Cybersecurity group questions VA legislation

The cybersecurity provisions in a U.S. Department of Veterans Affairs (VA) bill approved by Congress late last week are in some ways too narrow and in others too broad, a cybersecurity group says.

The Veterans Benefits, Health Care, and Information Technology Act, largely focused on veterans' health-care programs, includes a section on information security requiring the VA to report data breaches of any "sensitive" personal information, potentially including breaches where only veterans' names were exposed, said Liz Gasster, general counsel for the Cyber Security Industry Alliance (CSIA), a trade group representing cybersecurity vendors.

The bill, passed by Congress late last week, requires the VA to report breaches of sensitive personal information to Congress and requires VA Secretary R. James Nicholson to create plans for notifying affected veterans, as well as offering credit monitoring and identity theft insurance to affected veterans.

If the VA ends up notifying veterans every time a document with just names on it is lost, veterans may become numb to breach notifications that contain real dangers, Gasster said. Thirty-four enacted state data breach notification bills require that a name be coupled with other data, such as an unencrypted Social Security number, drivers' license number or financial account number.

"Essentially, the loss of a list of names on a piece of paper constitutes a data breach under the law, which seems far too broad," she said. "Clearly, your name is not sensitive personal information."

The VA announced in mid-May that a laptop and hard drive containing the personal information of 26.5 million military veterans and their spouses had been stolen from an employee's home about two weeks earlier. Police later recovered the hardware, and VA officials said the personal information had not been compromised, but the breach set off a firestorm of criticism from Congress.

In addition to its potentially broad definition of sensitive personal data, the bill does not exempt the VA from reporting data breaches if the information was encrypted, Gasster said. In supporting a national data breach notification bill, CSIA and other groups have called on Congress to exempt encrypted data from notification rules, saying the exemption would encourage companies and government agencies to encrypt more data.

The lack of an exemption "seems like it deprives the benefit of encryption from the VA," Gasster said.

Although the bill's language on personal sensitive information and encrypted data is too broad, in some ways the bill doesn't do enough to protect consumers, Gasster added. The bill only addresses VA data breaches, not breaches at other government agencies or private companies.

CSIA and some consumer groups have pushed for a national data breach notification bill after a rash of breaches in early 2005, but Congress failed to pass a notification law. While the VA's large breach generated significant attention from Congress, other agencies have lost dozens of laptops containing personal information in recent years, and private businesses continue to have breaches, Gasster said.

CSIA wants a bill that would require agencies and companies to take reasonable security measures to protect data, Gasster added.

A spokesman for Senator Larry Craig, the Idaho Republican who sponsored the veterans bill, didn't return messages seeking comment on the CSIA's concerns.