson. That is a good question, and I cannot 
answer it right now. We will have to look at that.
    Chairman Craig. Those are very legitimate questions.
    I think as you are able to unravel this, Mr. Secretary, it 
becomes very important for all of us, and especially for you, 
to understand those kinds of nuances and details, and that that 
information flow go public. I have to think that is very 
important.
    Thank you, Senator.
    Senator Isakson.
    Senator Isakson. Inspector Opfer, do the Inspectors General 
of the various agencies of the Federal Government ever meet 
together?
    Mr. Opfer. Yes, all the Inspectors General of the agencies 
are members of what is called the President's Council on 
Integrity and Efficiency. We meet formally once a month. And 
the chairman of that is the Deputy Director for Management for 
OMB. And one of the Inspectors General is selected as the vice-
chair. Then there are various committees of the PCIE, the 
Investigations Committee, Audit Committee, and Inspections, 
Evaluations, and Legislative.
    Senator Isakson. I have two suggestions. One is it would 
seem to me the Secretary has outlined his disappointment at 
being notified 13 days after the fact, that we should 
immediately install in the various agencies of the Government a 
rule that any breach of secure information and data is to be 
immediately reported to the person in charge. And I am talking 
about the secretary of the agency. I am not talking about the 
Department.
    Something like this should never go unknown by the boss. 
The Secretary, to his credit, accepted the blame, the buck 
stops here, and I appreciate his doing that. But I also 
acknowledge how tough it is to find out 13 days after the fact 
what you are going to have to take the blame for.
    So I would suggest that you all talk about what ought to be 
a Governmentwide policy, if there is any other breach. All that 
takes is a policy change.
    The second thing is that if, in fact, other agencies have 
information as accessible as the Secretary has described the 
information at the VA is, then I think the inspectors general 
need to make recommendations to the appropriate agency or 
authority, which is probably the Appropriations Committee of 
the U.S. House and Senate, as to what should immediately be 
done to put blocks and security on that information, so it 
cannot be accessed from the outside nor be portable enough to 
be taken out.
    So I would just recommend you do that. That is important. 
We have inspectors general to hold us accountable, to find 
discrepancies, to point things out that we need to do. We have 
a situation here that clearly demonstrates that a couple of 
changes need to be made.
    Any comments you have?
    Mr. Opfer. Yes, Senator. Just on this issue alone, I have 
been contacted by a number of inspectors general of these 
various agencies themselves, and including some deputy 
secretaries of departments. So when we conclude our review, I 
would be willing to discuss that with them and the individual 
things.
    In the normal process, I am a member of the Investigations 
Committee of the President's Council on Integrity and 
Efficiency and also the Inspection and Evaluation. We would 
make this available and make a presentation on to all of the 
inspectors general, including the officials of OMB at the PCIE 
meeting, as well as giving them the reports and briefing the 
appropriate members of the Appropriation Committee on both 
sides of the Hill and the Oversight Committees.
    Senator Isakson. Mr. Secretary, this is really a comment. 
Having had my identification taken, and having been notified by 
the company that lost it or allowed it to get out, I am aware 
of what happens in the private sector. What happens is they 
provide a means of protection for a period of time in the event 
the theft of the information actually gets in the wrong hands 
and is accessed.
    As you are investigating your cost to deal with the mailing 
and with the czar, or whatever else you do in the Department, I 
would suggest that you consider in the hopefully unlikely 
circumstance that if we find this information is accessed, we 
need to know how to deploy immediate security measures for 
these 26.5 million people and what that cost would be.
    From talking with the Chairman yesterday, that type of 
product is available. And its cost, in the volume like this, is 
not as insurmountable as one might initially think.
    So, I think as we are planning for how to prevent this from 
happening in the future, and we are budgeting for notification, 
there should be some investigation by the VA as to what we are 
going to do if the unlikely event happens and the information 
actually gets used inappropriately.
    So, I would appreciate your thinking about that.
    That is all I have, Mr. Chairman. Thank you, Mr. Chairman.
    Chairman Craig. Johnny, thank you very much.
    Senator Thune.
    Senator Thune. Thank you, Mr. Chairman. I appreciate that 
suggestion, as well as some of the others.
    I think a lot of the questions that have been raised today 
are very good questions, particularly with respect to the short 
term, notifying veterans how the agency, the Department intends 
to do that, as well as it just seems like this was a tremendous 
breakdown in the chain of command when it came to reporting the 
incident, considering the magnitude of this breach. So, I think 
the suggestion that my colleague from Georgia made regarding 
the IG and how that is reported is a good one. And it seems to 
me, at least, there has got to be some change in that area, as 
well.
    I am also concerned, obviously there are a lot of short-
term implications to this and many of those have been raised 
and touched upon. I also am concerned about, as well, the long 
term. As has been noted already, many of the reports that have 
been done in the past by the IGs and other agencies of 
Government, watchdog and audit agencies, have suggested 
weaknesses and flaws in the IT system at the VA.
    What I would like, Mr. Secretary, just to get you to 
comment on, is because one of the things that we have been 
talking about a lot up here is centralization of that function 
at the Department, rather than having these compartmentalized 
different databases out there that contain information on our 
veterans.
    I know that recently here the VA CIO, Mr. McFarland, 
resigned because the VA was not moving fast enough on the IT 
organization. My understanding is, as well, that he was brought 
on board specifically because of his expertise as a former 
executive at Dell Computer, and was supposed to be an agent for 
change for the VA when it comes to reform of the IT programs.
    At least the reports I have read suggest that he became 
frustrated beating his head against the wall of the bureaucracy 
at the VA and that, as a consequence, decided to leave. But I 
think it points to this broader question of IT management 
centralization and the privacy of the 26 million records that 
we are talking about today.
    But could you just talk a little bit about the context of 
his departure and your view about whether or not the VA is 
moving quickly enough when it comes to adopting the federated 
model of IT management centralization?
    Secretary Nicholson. I can, Senator.
    It is hard to say what Bob McFarland is feeling when he is 
not here. I had lunch with him shortly before he left, and I 
think that he feels quite satisfied about what he achieved at 
the VA. The statement about his getting tired of bumping his 
head against the wall, I think he got tired of doing what he 
had to do to break through to get done what we were doing.
    It did not become a totally adopted model that Mr. 
McFarland wanted because there is one exception in there, which 
is the developers of IT. These are the people that work to 
customize the applications of software for research going on at 
different hospitals and so on.
    But short of that, he achieved everything he set out to do. 
So, I think he made a monumental contribution to the VA.
    He wanted to get back and spend more time fishing. He 
thought he probably bumped enough heads and wrangled enough 
people doing what he got done, that maybe it was time for him 
to leave. I tried to talk him out of it.
    The important thing though is what he is leaving behind, 
with respect to what is going on now. It gives us a chance to 
be very hopeful.
    Now you ask me are we moving fast enough? I would say to 
that, no. I do not think anything, frankly, moves in the 
Government fast enough. Because there are both the embedded 
cultural resistances to this in the bureaucracy and there are a 
lot of regulations and laws that inhibit speed.
    But having said that, I will say that something very 
important has happened, and that is that the institutional 
resistance that was there to this big change has gone away. 
Those leaders are now very supportive of this and are working 
honestly and harmoniously in getting this done.
    But it involves the reclassification of thousands of people 
and the upheaval and anxiety that goes with that. As I said, I 
think I said, that it also will result in a new career field in 
the VA for information technology, which would give those 
people a chance to go up in their own field without having been 
piggybacked into IT from some other field that they came from. 
So it is a real advantage to them for that, as well.
    We have a team of really young, bright IT people who have 
the responsibility for this implementation. And they are 
underway.
    Senator Thune. I appreciate that, and Mr. Chairman we have 
had this discussion. I hope that you can continue to push the 
pace. I know there is resistance to change in every agency of 
Government and bureaucracy. It is just human nature as much as 
anything else. But the stakes in this debate are so high and 
the relative speed with which this transition has occurred 
seems to me to suggest that we are not doing enough.
    I am glad to hear you say that the culture is changing, 
because I think that is important, too, to recognize that this 
is where we are going. And once you get over that hurdle, then 
how do we get there in the quickest, most efficient way 
possible.
    But this incident obviously focuses a lot of light on the 
importance of that transition happening, particularly in light 
of many of the reports and suggestions and recommendation that 
have come previously that appear not to have been adhered to.
    So, we are obviously all looking for not only trying to 
determine exactly what caused this breach, but also, more 
importantly now, what we must do to fix it. So I thank you, and 
Mr. Chairman I have another question, but I am out of time and 
I think we have a vote on. So I yield back the balance of my 
time.
    Chairman Craig. We do have a vote underway.
    Gentlemen, I do have a couple more questions. I think 
Senator Collins does. We will ask you, if you would please, we 
will be brief. We should be able to get you out of here within 
the next 15 or 20 minutes. I will run and vote and come back.
    So we will ask the Committee to stand in recess until 
Senator Collins returns and then she can bring it to order.
    Thank you.
    [Recess.]
    Chairman Collins [presiding]. The Committee will come back 
to order.
    Mr. Secretary, I do expect some of our colleagues to 
return, in particular the Chairman. While we are waiting for 
that, I am going to proceed to a couple of additional questions 
that I have for you.
    For the past 7 years, it is my understanding that the VA 
and the Department of Defense have been working to achieve the 
exchange of patient health information electronically. The goal 
is to have an interoperable electronic health record.
    In addition, the Department of Veterans Affairs is working 
with the IRS and with the Social Security Administration on 
compiling and comparing some means test income data to ensure 
that non-service connected veterans receiving VA health care 
have the correct eligibility.
    I bring these two projects up because both involve a 
massive exchange of data, personal data, sensitive data in the 
case of the health care and income data. How much confidence do 
you have that there are appropriate safeguards, encryption, 
limits to access the information that is being compiled through 
these two projects?
    Secretary Nicholson. Senator, I would like to tell you that 
I have a lot of confidence, but I am not going to because I do 
not. I think that we have 7.5 million enrolled patients for 
health care at the VA. Every one of them has an electronic 
health record, which is exemplary, and it is one of the main 
reasons, I think, that we are such a very good integrated 
health care provider. It gives portability and safety.
    But I have worries about the fact that people can access 
this from remote stations and whether or not we have the 
controls in place to limit that access, and what are the 
possibilities for the downloading of it?
    Now I know that we have controls and we have codes and we 
have things that protect that. But I am not going to tell you 
that I think that it is what it should be.
    Chairman Collins. That is something that I hope the 
Department will act very quickly to take a look at.
    As I understand it, so far there has been no indication 
that the stolen data has been used for identity theft or 
financial fraud. And of course, all of us are hoping that that 
pattern will hold. There is a concern, however, that con 
artists could take advantage of this situation without having 
access to this data. I would like to give you a scenario that 
my staff had mentioned to me.
    It would be very easy for a scam artist to call up a 
veteran, refer to this loss of data, pretend to be a VA 
representative and ask for the veteran to verify his or her 
Social Security number and date of birth.
    Are you doing anything through your Web site or the 
Veterans Service Organizations to try to educate veterans on 
identity theft, in general, and that they should be very 
careful about giving out information, and perhaps to inform 
them that the VA is not calling to ascertain this information?
    I just worry that even if this information miraculously is 
not misused by anyone, that there are clever con artists who 
could use the fact of this information's exposure to take 
advantage of our veterans.
    Secretary Nicholson. I think it is a good point and we are 
not doing that, to my knowledge. It sounds like something we 
should be and can and will, yes.
    Chairman Collins. I think that would be very helpful and 
maybe it is something--Mr. Opfer?
    Mr. Opfer. Senator, actually you are right on target. We 
have been made aware of something like that yesterday and have 
reported it to the Department senior management. I think that 
needs to be very aggressively put out to the public. But 
something similar like that was reported and I had us bring it 
to the senior level of management. The Chief of Staff is aware 
of it and the other senior officials in the Department.
    Chairman Collins. So your concern is that may already be 
happening?
    Mr. Opfer. Yes, it would be a usual thing to happen in an 
event like this.
    Chairman Collins. It would. I have done work in this area 
on identity theft and the financial fraud and people will take 
advantage and exploit every vulnerability. It would be ironic 
if the stolen information were never used for this purpose, but 
then con artists use the fact of this incident to compromise 
our veterans.
    Mr. Opfer. A recent example of that was the tragedy in 
Fairfax, Virginia a few weeks ago, with the two police officers 
killed. Right before they were even buried, they were calling 
saying that they were calling on behalf of the police 
associations, generating funds. So as you have a tragedy, 
people are ready to come in.
    In my previous experience, I was the Inspector General at 
the Federal Emergency Management Agency. And every time you had 
a disaster, you had the people, as I referred to them the 
vultures, ready to come down.
    Chairman Collins. There are always the fraudulent charities 
that pop up, people who are willing to exploit any tragedy. I 
think the fact that you already have reports of that suggests 
the VA needs to be proactive.
    It seems to me one thing you might want to do with the 
notification letters is to include a flyer on protecting 
yourself from identity theft. The FTC, for example, has 
developed some very good materials on financial fraud in that 
area. So that is something that I would recommend.
    Mr. Secretary, you mentioned that you are working 
cooperatively with the credit bureaus, which I commend you for. 
In addition to educating veterans that they can receive a free 
copy of their credit report, is the VA looking into other ways 
to connect veterans with their credit reports?
    Secretary Nicholson. We are, Senator Collins. We also have 
been looking at some proposals from private sector, proprietary 
companies that are in this business. And our goal would be to 
see if we could create some kind of an overlay over the veteran 
community that could allay some of their fear and anxiety about 
this, knowing that there is somebody watching it and there is 
sort of a continual alert about them.
    It would work with these three major reporting bureaus. 
There are people in that business and we are looking at it. The 
cost of it is something we are not yet sure of, but I am pretty 
confident that given the volume that we have, that we are 
dealing with here, that we could get a pretty good deal, which 
would still be a substantial amount of money. But I think it is 
something that our veterans deserve.
    Chairman Collins. I agree and I am pleased you are pursuing 
that.
    Mr. Secretary, I want to go back to my initial statement to 
you when I said that I found the chronology that you gave in 
your testimony to be baffling. I think you find it to be 
baffling also. And I understand how frustrated and angry you 
must be that it took some 13 days before you were notified of 
such a serious breach.
    What is your theory on that? How do you think it was 
possible for there to be such long delays in bringing this 
incident to your attention? As I said, it was not minor. It did 
not involve just a few records. It is just so obviously urgent 
and serious that it is so hard for me to understand the failure 
of those in the Department to inform you.
    Secretary Nicholson. It is an appropriate question. It is 
difficult for me to answer because some of the people along the 
line are some of the most competent, dedicated people I have 
ever worked with anywhere. It is hard to answer, frankly.
    So I am only speculating. We have discussed it. They feel 
terrible. They have offered resignations. They were trying to 
deal with it themselves and get their arms around it and handle 
it. It is not clear.
    Chairman Collins. Thank you.
    Mr. Chairman.
    Chairman Craig [presiding]. I have one last question and 
before I do that, if you are leaving us.
    Chairman Collins. I do not have anything else. Thank you.
    Chairman Craig. Again, thank you for working with us for 
this joint hearing. I think it is obvious the problem that are 
now appearing in VA, and as we started this hearing, the 
question remains are these same problems system wide? The work 
you are doing in your Committee is critical and important. And 
we will monitor this and work with you to make sure that--you 
never say never, but we ought to have systems in place where 
that argument can at least be placed.
    Thank you very much, Susan.
    Chairman Collins. Thank you, Mr. Chairman. And again, thank 
you for taking the initiative on this very serious problem. I 
have enjoyed working with you on this hearing.
    Chairman Craig. Thank you very much, Madame Chair.
    Mr. Opfer, the Inspector General Act requires you to keep 
the Secretary and Congress fully and currently informed about 
any serious problem regarding VA's operation. In this case, it 
appears that the Secretary was not notified of the massive data 
security breach until 6 days after the IG Office was alerted to 
the incident, and Members of the Congress were not notified for 
several days after that.
    Again, this question has been asked, but for the record, 
given the magnitude of the data security breach, do you believe 
the IG's Office acted with sufficient haste in reporting the 
incident to the Secretary and ultimately to the Congress?
    Mr. Opfer. Yes, I do. Mr. Chairman, let me go through the 
chronology again.
    The IG Office was never notified of the security breach. It 
was a normal monthly meeting when an Information Security 
Officer from the IG was attending. It was not talked about. It 
was mentioned that an employee had some data stolen from a 
burglary at his residence. No information was given to that 
employee of the significance of it.
    He followed up on his own to try to find out what 
information he could. That was on the information of May 10th. 
There was no information given to the IG.
    He wrote it up and gave it to our Office of Investigations 
that went to the Department on Friday, May 12th to try to 
locate this Information Security Officer. The officer was not 
at work. The agents did not just wait. They tried to contact 
him at home. He was on leave. They were not able to contact 
that Information Security Officer that had the information 
until Monday the 15th. That is when they interviewed him, gave 
the preliminary information. We had no knowledge of anything 
other than an employee had some data stolen from the home, the 
residence.
    It was not until we interviewed the employee on the 15th 
that we realized that we had a significant problem developing 
there. That interview went for hours upon hours of interviewing 
the employee. That is where the information came to the IG.
    With the story what he was saying he had access to this 
type of information, that first thing you need to do is ask, is 
it credible? Would an employee have that much access to that 
type of sensitive information? And would he be able to take it 
to his residence?
    The second part was then to look if there were other issues 
with that employee? The investigators went through the 
background, doing name checks, record checks, reviewing his 
official personnel folder, looking at any issues that we may 
have had in the IG's Office, trying to determine, contacting 
their local police. Was there a burglary? Was it reported? Was 
it similar to others? Or was this a staged burglary? Were there 
issues with the employee? His family, with the police?
    It was not until the morning of the 16th of May that they 
spoke to the police. But they had to get to the detective that 
was doing this to see what we had. It was then immediately that 
the agents told the detective of the seriousness of what we 
were looking at, of the possible breach of millions of personal 
identification information.
    On the 16th, they came to me in the morning to brief me. I 
immediately, before he even finished the briefing, got on the 
phone to the Chief of Staff who was with Tim McClain, the 
Counsel, and explained to him what we had. We had a serious 
problem. The information only was coming to us from the 
interview of the agents with the employee.
    On the 16th, in the morning, this was about 9:30, when I 
spoke to the Chief of Staff, he told me that he was aware of an 
incident but did not realize the magnitude of the incident. It 
was after they had the 11 o'clock meeting, that I again spoke 
to the Chief of Staff and told him that I requested that he 
brief the Secretary on the severity of this.
    The Secretary was out of town attending the funeral service 
of former Congressman Sonny Montgomery. The Chief of Staff told 
me the Secretary would be back at 7 o'clock that night and he 
would brief him on it. The next morning, every day from then 
on, I had constant contact.
    So when it came to my attention, the Secretary was notified 
immediately from the Chief of Staff on the 16th.
    On the 17th, we again were confirming and working with the 
Montgomery County Police through the 15th, 16th and 17th. On 
the 17th, this is one day now from when we are verifying that 
we had a serious problem which was verified to us on the 16th, 
not only from the employee's interview, but verified that he 
did have access to this material, we notified the Federal 
Bureau of Investigation both from field office to field office, 
as well as the Acting Assistant Director for Criminal Division. 
So notifications were made in a very serious and coordinated 
effort.
    I had to balance a decision of whether or not to release 
that information. During all of these periods of conversations 
that I was having with senior level officials within the 
Department, I was advising them of my statutory responsibility 
both to Congress and both to notify the appropriate Federal law 
enforcement agencies, which we did within a day.
    The decision not to go public was one, and I kept using the 
phrase we are on borrowed time. As the IG's Office was 
ratcheting this up, as we were going out doing interviews, more 
people were going to become aware of what we are looking at. 
And I was concerned it was going to be released.
    Right from the beginning, on the 17th, I had conversations 
with the Chief of Staff that somehow along the line I was going 
to start these notifications. But the Chief of Staff agreed 
that we needed to be proactive and the Department was being 
proactive to reach out to try to look at what lessons they 
could get from the Federal Trade Commission, the Commerce 
Department, to establish the 800 number, the Web site and all 
these initiatives that went in.
    I had to balance where along the line does that come to 
with what we had as investigative leads which were quickly 
evaporating. We were very aggressively investigating every 
investigative lead that we had. And during that whole period of 
time, I was saying I am coming to the point I cannot justify 
legally or morally not making those notifications relative to 
investigative leads because they just were not there as we were 
knocking them off.
    On Thursday evening, I had a conference call with the 
Secretary, the Chief of Staff and the Counsel, and I do not 
know if anyone else was present. We talked about this. I talked 
about my position that we came to the point now, from the 
Inspector General's position, we should go public. It was time 
to make the notifications.
    We talked about do we balance that with the panic that we 
could cause for the veterans?
    I still said this did not outweigh my obligation and I 
would not delay that notification any longer. I felt from an 
investigative standpoint we have gotten to the point we were 
exhausting all of the leads that were available.
    It was agreed that the next morning I would receive a copy 
of a draft statement making the announcement. My staff 
contacted the appropriate Members of the Committee staff. I was 
prepared to make that notification on Friday.
    And I would like to ask Jon Wooditch then to talk about 
what happened Friday afternoon to try to convince us then to 
hold off.
    Mr. Wooditch. I was contacted by the VA General Counsel, 
who asked us to talk to the Director at the Federal Trade 
Commission because they were not quite ready with the Web sites 
and the hot lines and all of the other tools that they were 
going to use to satisfy the veterans calling in. It seemed to 
be a legitimate request. If we went out prematurely and we were 
not ready to deal with all of the calls that we were going to 
get, it could cause panic.
    So, I agreed to talk to the FTC Director and she convinced 
me that they would work feverishly over the weekend and have it 
done by Monday. Monday it was completed and the Secretary did, 
in fact, make the announcement on Monday.
    Mr. Opfer. I would also add on Sunday, that Sunday, I had 
two telephone conversations with the Associate Attorney General 
asking me if my position was still that. And I said I was 
concerned that we could not wait any longer. And I needed to 
verify, he was going to a meeting at the White House to verify 
that the FTC and all of these operations were going to be in 
place for Monday. He called me back later. He wanted to know, 
from my perspective as lead investigator for the OIG, and we 
discussed that he would reach out to the FBI to see if they had 
any additional leads. I said I was not aware of any, but I 
would reach out again to my supervisor and the agents working 
to see if there were any leads left that would justify 
withholding going public at that point.
    So, I do believe it was done in a timely manner.
    Chairman Craig. I mean, I find that fascinating. I am not 
here to challenge your judgment. I think I have, we probably 
have a better picture of what did and did not happen.
    I would hope that you all collectively look at what you did 
and how you did it with the hindsight you now have. It appears 
to me to be a fascinating case study. I do not know whether I 
am overreacting or under reacting. I do not know whether you 
overreacted or under reacted as it relates to the knowledge you 
had and how you handled the knowledge.
    I know one thing, that it was not until May 22 that I found 
out about it. And I do not believe I or this Chairman can be 
called public. We are not the public.
    Mr. Opfer. I was not talking about that. I was also talking 
about notifying Congress. It was whether or not, even again on 
Sunday I was requested by the Justice Department if I would 
reconsider my position.
    Chairman Craig. And yet, at the same time, I appreciate 
having the tools in place to handle response to an announcement 
of this magnitude. I can hardly question that because obviously 
you were getting a great concern and there is a lot of--as the 
information flows out, there is a growing concern amongst 
veterans as to whether they, in fact, have been compromised or 
not.
    That is part of why we are here today. But it is also why 
we are here to review, and in some instances to criticize.
    I hope that both of you recognize the importance of a 
constructive dialogue that gets us, as I said, not ever having 
this happen again. I do not believe in nevers. They just do not 
exist. But certainly we have had a record of problems here, not 
of this magnitude, and clearly one now that I trust will move 
forward on.
    Certainly this Committee, and I know that Susan's Committee 
will do the same thing. And as we look beyond VA to other 
agencies of Government to make sure that similar protocol and 
certainly similar policy is put in place. And my guess is with 
the legislation that is out there, legislation that will become 
law passed by Congress in relatively short order as it relates 
to these kinds of things.
    Susan, do you have any additional things you want to say?
    Chairman Collins. No, thank you.
    Chairman Craig. Again, gentlemen, thank you very, very much 
for being here this morning and being as cooperative as you now 
are. We appreciate that a great deal as we work our way through 
this. It is a joint effort.
    And Mr. Secretary, I appreciate your responses and 
obviously taking the responsibility that a person in your 
position must take to deal with these kinds of issues.
    But again, you have a cooperating Committee here that wants 
to make sure we deal with this in the appropriate fashion and, 
where necessary, to provide the resources, if necessary, to 
make sure that this goes away as quickly as possible and that 
no veteran is injured.
    Gentlemen, thank you both. Thank you all very much.
    The Committee record will remain open. Several of my 
colleagues have asked to submit questions in writing and, of 
course, we will allow that to happen. We will keep the record 
open for at least 2 weeks.
    Thank you.
    Voice: Will you take a statement from an affected veteran?
    Chairman Craig. I will be happy to visit with you 
afterwards and anything you want to submit to us, we will be 
happy to put in the record.
    Thank you very much.
    The Committee will stand adjourned.
    [Whereupon, at 12:41 p.m., the Committee was adjourned.]


                            A P P E N D I X

                              ----------                              


  Prepared Statement of Hon. Norm Coleman, U.S. Senator from Minnesota

    We are witnessing a disturbing trend in the Federal 
Government recently in which problems have been identified, 
warnings and recommendations have been issued and then no 
action takes place. The news delivered Tuesday that up to 26.5 
million veterans, the very people we have asked to sacrifice so 
much for this Nation, were now vulnerable to identity theft 
because a VA employee was able to just walk out of the building 
with highly sensitive information is appalling.
    Equally outrageous is that after a third-rate burglary took 
place and put veterans at risk on May 3rd , we learned 
yesterday that Secretary Nicholson was not notified of the 
breach for 13 days, and the FBI was not notified for 14 days. 
And if that weren't enough, since 2001 the VA Inspector General 
has reported security vulnerabilities relating to the operating 
system, passwords, a lack of strong detection alerts, and the 
need for better access controls.
    Mr. Secretary, while it was unfortunate you were not 
informed earlier of the burglary, identity theft is not a new 
problem and the blunt assessment the VA was given from its 
Inspector General should have immediately been addressed. It is 
also unfortunate and troubling that while the VA employee who 
was robbed informed the VA of what happened that same day, it 
took the VA 19 days, almost 3 weeks, to inform Veterans that 
they may be at-risk to identity theft.
    Additionally, identity theft and fraud is a national 
problem that has affected more than 10 million Americans and 
this case raises the question of what the Federal Government is 
doing to protect all sensitive information so it does not fall 
into the wrong hands. The Federal Government is responsible for 
maintaining and protecting sensitive information that Americans 
are required to provide for a wide array of reasons, including 
paying taxes, receiving medical and disability benefits, and 
obtaining retirement compensation.
    In order to determine the extent of the vulnerabilities in 
information security across the Federal Government, yesterday I 
sent a letter to the Government Accountability Office 
requesting a governmentwide review of the current policies and 
practices in place meant to protect the sensitive identity 
information of Americans, and whether these policies may allow 
for a similar type of security breach at other Federal 
agencies.
    The bottom line is that American citizens deserve to know 
if their sensitive information is safe.
                              ----------                              


     Prepared Statement of the Center for Democracy and Technology

    The Center for Democracy and Technology is deeply troubled 
by the revelation that the Department of Veterans Affairs 
carelessly allowed the personal data of millions of men and 
women who've served this country to fall into the hands of a 
simple burglar. Yet, it is our view that this breach is not the 
failure of one employee or even one agency. It is symptomatic 
of a larger failure of data management across the Federal 
Government.
    Until we bring the aging laws and policies that protect our 
personal information up to date with modern technology, these 
catastrophic data ``spills'' will only get worse.
    Attorney General Alberto Gonzalez responded to the breach--
the latest in a series of private and public sector privacy 
gaffes--by vowing to closely monitor for any signs of identity 
theft and to aggressively pursue offenders. This is an 
appropriate and necessary response, now that the data has been 
compromised, but it doesn't come close to providing the 
comprehensive protection for personal information expected when 
the Privacy Act was passed in 1974.
    A growing body of research, supported by years of 
Government Accountability Office reports, makes clear that it 
is time to bolster the protections in that law and dramatically 
improve enforcement.
    In 2003, GAO made clear that ``the government cannot 
adequately assure the public that all legislated individual 
privacy rights are being protected.'' This report and others 
made clear that the problem is not with an individual agency 
but rather an endemic lack of leadership from the White House 
and its Office of Management and Budget over Privacy Act 
enforcement. In the absence of strong Administration leadership 
individual agencies have been left to fend for themselves in 
bringing their information practices in line with the Privacy 
Act.
    CDT's discussions with agency privacy officers support the 
GAO findings. One chief privacy officer for a key agency told 
us that half of the agency's Privacy Act systems of records--
the databases most likely to have sensitive information on 
Americans--were simply missing.
    To address these serious concerns, GAO correctly recommends 
that agencies be given better guidance and follow best 
practices. The Office of Management and Budget's Privacy Act 
guidance was written in 1975 and has never been comprehensively 
updated. Technology has evolved enough in the past 3 years, let 
alone the past 30, to warrant a thorough rewrite of that 
guidance. Such a rewrite alone would send a clear message to 
agency heads and privacy officers that they will be held 
responsible for the sensitive data in their care.
    Although renewed leadership on Privacy Act compliance would 
be an important first step, it's also the case that the law 
itself is in need of renovation, given the technological 
revolution that has taken place in the decades since its 
passage. Congress must patch the holes in the aging laws 
intended to protect the personal information that Americans 
entrust to the government before more massive data breaches 
occur.
    Because of the rash of high-profile data breaches in the 
private sector, Congress has focused its legislative efforts on 
establishing data breach rules for the private sector and has 
not given the same attention to the serious privacy and 
security problems in government agencies that collect and 
maintain databases of personal data on Americans. Indeed, only 
one of the data-breach bills under consideration even begins to 
address the Federal Government's use of personal information. 
The measure, S. 1789, The Personal Data Privacy and Security 
Act'' sponsored by Senators Arlen Specter (R-Pa.) and Patrick 
Leahy (D-Vt.) would, among other things, require greater 
oversight over the government's use of personal data and would 
limit the government's ability to augment its data with 
additional information purchased from private-sector companies 
like ChoicePoint. Today, many government agencies are using 
this commercial data in ways that violate the spirit of the 
Privacy Act, but not the letter of the law. These practices 
have encouraged an atmosphere that suggests that the law is not 
as relevant as it was at the time that it was passed.
    Enacting those provisions would be a valuable step toward 
safeguarding our personal data, but Congress should go further 
and enact comprehensive legislation to bring Privacy Act into 
the 21st century. The law, written during the age of the 
mainframe computer, must be updated to respond to new 
technologies. Today, a smart phone can hold as much data as 
computers that occupied an entire room in 1974. Congress can 
start by updating the basic definitions of the Act and limiting 
the routine exemptions on the data.
    As early as 1977, a Congressional commission found that the 
Act's central definition--``systems of records''--was already 
outdated. Particularly on the Internet, where multiple 
databases can be linked, searched, copied and reconfigured, the 
concept simply does not work. Moreover, privacy advocates and 
policymakers have long complained that the ``routine use'' 
exemption is being used in ways going far beyond its original 
intent. That definition also needs to be reconsidered.
    Congress may also want to review the effectiveness and 
applicability of sections of the Taxpayer Browsing Protection 
Act of 1997, which was passed after abuses by IRS employees, 
including improper removal of taxpayer records from the agency, 
were revealed.
    Americans entrust the Federal Government with significant 
amounts of our personal information in order to deliver 
benefits and services. Updating privacy oversight, policy and 
law in this area is the first necessary step to ensuring that 
this information is not simply left vulnerable to common 
thieves.

        Prepared Statement of the Department of Veterans Affairs

    The Department of Veterans Affairs (VA) has recently 
learned that an employee, a data analyst, took home electronic 
data from VA, which he was not authorized to do. This behavior 
was in violation of our policies. This data contained 
identifying information including names, social security 
numbers, and dates of birth for up to 26.5 million veterans and 
some spouses, as well as some disability ratings. Importantly, 
the affected data did not include any of VA's electronic health 
records nor any financial information. The employee's home was 
burglarized and this data was stolen. The employee has been 
placed on administrative leave pending the outcome of an 
investigation.
    Appropriate law enforcement agencies, including the FBI and 
the VA Inspector General's office, have launched full-scale 
investigations into this matter. Authorities believe it is 
unlikely the perpetrators targeted the items because of any 
knowledge of the data contents. It is possible that they remain 
unaware of the information which they possess or of how to make 
use of it. However, out of an abundance of caution, VA is 
taking all possible steps to protect and inform our veterans.
    VA is working with Members of Congress, the news media, 
veterans service organizations, and other government agencies 
to help ensure that those veterans and their families are aware 
of the situation and of the steps they may take to protect 
themselves from misuse of their personal information. VA will 
send out individual notification letters to veterans to every 
extent possible. Veterans can also go to www.firstgov.gov to 
get more information on this matter. This website is being set 
to handle increased web traffic. Additionally, working with 
other government agencies, VA has set up a manned call center 
that veterans may call to get information about this situation 
and learn more about consumer identity protections. That toll 
free number is 1-800-FED INFO (333-4636). The call center will 
be open beginning today, and will operate from 8 a.m. to 9 p.m. 
(EDT), Monday-Saturday as long as it is needed. The call center 
will be able to handle up to 20,000 calls per hour (260,000 
calls per day).
    Secretary of Veterans Affairs R. James Nicholson has 
briefed the Attorney General and the Chairman of the Federal 
Trade Commission, co-chairs of the President's Identity Theft 
Task Force. Task Force members have already taken actions to 
protect the affected veterans, including working with the 
credit bureaus to help ensure that veterans receive the free 
credit report they are entitled to under the law. Additionally, 
the Task Force will meet today to coordinate the comprehensive 
Federal response, recommend further ways to protect affected 
veterans, and increase safeguards to prevent the reoccurrence 
of such incidents. VA's mission to serve and honor our Nation's 
veterans is one we take very seriously and the 235,000 VA 
employees are deeply saddened by any concern or anxiety this 
incident may cause our veterans and their families. We 
appreciate the service our veterans have given their country 
and we are working diligently to protect them from any harm as 
a result of this incident.
                                ------                                

                     VA's Notification to Veterans

    Dear Veteran: The Department of Veterans Affairs (VA) has recently 
learned that an employee took home electronic data from VA, which he 
was not authorized to do and was in violation of established policies. 
The employee's home was burglarized and this data was stolen. The data 
contained identifying information including names, social security 
numbers, and dates of birth for up to 26.5 million veterans and some 
spouses, as well as some disability ratings. As a result of this 
incident, information identifiable with you was potentially exposed to 
others. It is important to note that the affected data did not include 
any of VA's electronic health records or any financial information.
    Appropriate law enforcement agencies, including the FBI and the VA 
Inspector General's office, have launched full-scale investigations 
into this matter. Authorities believe it is unlikely the perpetrators 
targeted the items because of any knowledge of the data contents. It is 
possible that they remain unaware of the information which they possess 
or of how to make use of it.
    Out of an abundance of caution, however, VA is taking all possible 
steps to protect and inform our veterans. While you do not need to take 
any action unless you are aware of suspicious activity regarding your 
personal information, there are many steps you may take to protect 
against possible identity theft and we wanted you to be aware of these. 
Specific information is included in the attached question and answer 
sheet. For additional information, VA has teamed up the Federal Trade 
Commission and has a website (www.firstgov.gov) with information on 
this matter or you may call 1-800-FED-INFO (1-800-333-4636). The call 
center will operate from 8 a.m. to 9 p.m. (EDT), Monday-Saturday, as 
long as it is needed.
    We apologize for any inconvenience or concern this situation may 
cause, but we at VA believe it is important for you to be fully 
informed of any potential risk resulting from this incident. Again, we 
want to reassure you we have no evidence that your protected data has 
been misused. We will keep you apprised of any further developments. 
The men and women of VA take our obligation to honor and serve 
America's veterans very seriously and we are committed to seeing this 
never happens again. Sincerely, R. James Nicholson Secretary of 
Veterans Affairs.
            Sincerely,
                                        R. James Nicholson,
                                     Secretary of Veterans Affairs.
                               __________

                         For Immediate Release

                              May 22, 2006

         FREQUENTLY ASKED QUESTIONS ON VA'S LETTER TO VETERANS

    Question 1. I'm a veteran, how can I tell if my information was 
compromised?
    Response. At this point there is no evidence that any missing data 
has been used illegally. However, the Department of Veterans Affairs is 
asking all veterans to be extra vigilant and to carefully monitor bank 
statements, credit card statements and any statements relating to 
recent financial transactions. If you notice unusual or suspicious 
activity, you should report it immediately to the financial institution 
involved and contact the Federal Trade Commission for further guidance.
    Question 2. What is the earliest date at which suspicious activity 
might have occurred due to this data breach?
    Response. The information was stolen from an employee of the 
Department of Veterans Affairs during the month of May, 2006. If the 
data has been misused or otherwise used to commit fraud or identity 
theft crimes, it is likely that veterans may notice suspicious activity 
during the month of May.
    Question 3. I haven't noticed any suspicious activity in my 
financial statements, but what can I do to protect myself and prevent 
being victimized by credit card fraud or identity theft?
    Response. The Department of Veterans Affairs strongly recommends 
that veterans closely monitor their financial statements and visit the 
Department of Veterans Affairs special website on this, 
www.firstgov.gov or call 1-800-FED-INFO (1-800-333-4636).
    Question 4. Should I reach out to my financial institutions or will 
the Department of Veterans Affairs do this for me?
    Response. The Department of Veterans Affairs does not believe that 
it is necessary to contact financial institutions or cancel credit 
cards and bank accounts, unless you detect suspicious activity.
    Question 5. Where should I report suspicious or unusual activity?
    Response. The Federal Trade Commission recommends the following 
four steps if you detect suspicious activity:
    Step 1.--Contact the fraud department of one of the three major 
credit bureaus: Equifax: 1-800-525-6285, www.equifax.com, P.O. Box 
740241, Atlanta, GA 30374-0241; Experian: 1-888-EXPERIAN (397-3742) 
www.experian.com, P.O. Box 9532, Allen, Texas 75013; TransUnion: 1-800-
680-7289, www.transunion.com, Fraud Victim Assistance Division, P.O. 
Box 6790, Fullerton, CA 92834-6790.
    Step 2.--Close any accounts that have been tampered with or opened 
fraudulently.
    Step 3.--File a police report with your local police or the police 
in the community where the identity theft took place.
    Step 4.--File a complaint with the Federal Trade Commission by 
using the FTC's Identity Theft Hotline by telephone: 1-877-438-4338, 
online at www.consumer.gov/idtheft, or by mail at Identity Theft 
Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue, NW., 
Washington DC 20580.
    Question 6. I know the Department of Veterans Affairs maintains my 
health records electronically; was this information also compromised?
    Response. No electronic medical records were compromised. The data 
lost is primarily limited to an individual's name, date of birth, 
social security number, in some cases their spouse's information, as 
well as some disability ratings. However, this information could still 
be of potential use to identity thieves and we recommend that all 
veterans be extra vigilant in monitoring for signs of potential 
identity theft or misuse of this information.
    Question 7. What is the Department of Veterans Affairs doing to 
insure that this does not happen again?
    Response. The Department of Veterans Affairs is working with the 
President's Identity Theft Task Force, the Department of Justice and 
the Federal Trade Commission to investigate this data breach and to 
develop safeguards against similar incidents. The Department of 
Veterans Affairs has directed all VA employees complete the ``VA Cyber 
Security Awareness Training Course'' and complete the separate 
``General Employee Privacy Awareness Course'' by June 30, 2006. In 
addition, the Department of Veterans Affairs will immediately be 
conducting an inventory and review of all current positions requiring 
access to sensitive VA data and require all employees requiring access 
to sensitive VA data to undergo an updated National Agency Check and 
Inquiries (NACI) and/or a Minimum Background Investigation (MBI) 
depending on the level of access required by the responsibilities 
associated with their position. Appropriate law enforcement agencies, 
including the Federal Bureau of Investigation and the Inspector General 
of the Department of Veterans Affairs, have launched full-scale 
investigations into this matter.
    Question 8. Where can I get further, up-to-date information?
    Response. The Department of Veterans Affairs has set up a special 
website and a toll-free telephone number for veterans which features 
up-to-date news and information. Please visit www.firstgov.gov or call 
1-800-FED-INFO (333-4636).
    (a) CDT is a non-profit, public interest organization dedicated to 
preserving and promoting privacy, civil liberties and other democratic 
values on the Internet and new communications technology. Since its 
founding in 1994, CDT has tracked government information technology 
privacy and security policy to ensure that it has been kept up to date. 
This has included reports and testimony on the Privacy Act, the privacy 
provisions of the E-Government Act and the Federal Information Security 
Management Act.
    (b) GAO, Privacy Act: OMB Leadership Needed to Improve Agency 
Compliance, GAO-03-304 (Washington, DC; June 30, 2003).
    (c) CDT has championed the return of the Chief Privacy Counselor, 
or similar position, to OMB. At the end of the Clinton Administration, 
Chief Privacy Counselor Peter Swire produced regular guidance to 
agencies that, while not comprehensive, at least moved many agencies 
toward positive progress on important privacy matters.
    (d) OMB, ``Privacy Act Implementation: Guidelines and 
Responsibilities,'' Federal Register, Volume 40, Number 132, Part III, 
pp. 28948-28978 (Washington, DC.: July 9, 1975). There has been 
irregular guidance such as that issued on May 22, 2006 (the day of the 
public announcement of the breach).
    (e) Privacy Protection Study Commission, Personal Privacy in an 
Information Society, July 1977. An electronic version is available at 
http://www.epic.org/privacy/ppsc1977report/fPL 105-35.
  

                                  
