[Congressional Record (Bound Edition), Volume 152 (2006), Part 7]
[Senate]
[Pages 9105-9106]
[From the U.S. Government Publishing Office, www.gpo.gov]




                      BREACH OF SECURITY WITHIN VA

  Mr. CRAIG. Mr. President, I come to the floor of the Senate briefly 
this evening to visit with my colleagues about an issue that we all now 
know about to some degree; and that, of course, is the very serious 
breach of security that occurred within the VA earlier this month.
  My office, like yours, is lighting up with phone calls from concerned 
veterans wanting to know how this could happen and what type of risk 
they are facing.
  So I thought I would take this moment, as the chairman of the 
Veterans Affairs Committee in the Senate, to visit with my colleagues 
about it: No. 1, to lay out the facts as we know them--they are limited 
because this is an ongoing investigation and, therefore, the FBI has 
denied VA the right to talk in any great detail about this breach of 
security--and, No. 2, to provide all of you with some context in which 
to think about this issue.
  First, what we know is that the information was taken to the home of 
a VA employee in violation of VA policy. We also know that the employee 
who took the information was authorized to view it. So this was not a 
case of unauthorized personnel looking at sensitive information. We 
also know that the employee was the person who brought the loss of the 
information to the attention of VA officials.
  So what we have is an employee, authorized to view information, who 
took the information home, apparently to do work in violation of agency 
policy, and then immediately informed the agency when the theft of the 
data became apparent.
  Certainly, the employee should face some consequence for his or her 
action. Obviously, he or she should have known not to remove that type 
of information from VA's protected data system. However, at this point, 
the actual removal of the data does not appear to be a crime at all.
  Of course, the FBI is still investigating whether any criminal 
behavior occurred. At this point, they do not suspect any foul play on 
the part of this longtime Federal employee. Rather, they only suspect a 
random act of burglary at the employee's home that, unfortunately, 
compromised this very important information.
  I must tell you that I struggle--a little--with the question of 
whether VA, or any Government agency, should keep information like the 
type that was lost without any real reason to do so. But I also know 
that when Americans contact their Government or veterans file a claim, 
they expect, in this day and age, that they will have their 
information. So there is a disconnect with what we expect and the 
security we expect it to be held with or if that information should be 
held at all.
  So given the expectations of our consumers, in this case our 
constituents, I think we need to make sure we have a uniform set of 
guidelines for training our employees all across Government, and that 
then we work on putting in place a system with enough checks and 
balances to be sure that no employee can abuse information data bases 
of any agency.
  Frankly, this problem is not likely limited to VA. Many Federal 
agencies keep records on citizens that contain sensitive information. 
It is not just IRS or HHS. There is information maintained by the 
Department of Education, that comes from the free application for 
Federal student loans or the Department of Agriculture, which provides 
crop assistance plans and crop insurance and a variety of other kinds 
of things.
  All of these agencies have names and addresses and Social Security 
numbers. They must be secure. At the same time, we need employees who 
can use that information for legitimate purposes to serve our 
constituencies in a timely fashion.
  All of this will require thoughtful balancing on the part of this 
Congress. We have to balance every doctor's need to see a veteran's 
medical records with the legitimate concern that one too many nurses on 
the floor have access to those records for no reason.
  I hope what took place at the VA a few weeks ago is only an isolated 
incident of bad judgment by a dedicated employee seeking to do a little 
work at home on his or her own time. But we must not ignore the fact 
that it appears, at this time, that getting that information to his or 
her home was very easy. That cannot be tolerated because it may well 
have been a breach of policy but not a violation of law.
  So my committee will hold hearings this Thursday with VA officials to 
examine what their policies and practices are with respect to sensitive 
information and how we can assure that a breach of security such as 
this does not happen in the future.
  We will also be asking the right questions about the security of 
veterans themselves and if VA is doing all they possibly can do at this 
time now, along with the IRS and the Social Security Administration, to 
make sure that veterans whose names were on that list--some 26 million, 
of which 19 million had critical information--be treated fairly and 
responsive to assure, if we can, the protection of their information 
base.
  It is fundamentally important that our Government and the Veterans' 
Administration respond as quickly as they can. And there is every 
indication, at least at this moment--which our hearing, I trust, will 
bear out--that they are moving in the right direction to assure that.
  This may have been the largest breach of ID in our Nation's history. 
We need to make sure, as a Congress and as a Senate, that this cannot 
happen in the future and that there are exacting guidelines to assure 
this will not occur. In a day of electronic data and access that is 
unique and sometimes very easy, we need to make sure we are current 
with all of our needs, without providing names and information that is 
not necessarily needed to be held by our Government.
  I yield the floor and suggest the absence of a quorum.
  The PRESIDING OFFICER. The clerk will call the roll.
  The legislative clerk proceeded to call the roll.
  Ms. LANDRIEU. Mr. President, I ask unanimous consent that the order 
for the quorum call be rescinded.
  The PRESIDING OFFICER. Without objection, it is so ordered.

                          ____________________