[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]

ONCE MORE INTO THE DATA BREACH: THE SECURITY OF PERSONAL INFORMATION AT FEDERAL AGENCIES
=======================================================================

HEARING before the COMMITTEE ON GOVERNMENT REFORM, HOUSE OF REPRESENTATIVES, ONE HUNDRED NINTH CONGRESS, SECOND SESSION

JUNE 8, 2006

Serial No. 109-159

Printed for the use of the Committee on Government Reform

Available via the World Wide Web: http://www.gpoaccess.gov/congress/index.html and http://www.house.gov/reform

U.S. GOVERNMENT PRINTING OFFICE, 28-759 PDF, WASHINGTON : 2006
For sale by the Superintendent of Documents, U.S. Government Printing Office. Internet: bookstore.gpo.gov. Phone: toll free (866) 512-1800; DC area (202) 512-1800. Fax: (202) 512-2250. Mail: Stop SSOP, Washington, DC 20402-0001.

COMMITTEE ON GOVERNMENT REFORM

TOM DAVIS, Virginia, Chairman

CHRISTOPHER SHAYS, Connecticut
DAN BURTON, Indiana
ILEANA ROS-LEHTINEN, Florida
JOHN M. McHUGH, New York
JOHN L. MICA, Florida
GIL GUTKNECHT, Minnesota
MARK E. SOUDER, Indiana
STEVEN C. LaTOURETTE, Ohio
TODD RUSSELL PLATTS, Pennsylvania
CHRIS CANNON, Utah
JOHN J. DUNCAN, Jr., Tennessee
CANDICE S. MILLER, Michigan
MICHAEL R. TURNER, Ohio
DARRELL E. ISSA, California
JON C. PORTER, Nevada
KENNY MARCHANT, Texas
LYNN A. WESTMORELAND, Georgia
PATRICK T. McHENRY, North Carolina
CHARLES W. DENT, Pennsylvania
VIRGINIA FOXX, North Carolina
JEAN SCHMIDT, Ohio

HENRY A. WAXMAN, California
TOM LANTOS, California
MAJOR R. OWENS, New York
EDOLPHUS TOWNS, New York
PAUL E. KANJORSKI, Pennsylvania
CAROLYN B. MALONEY, New York
ELIJAH E. CUMMINGS, Maryland
DENNIS J. KUCINICH, Ohio
DANNY K. DAVIS, Illinois
WM. LACY CLAY, Missouri
DIANE E. WATSON, California
STEPHEN F. LYNCH, Massachusetts
CHRIS VAN HOLLEN, Maryland
LINDA T. SANCHEZ, California
C.A. DUTCH RUPPERSBERGER, Maryland
BRIAN HIGGINS, New York
ELEANOR HOLMES NORTON, District of Columbia
------
BERNARD SANDERS, Vermont (Independent)
------

David Marin, Staff Director
Lawrence Halloran, Deputy Staff Director
Teresa Austin, Chief Clerk
Phil Barnett, Minority Chief of Staff/Chief Counsel

C O N T E N T S
----------

Hearing held on June 8, 2006 ..... 1

Statement of:
    Johnson, Clay, III, Deputy Director for Management, Office of Management and Budget; R. James Nicholson, Secretary, Department of Veterans Affairs, accompanied by Tim McClain, General Counsel, Department of Veterans Affairs, and Robert Howard, Senior Adviser to the Deputy Secretary and Supervisor, Office of Information and Technology, Department of Veterans Affairs; David M. Walker, Comptroller General, Government Accountability Office; William E. Gray, Deputy Commissioner for Systems, Social Security Administration; and Daniel Galik, Chief Mission Assurance and Security Services, Internal Revenue Service, Department of Treasury ..... 13
        Galik, Daniel ..... 69
        Gray, William E. ..... 59
        Johnson, Clay, III ..... 13
        Nicholson, R. James ..... 18
        Walker, David M. ..... 31

Letters, statements, etc., submitted for the record by:
    Clay, Hon. Wm. Lacy, a Representative in Congress from the State of Missouri, prepared statement of ..... 102
    Cummings, Hon. Elijah E., a Representative in Congress from the State of Maryland, prepared statement of ..... 100
    Davis, Chairman Tom, a Representative in Congress from the State of Virginia, prepared statement of ..... 4
    Dent, Hon. Charles W., a Representative in Congress from the State of Pennsylvania, prepared statement of ..... 96
    Galik, Daniel, Chief Mission Assurance and Security Services, Internal Revenue Service, Department of Treasury, prepared statement of ..... 71
    Gray, William E., Deputy Commissioner for Systems, Social Security Administration, prepared statement of ..... 61
    Johnson, Clay, III, Deputy Director for Management, Office of Management and Budget, prepared statement of ..... 15
    Nicholson, R. James, Secretary, Department of Veterans Affairs, prepared statement of ..... 22
    Schmidt, Hon. Jean, a Representative in Congress from the State of Ohio, prepared statement of ..... 98
    Walker, David M., Comptroller General, Government Accountability Office, prepared statement of ..... 33
    Waxman, Hon. Henry A., a Representative in Congress from the State of California, prepared statement of ..... 8

ONCE MORE INTO THE DATA BREACH: THE SECURITY OF PERSONAL INFORMATION AT FEDERAL AGENCIES
----------

THURSDAY, JUNE 8, 2006

House of Representatives, Committee on Government Reform, Washington, DC.

The committee met, pursuant to notice, at 10:41 a.m., in room 2154, Rayburn House Office Building, Hon. Tom Davis (chairman of the committee) presiding.

Present: Representatives Tom Davis, Shays, Mica, Gutknecht, Souder, LaTourette, Platts, Marchant, Dent, Schmidt, Waxman, Sanders, Cummings, Kucinich, Clay, Van Hollen, and Norton.

Staff present: David Marin, staff director; Ellen Brown, legislative director and senior policy counsel; Chas Phillips, policy counsel; Rob White, communications director; Andrea LeBlanc, deputy director of communications; Victoria Proctor, senior professional staff member; Teresa Austin, chief clerk; Sarah D'Orsie, deputy clerk; Kristin Amerling, minority general counsel; Adam Bordes and Anna Laitin, minority professional staff members; Earley Green, minority chief clerk; and Jean Gosa, minority assistant clerk.

Chairman Tom Davis.
The committee will come to order. Secure information is the lifeblood of effective government policy and management, yet Federal agencies continue to hemorrhage vital data. Recent losses of critical electronic records compel us to ask: What is being done to protect the sensitive digital identities of millions of Americans, and how can we limit the damage when personal data does go astray?

In early May, a Veterans Affairs employee reported the theft of computer equipment from his home, equipment that stored more than 26 million records containing personal information. While he was authorized to access those records, he was not part of any formal telework program. VA leadership delayed acting on the report for almost 2 weeks, while millions were at risk of serious harm from identity theft. And since admitting to the largest data loss by a Federal agency to date, the VA has been struggling to determine the exact extent of the breach. Just yesterday we learned the lost data includes information on over 2 million active duty and Reserve personnel as well as veterans. So the security of those currently serving in the military may have been compromised, and the bond of trust owed to those who served has been broken.

And that is just the latest in a long string of personal information breaches in the public and private sectors, including financial institutions, data brokerage companies and academic institutions. Just recently, a laptop computer containing information on nearly 300 Internal Revenue Service employees and job applicants, including data such as fingerprints, names, Social Security numbers and dates of birth, was lost while in transit on an airline flight, according to reports. These breaches illustrate how far we have to go to reach the goal of strong uniform government-wide information security policies and procedures.

On this committee, we have been focused on government-wide information management and security for a long time.
The Privacy Act and E-Government Act of 2002 outline the parameters for the protection of personal information. These incidents highlight the importance of establishing and following security standards for safeguarding personal information. They also highlight the need for proactive security breach notification requirements for organizations, including Federal agencies that deal with sensitive personal information. I know other committees have been working on the requirements for the private sector. Federal agencies present unique requirements and challenges, and it is my hope that we can work to strengthen personal data protections through regulatory changes and any needed legislative fixes.

The Federal Information Security Management Act of 2002 [FISMA] requires Federal agencies to provide protections for agency data and information systems to ensure their integrity, confidentiality and availability. FISMA requires each agency to create a comprehensive risk-based approach to agency-wide information security management. It is intended in part to make security management an integral part of everyday operations. Some complain that FISMA is little more than a paperwork exercise, an analog answer to a digital problem. This latest incident disproves that complaint. FISMA requires agencies to notify agency inspectors general and law enforcement among others when a breach occurs, promptly. It appears VA didn't comply with that requirement.

Each year, the committee releases scorecards based on information provided by chief information officers and inspectors general in their FISMA reports. This year, the scores for many departments remained unacceptably low or dropped precipitously. The Veterans Affairs Department earned an F the second consecutive year and the fourth time in the last 5 years the department received a failing grade.
The Federal Government overall received a whopping D-plus, although several agencies improved their information security or maintained a consistently high level of security from previous years, including the Social Security Administration.

Today the committee wants to discuss how we can improve the security of personal information held or controlled by Federal agencies. In my view, these efforts should include strengthening FISMA and adding penalties, incentives, or proactive notification requirements. OMB will discuss government-wide efforts to improve data security. GAO will highlight areas in which the protection of consumer information can be enhanced. In this context, we will focus on security at the Veterans Affairs, Social Security Administration and the IRS. VA Secretary Nicholson will discuss the details of that department's potentially catastrophic data breach. Officials from the IRS and Social Security Administration will describe the experiences and efforts of those agencies which stand as guardians of the largest storehouses of taxpayer information.

Government information systems hold personal information about millions of citizens, including health records, military service histories, tax returns and retirement accounts. E-commerce, information sharing, online tax filing are commonplace. If the Federal Government is going to be a trusted traveler on the information super highway, critical data on millions of citizens should not be able to go missing after a trip around the Beltway in a back seat of some government worker's car. And that is kind of where we are.

So we appreciate everybody being here. Secretary Nicholson, you are new to the VA, and I know this has come up, and you are trying to deal with it. We appreciate your being here today and sharing your thoughts. Mr. Waxman.

[The prepared statement of Chairman Tom Davis follows:]

Mr. Waxman. Thank you, Mr. Chairman.
I'm pleased you are holding this hearing on Federal data security. Last month, the sensitive data on 26.5 million veterans and active duty members of the military were stolen from the Department of Veterans Affairs. Everybody has heard about this, but I think we need to examine it carefully and learn from this experience. The administration needs to provide the public with a thorough accounting regarding the VA incident, and it must detail how it will ensure that no future breaches will occur with respect to the tremendous volume of information the Veterans Administration and other Federal agencies maintain on Americans across the country.

The recent VA data breach represents a violation of trust of remarkable magnitude. The administration's failure to protect against such an incident and its delayed response may have made millions of men and women who currently serve or have served in uniform vulnerable to identity theft and other potentially costly misuse of their information.

Unfortunately, this breach does not come as a surprise. Consider for example GAO's July 2005 assessment of information security in the Federal Government. GAO stated: "Pervasive weaknesses threaten the integrity, confidentiality, and availability of Federal information and information systems. These weaknesses exist primarily because agencies have not yet fully implemented strong information security management programs. These weaknesses put Federal operations and assets at risk of fraud, misuse and destruction. In addition, they place financial data at risk of unauthorized modification or destruction, sensitive information at risk of inappropriate disclosure and critical operations at risk of disruption."

So we had a warning as of July 2005, and indeed in this year, March of this year, in its annual scorecard evaluation, this committee gave the Federal Government a government-wide grade of D-plus, and the VA received a grade of F.
Well, remarkably and regrettably, the Bush administration has repeatedly shown questionable commitment to protecting the privacy of American citizens. For example, last December, we learned that the President had authorized warrantless eavesdropping on Americans' e-mails and phone calls despite Federal laws prohibiting this practice. Just this week, the Washington Post reported that "since the Federal medical privacy requirements went into effect in 2003, the administration has received nearly 20,000 complaints alleging violations but has not imposed a single civil fine and has prosecuted just two criminal cases."

Well, I hope the administration will view the VA data breach as impetus for placing higher priority on privacy issues relating to the sensitive data it collects and maintains on Americans. You would think that the General Accounting Office report in July 2005 which was so damning should have been a wake-up call. Now we have another wake-up call where the data has actually been surreptitiously available to others that could do harm to the veterans whose data may be used against them.

Well, I hope we will give a higher priority on privacy issues because technology advances facilitate the sharing of information, and as we develop new ways to use data on individuals to further important goals such as terrorism prevention, we must be vigilant about protecting Americans' privacy rights.

In the short term, the government must do everything possible to address expeditiously any harm resulting to the individuals whose data was stolen. The VA Secretary has taken several steps to provide information to veterans about the breach, but the administration should be doing more to support the affected veterans and active service members.
I recently joined Representative Salazar and over 100 other colleagues in urging President Bush to request emergency funding for free credit monitoring and additional free credit reports for veterans and others whose information was compromised. For our part, Congress should consider measures such as the Veterans Identity Protection Act of 2006 which Representative Salazar has introduced. This bill would require the Department of Veterans Affairs to certify that it has notified all affected individuals. It would also direct the VA to provide free credit monitoring services and reports to each affected individual.

We must also determine exactly what went wrong at the VA, not only to know what happened but to prevent future breaches. To that end, there is an ongoing joint investigation by the inspector general, the Department of Justice and local law enforcement, and I hope that today's hearing will advance our understanding of this issue.

Finally, the VA data breach should underscore the importance of ensuring implementation of sound information-security practices government-wide. The reports from the Office of Management and Budget and the Government Accountability Office show that some agencies, some agencies are making progress on this front. The A-plus grade this committee gave the Social Security Administration this year underscores that large agencies with aging systems and vast amounts of sensitive data can comply with Federal information security requirements.

I want to thank all the witnesses for taking time to appear before the committee today. I look forward to hearing from them about the issues raised by the VA data breach. I hope this will not just be another hearing, another wake-up call that is ignored and that we find ourselves with similar breaches of privacy as we unfortunately have seen with the veterans in this country.

Chairman Tom Davis. Thank you. Members will have 7 days to submit opening statements for the record.
[The prepared statement of Hon. Henry A. Waxman follows:]

Chairman Tom Davis. We will move to our panel. We have the Honorable Clay Johnson III, the Deputy Director for Management, Office of Management and Budget; the Honorable R. James Nicholson, Secretary of the Department of Veterans Affairs, accompanied by Tim McClain, who is the General Counsel of the Department of Veterans Affairs, and Robert Howard, the senior adviser to the Deputy Secretary and Supervisor, Office of Information and Technology, Department of Veterans Affairs; the Honorable David Walker, the Comptroller General, Government Accountability Office; William E. Gray, the Deputy Commissioner for Systems, Social Security Administration; and Mr. Daniel Galik, Chief Mission Assurance and Security Services for the IRS, Department of Treasury.

It is our policy to swear all witnesses in before they testify. So, including Mr. McClain and Mr. Howard, if you would rise and raise your right hands.

[Witnesses sworn.]

Chairman Tom Davis. We will start with you, Mr. Johnson, and we will move straight down. Thank you very much.

STATEMENTS OF CLAY JOHNSON III, DEPUTY DIRECTOR FOR MANAGEMENT, OFFICE OF MANAGEMENT AND BUDGET; R. JAMES NICHOLSON, SECRETARY, DEPARTMENT OF VETERANS AFFAIRS, ACCOMPANIED BY TIM MCCLAIN, GENERAL COUNSEL, DEPARTMENT OF VETERANS AFFAIRS, AND ROBERT HOWARD, SENIOR ADVISER TO THE DEPUTY SECRETARY AND SUPERVISOR, OFFICE OF INFORMATION AND TECHNOLOGY, DEPARTMENT OF VETERANS AFFAIRS; DAVID M. WALKER, COMPTROLLER GENERAL, GOVERNMENT ACCOUNTABILITY OFFICE; WILLIAM E. GRAY, DEPUTY COMMISSIONER FOR SYSTEMS, SOCIAL SECURITY ADMINISTRATION; AND DANIEL GALIK, CHIEF MISSION ASSURANCE AND SECURITY SERVICES, INTERNAL REVENUE SERVICE, DEPARTMENT OF TREASURY

STATEMENT OF CLAY JOHNSON III

Mr. Johnson. Mr. Chairman and members of the committee, thank you. I'm here to speak about the adequacy or inadequacy of existing laws, regulations and policies regarding privacy, information security and data breach notification. I'm here because we have had an unprecedented security breach causing the loss of personal data concerning millions of people.

Generally, at OMB, we believe we have sound laws, policies and standards related to this topic. But we can and must do a much, much better job of implementing them. We have policies and standards that call for encryption and passwords to protect data taken offsite via laptops, for instance. But we obviously need to do a better job of abiding by them. We must do a better job of holding ourselves accountable for implementing existing policies and holding each employee accountable for performing their assigned responsibilities.

In the short term, as the Deputy Director for Management, I have instructed agencies to remind each employee of their specific responsibilities for safeguarding personally identifiable information and the relevant rules and penalties. I have instructed them to review and appropriately strengthen the means by which they hold their bureaus and people accountable for adhering to existing security guidelines, and I have instructed them to ensure that they are reporting all security incidences as required by law. Our inspectors general are already reviewing the adequacy of their data security oversight. As chair of the PCIE and the ECIE, the two inspector general associations, I will make sure that IG oversight is consistent with the high level of accountability called for in this matter.

Longer term, the Federal Government is already implementing a 2004 Presidential Directive to develop and utilize information cards that will be used to control access to government computer systems and physical facilities. It will take several years to implement this new initiative.
OMB, all executive branch agencies and employees, and the inspectors general community have a shared responsibility to minimize the risk of harm associated with our use of this type of data. I am committed to working with Congress to ensure our information security policies and procedures are what they need to be and, most importantly, that we are all held accountable for following them. Thank you.

[The prepared statement of Mr. Johnson follows:]

Chairman Tom Davis. Thank you very much. Secretary Nicholson, thanks for being with us.

STATEMENT OF R. JAMES NICHOLSON

Secretary Nicholson. Mr. Chairman, ranking member, members, I want to thank you for holding this hearing. I think it is very timely, and I thank you for the invitation to appear here before you to provide you with a report and an assessment of current events at the Department of Veterans Affairs. In that context, I will also present a brief overview of VA security policies along with the Department's views on the adequacy of current regulation legislation, regulations and policies regarding privacy, information security and data breach notification.

Facts surrounding the recent data breach at VA are well known to you through their coverage in the media. I will briefly recap them, though, before reviewing with you the actions that I have taken in response and what we have learned and are learning as a result and what we need to be doing as we go forward.

A 34-year VA employee, a VA analyst, took home electronic data files from the VA. He was not authorized to do so, but he had been in the practice of doing it for 3 years. On May 3, that employee's home was broken into in what appears to local law enforcement to be a routine breaking and entering. His laptop computer and hard drive containing the VA data were stolen.
These data contained identifying information on up to 26.5 million veterans, some spouses and dependents. It is important to note that the data did not include any of the VA's electronic health records. On June 1, independent forensic experts that we retained confirmed that there was some data pertaining to active duty, Guard and Reserve troops. On June 5, we learned through ongoing analysis and through data matching and discussions with the Department of Defense that private information on over 2 million active duty, Guard and Reserves may have also been included.

As I stated in my testimony before the House and the Senate Committees on Veterans Affairs recently, I am totally outraged at the loss of this data and the fact that an employee would put so many people at risk by taking it home in violation of existing VA policies. I'm also gravely concerned about the timing of the Department's response once the burglary did become known. I accept responsibility for this. I am in charge of this Department. I have never been so disappointed and angry at people, but it is my responsibility also now to fix this. And just as the health care system, the VA has risen to be a paradigm of integrated health care in our country and it has done so in a relatively short period of time, I think that we can make the same of the VA and data security, and I'm committed to doing that because it's doable. It won't be easy, and it won't be overnight because we are going to have to change a culture.

Full-scale investigations into this matter remain ongoing. Authorities believe it's unlikely the perpetrators targeted the items stolen because of any knowledge of the data contents. We remain hopeful that this was a common random theft and that no use will be made of this data. However, certainly we cannot count on that.
And because we are committed to keeping our veterans and our service members informed, we have established call centers with call numbers to provide information which we have promulgated in many different ways, including a letter to each of the known affected people. We've dedicated a Web site that provides answers to any concerned veteran, service member or family member. These are updated as additional information becomes available to us regarding this theft and what it might entail.

From the moment I was informed, the VA began taking all possible steps to protect and inform our veterans. On May 31st I named Maricopa County District Attorney Richard Romley, formerly district attorney, as my new special adviser for information security reporting directly to me. Mr. Romley shares my commitment to cutting through the bureaucracy to provide the results our Nation's veterans and service members deserve and expect.

I have initiated several actions to strengthen our privacy and data security programs. On May 24th, we launched the Data Security Assessment and Strengthening Program, a high-priority focus plan to strengthen our data privacy and security procedures. On May 26th, I directed my top leadership to reinforce each VA manager of their duty to protect sensitive information. I've instructed all employees to complete privacy and cyber security training by June 30th. Further, I have convened a task force of VA senior leadership to review all aspects of information security, inventory all positions requiring access to sensitive VA data and ensure that personnel have the appropriate current security clearances. On June 6th, 2 days ago, I issued a VA information technology directive entitled, Safeguarding Confidential and Privacy Act-Protected Data at Alternative Work Locations.
I also issued a separate directive under the under secretary of benefits suspending the practice of permitting veterans' benefits employees to remove files for claims from their regular work stations in order to adjudicate claims from alternative work locations, including their homes.

During the week of June 26th, VA facilities across the country and including Guam, Manila and the Puerto Rican islands at every hospital, clinic, regional office, national cemetery, field office and our central office will stand down for Security Awareness Week. Managers throughout the VA will review information security and reinforce privacy obligations and responsibilities with their staff.

I've also ordered that every laptop in the VA undergo a security review to ensure that all security and virus software is current. The review will include removal of any unauthorized information or software. I have also ordered that no personal laptop or computer equipment will be allowed to access the VA's virtual private network or be used for any official business.

You asked that I review the VA's data security policies and procedures. I believe these have been shared with you and your staff and they are discussed in my written testimony. They include: VA Directive 6502, issued on June 30, 2003 on our privacy program; Directive 5011 dated September 22, 2005, providing specific policies and procedures for the approval of alternative workplace arrangements and teleworking. One existing guideline, Security Guideline for Single-User Remote Access, will be published very soon as a VA directive. This document sets the standards for access, use and information security including physical security, incident reporting and responsibilities.

I believe that the policies we have and the legislation under which they are promulgated are generally adequate. But it is, Mr. Chairman, too hard in my opinion to discipline people in the Civil Service. It is too hard to impose sanctions.
I have multiple examples of that I can give you of people at each strata of leadership in the VA who, due to the cultural lapses, have violated the existing policies. I think something that this committee and the Congress should look at is HIPA, the Health Information Portability Accounting Act, which has teeth in it for violations of health information breaches, and I think we should consider putting the same kind of teeth into an enforcement mechanism for the compromising and the careless and negligent handling of personal information, putting it under the same category of enforcement. Another that I think needs to be considered is that while we have a system in the government of doing background investigations for people to whom we will give access to classified information, we do not have a similar screen for those to whom we will give enormous amounts of data. And I will use--this is my wallet. This is a hard drive that holds 60 gigabytes; 60 gigabytes will hold 12 times the information that was compromised in our data breach. This will hold the personal information of the population of the United States, and it fits very easily into my vest pocket. So obviously what we need to do is know more about the people who have access. This employee who took this home, as I said, worked for 34 years with the VA. He has not had a background check for 32 years. He did, by the way, this year sign the annual requirement for security awareness. So it is clear that we need to put some teeth behind the obvious needs that also exist at the VA for more training, education and enforcement and the ascertainment of the culture of the people that we are giving access. This has been a painful lesson for me at the VA. Ultimately our success in changing this is going to depend on changing the culture, and that depends on our ability to change the attitudes of our people. 
It is our obligation to do this, to ensure that they have the right training, that they are instilled with the sense of discipline and the commitment to be careful in their trusteeship of this data, and we have an obligation on, collectively, I believe, at the governmental level to ensure the character and the vulnerability of people that have access in important work for caring for our veterans and all of the other people in this government. This is a personal priority of mine. Indeed, I believe it needs a crusade. This is an emergency. It is an emergency at the VA, and it should be an emergency in our society. Last night I was approached by a university president who recognized me to tell me about a data breach that they'd just had--I can't divulge--but a very prestigious university and its recommendations. So this is unfortunately rampant and we need to have better tools in the way of approaching it. Significant change in the way the VA manages its infrastructure ironically was put into place by me last October. Part of the reason the VA I think has gotten so lapse is that it is decentralized and it is spread all over this country, as you know. I made a major policy decision and we are centralizing information technology, and that is undergoing significant cultural resistance but we are going to do that and that was underway and that will also assist us in this broader goal and it will include both cyber and information security and privacy. We will stay focused on these problems until they're fixed and we will take direct and immediate action to address and alleviate people's concerns. With greater control comes greater accountability. Mr. Chairman, I remain cognizant that we are accountable not only to you, the Congress, but also to our Nation's veterans and our service members. And, Mr. Chairman, that concludes my statement. Thank you for this opportunity. 
[The prepared statement of Secretary Nicholson follows:]

Chairman Tom Davis. Thank you, Mr. Secretary. And now we'll hear from General Walker.

STATEMENT OF DAVID M. WALKER

Mr. Walker. Thank you, Mr. Chairman. I assume that the entire statement will be included in the record and therefore I will move to summarize. I appreciate the opportunity to be here today to discuss the key challenges that Federal agencies face in safeguarding certain personal and sensitive information that's in their custody and taking action when that information is compromised. As we've just heard, there have been circumstances in the past where such information has been compromised, and I think it is important to note that this is a matter of increasing concern both in the public and the private sector and breaches have occurred all too frequently in the private and the public sector.

As we look forward, I think it is important to keep in mind that Federal agencies are subject to security and privacy laws that are aimed in part at preventing security breaches, including breaches that could result in identity theft. The major requirements of the protection of personal privacy by Federal agencies come from two laws: The Privacy Act of 1974 and the E-Government Act of 2002. The Federal Information Security Management Act of 2002, FISMA, also addresses the protection of personal information in the context of securing Federal agency information and information systems. Federal laws to date have not required agencies to report security breaches to the public, although breach notification has played an important role in the context of security breaches in the private sector.
A number of actions can and should be taken in order to help safeguard against the possibility that personal information maintained by government agencies is inadvertently compromised. First, agencies should conduct privacy impact assessments and, second, agencies should ensure that they have a robust security program in place. In the course of taking a more strategic approach in adopting these two particular measures to protect privacy and enhance security over personal information, agencies should also consider several other specific actions, including limiting the collection of personal information, limiting data retention, limiting access to personal information and conducting appropriate training of persons who do have access, and considering using technological controls such as encryption when data needs to be stored on mobile devices, and other measures. Irrespective of the preventative measure that James put in place data breaches are possible and may occur. However, in the event that an incident does occur agencies must respond quickly in order to minimize potential harm that could be imposed by identity theft. Applicable law such as the Privacy Act currently do not require agencies to notify individuals of security breaches involving their personal information. However, doing so allows those affected the opportunity to take steps to protect themselves against the dangers of identity theft. Breach notification is also important in that it can help an organization address key privacy rights of individuals and in the government notifying somebody like OMB, helps to obtain a better understanding of the government-wide challenges associated with this area. Public disclosure of major data breaches is a key step to ensuring that organizations are held accountable for personal protection of information. At the same time, care needs to be taken to avoid requiring agencies to notify the public of trivial security incidents. 
In summary, agencies can and should take a number of actions to help guard against the possibility that data bases of personal, sensitive information aren't inadvertently compromised. Furthermore, when such compromises do occur, it is important that appropriate notification steps be taken. We at GAO are attempting to lead by example as well, and I must note, Mr. Chairman, that I met with my own CIO about these issues and am comfortable that we are taking appropriate steps, but I have also instructed them to take a couple of additional steps in light of some of the recent events that have occurred. I would also note that with the additional proliferation of teleworking and with the additional use of laptop computers in the government that this becomes an increasing challenge and one of significant concern and interest. As Congress considers legislation requiring agencies to notify individuals or the public about security breaches, we think it is important to ensure that there are specific criteria that are defined for the incidents that merit public notification. Congress may also want to consider a two-tier reporting requirement in which all Federal Government security breaches are reported to OMB and affected individuals regarding the nature of the violation and the risk imposed. Furthermore, Congress should consider requiring OMB to provide guidance to agencies on how to develop programs and remedies to affected individuals. And last, Mr. Chairman and members of the committee, I would say on listening to the two colleagues who presented before myself, you may want to think about whether or not there should be additional requirements for restricting access to sensitive information or conducting mandatory training and monitoring with regard to those who do have access for requiring reporting to OMB to the extent there is a significant breach within the Federal Government, and as the Secretary mentioned, make sure that there are tough sanctions for violators. 
We need to have incentives. We need to have transparency, and we need to have an accountability mechanism, and if we don't have all three of those the system won't work. Thank you very much.

[The prepared statement of Mr. Walker follows:]

Chairman Tom Davis. Thank you very much. Mr. Gray.

STATEMENT OF WILLIAM E. GRAY

Mr. Gray. Chairman Davis, Representative Waxman and members of the committee, thank you for inviting me here this morning to discuss government data security at the Social Security Administration. As SSA Deputy Commissioner for Systems, I appreciate the opportunity to talk about the ongoing challenge of safeguarding the personal information that the public counts on us to protect. As you know, Mr. Chairman, the Social Security Board's first regulation published in 1937 dealt with confidentiality of SSA's records.
Our policies predate and are consistent with the Privacy Act, and while the technologies we employ to ensure the safety and privacy of our records has changed dramatically over the 70-year history of our program, our commitment to the American people and maintaining the confidentiality of our records has remained constant. We nurture a security conscious culture throughout the agency from the executive level down. Every time an SSA employee logs on to his or her work station, and that includes the Commissioner of Social Security, a banner pops up warning that unauthorized attempts to access, upload or otherwise alter SSA's data are strictly prohibited and subject to disciplinary and/or criminal prosecution. In effect, every SSA employee sees that message every day he or she comes to work. We use state-of-the-art software that carefully restricts our employees' access to data. Using this software, we ensure the employees only have access to the information they need to perform their jobs. The software allows us to audit and monitor the actions of individual employees, and it provides us with the means to investigate allegations of misuse. Every year every SSA employee must read the Sanctions for Unauthorized Systems Access Violations, which we developed to secure the integrity and privacy of personal information contained in the computer systems. This memorandum advises SSA employees of the category of security violations and the minimum recommended sanctions. Annually, all employees are required to read and sign the acknowledgment statement indicating that they have read and understood the sanctions. Our Flexiplace agreements require adherence to our information management in the electronic security procedures for safeguarding data and data bases. While each Flexiplace agreement is different, they share different basic requirements. 
The agreements generally contain provisions that require participating employees to maintain lockable storage for securing files at the alternate duty site. They also require participating employees to protect government records from unauthorized access, theft and damage in addition to requiring protection from unauthorized disclosure in accordance with the Privacy Act and other Federal laws restricting disclosure of the information we maintain. A violation of the conditions set forth in the agreements results in disciplinary action. Penalties may range from reprimand to removal, depending on the seriousness of the violation. Despite our best efforts in establishing policy and procedures and enforcing these procedures, no system of safeguards is immune from human error. We use these rare occurrences to review and strengthen our security precautions. At SSA, our approach to data security is multi-faceted. It involved numerous policy and hardware and software safeguards. Even with all of the measures and safeguards we use, we cannot rest and be satisfied that we've plugged every hole. We continue to monitor, test, and evaluate what we are doing to prevent, detect and mitigate any potential threat. We strive to create and maintain a security conscious culture. We continue to try to stay abreast of all threats and vulnerabilities associated with emerging technologies, and our goal is to keep up with best practice approaches related to information security. We have recently reemphasized with all employees the critical importance of safeguarding personal information, and we've directed managers to reinforce this point with their employees. In light of recent events, we are also conducting the review of our response procedures and protocols. Mr. Chairman, Commissioner Barnhart and I recognize that data security is an ongoing challenge and critical component of our mission. 
We look forward to continuing to work with the committee to assure the American people that we are doing all that we can to maintain the security of the information entrusted to us. Thank you for the opportunity to speak before this committee, and I am happy to answer any questions.

[The prepared statement of Mr. Gray follows:]

Chairman Tom Davis. Thank you very much. Mr. Galik.

STATEMENT OF DANIEL GALIK

Mr. Galik. Good morning, Mr. Chairman, Mr. Waxman and members of the committee. I am pleased to be with you this morning to discuss IRS's efforts relative to information technology security and the privacy of both employee and taxpayer information. Commissioner Everson regrets that he could not be here today as he is out of the country on travel that was scheduled several weeks ago.

Taxpayer and employee privacy is of foremost concern to the IRS. We are charged with protecting the most critical information about virtually every American. Taxpayer data is subject to much higher statutory protection and safeguards. IRS's security policy guidance requires the mandatory use of encryption to protect all taxpayers and other sensitive, personally identifiable information that may be contained in IRS's computer systems. We continue to update our systems and our training so that employees who have access to sensitive information are aware of the steps they must take to prevent that information from being compromised. This job has never been tougher, specifically in an agency like the IRS. We have more than 82,000 full-time and 12,000 part-time employees.
We also have a large mobile work force that utilizes laptops and other portable storage devices, and they are authorized to have taxpayer and sensitive information with themselves at locations outside of IRS office space. By focusing on both privacy and security, we have made significant progress in upgrading our system to respond to the security challenges we face in this new age. Consider the following: We have achieved the green status on the President's management agenda fiscal year 2000 scorecard with over 90 percent of our major systems having successfully completed security certification and accreditation. In early 2004, very few of the IRS's major information systems had not completed security accreditation. We make use of a defense and security approach with over 100 firewalls and several intrusion detection devices on our computer systems. We operate our own computer security incident response center that monitors all network activity 24 hours per day. There is no evidence that any IRS systems, including the master files of all taxpayer data, have ever been successfully penetrated or compromised by external attacks. Cracking our system requires more than bypassing a single barrier. All IRS computers are equipped with multiple data protection tools that allow IRS users to encrypt all IRS taxpayer data and all other sensitive information that they may have on their computers, including their laptops. In light of the incident at the VA, the IRS is aggressively reviewing all policies, processes and training to ensure IRS users know how to use the encryption tools and are aware of the penalties of violation of policies. It is important to note that the laptops used by all IRS personnel working in the field are equipped with software applications that automatically encrypt all taxpayer and other personal and sensitive information. We have also been proactive not only in the area of security but also on our commitment to privacy. 
Almost 1 year ago we implemented OMB to designate senior officials to privacy. Despite all of this we know that we are still vulnerable to computer theft and loss, especially since our agents need to use laptops in the performance of their duties outside of IRS premises. For example, recently an IRS employee checked a laptop as checked baggage on a commercial air flight. The laptop did not make it to the proper destination. We determined that the laptop contained the names, Social Security numbers and dates of birth of 291 IRS job applicants and employees. We reported this security breach to our Inspector General and law enforcement, which are currently conducting an investigation. We have attempted to call each of the individuals as information was on the laptop, and we also sent a letter to inform them of the missing data and to guide them on how to watch for suspicious activity. We are also taking additional steps to ensure this does not happen again.

In summary, Mr. Chairman, we at the IRS take privacy and security of both taxpayer and employee information as one of our highest priorities. We have taken numerous steps to make sure that our systems are not breached, but because so much of our work is done offsite we have a heavy reliance on laptops and other portable mass storage devices. While we remain vulnerable to one of those devices being lost or stolen, we are making every effort to ensure that any data on such a device is encrypted and of no use to anyone. The Treasury Department and IRS look forward to continuing to work with the committee to ensure we are doing everything possible to protect taxpayer information and privacy. I appreciate the opportunity to appear today. I'll be happy to answer any questions.

[The prepared statement of Mr. Galik follows:]

Chairman Tom Davis. I want to thank all of you very much. Twenty-six million veterans' records, a million active duty records, 300 tax records. And I am just troubled with the number and the scope of losses. We have a lot of laws protecting secure information. Personal information really seems to fall into a different category and maybe we have to give it, you know, rethink how we deal with this. To all of you, I guess I'd ask, what assurances can you give this committee and the American public that personal and sensitive data in Federal IT systems are secure to access, control staff are being trained in security practices and the breaches will be detected quickly and those responsible for sloppy data handling will be punished?

Mr. Johnson. The question is what assurances can we give? We need to give them a greater level of assurance than they have now obviously. OMB needs to be held accountable for ensuring that all agencies have plans that they deem acceptable, that OMB and Congress deems acceptable and they implement this plan and they do what they say they are going to do, and there are various ways of doing that: Reporting mechanisms, details of reporting, frequency of reporting. There are a lot of mechanisms for doing that. I think we are doing more and more of that with the present agenda. A lot of our government-wide initiatives, security clearance reform. Where we are doing a better and better job of holding agencies accountable is for implementing some new way of doing business and we need to employ that here to everybody's satisfaction.
We need to make sure we have a plan, agencies have a plan to do what's the right thing and that they then follow through and implement that plan as promised.

Chairman Tom Davis. I mean, Secretary Nicholson, you came in with your plan of what you were trying to do proactively to prevent this in your agency. Let me ask for the employee who was involved, he's terminated at this point; is that correct?

Secretary Nicholson. That's correct.

Chairman Tom Davis. What was the lag time of when this was stolen and when he notified his superiors? Do you know?

Secretary Nicholson. He notified his superiors the day that he discovered that it had been stolen.

Chairman Tom Davis. OK. And did they--how long did it take to get to you?

Secretary Nicholson. Thirteen days.

Chairman Tom Davis. OK. Obviously you are dealing with that in your Department, aren't you.

Secretary Nicholson. Yes, sir.

Chairman Tom Davis. We don't know what is out there, but time is critical in a case like this. Have the police department, the local police department been involved in any leads on--have they put any pressure into this knowing what's at stake?

Secretary Nicholson. Yes. It's a well-known fact this happened in Montgomery County, MD, and the local law enforcement people turned to it immediately.

Chairman Tom Davis. There are a series of burglaries in that area.

Secretary Nicholson. There were a series of burglaries with the same pattern, and they believe that these were young burglars whose goal was to get computers and computer peripheral equipment from other houses like they did this house. They took laptops and hard drives, overlooked other sort of valuable or semi-valuable things to get this computer equipment. They further think that their MO is to take these things, clean them up, actually to erase them and fence them into a market for college campuses and high schools where they pick this stuff up pretty cheap. We have no assurance of that.

Chairman Tom Davis. All right.

Secretary Nicholson. By the way, the FBI is intensely involved now, as our Inspector General. They have had a few leads. They've apprehended a few people who have committed these burglaries but they didn't have--we have the serial numbers of this equipment and we checked it against some of the equipment but it didn't match.

Chairman Tom Davis. But the answer is the locals with Federal help now have intensified what would have been a routine investigation. I want to be assured that we are doing everything at all levels to try to close this out. That would be the win/win if we could close this out, find the perpetrators, find the missing disks and be able to bring this to closure.

Secretary Nicholson. Indeed.

Chairman Tom Davis. Data breach laws at the State level which require companies to inform individuals whom the organizations exposes a breach of their personal information have really improved our understanding of this problem. Congress is carrying a national breach standard, but currently there is no requirement to notify citizens in the case of a breach, the Federal agencies notify when a breach of personal information occurs on a Federal Government data base, and what, if any, guidelines exist to determine if a breach requires a notification? How do you determine what's trivial, and General Walker, do you have any thoughts on that and should we consider a Federal agency breach notification law?

Mr. Walker. The answer is yes, I think you should consider a Federal agency breach notification law, one that would require notification of affected individuals as well as notify OMB to obtain an understanding of what might be going on on a government-wide basis. I think one has to be careful to make sure that you do have some criteria laid out to meaningfully differentiate between certain events that don't represent a real risk of identity theft. For example, there may have been something that was misplaced for a short period of time that's been recovered. Obviously, that's not something you want to have a broad based notification on. And we would be happy to work with this committee to come up with some potential criteria. But yes, it is something you need to consider. You may well also want to consider whether or not you want to require agencies to have certain things. For example, to restrict access to certain sensitive information, to have mandatory training and monitoring with regard to individuals who do have access to certain reporting requirements, which we just talked about; and you may also want to think about whether or not there need to be tougher sanctions here than might exist under current law.

Chairman Tom Davis. Thank you.

Mr. Gray. I wanted to say under Social Security if there's a data breach, we would always notify. It is part of our policy to notify the claimant and work with them.

Chairman Tom Davis. Mr. Sanders.

Mr. Sanders. Thank you very much for holding this important hearing. Before I get into the thrust of the issue today I did want to respond to something Secretary Nicholson said. We talked about the improvements in VA health care and I concur with you. But, Mr. Secretary, remember just last year your administration denied VA health care access to over 250,000 priority 8 veterans, including those who had fought in World War II. You wanted to raise--double the cost of prescription drugs for our veterans. You also wanted to increase fees substantially, which would probably have thrown hundreds of thousands of other veterans of VA health care and the veterans organizations also understand that the Bush administration is significantly underfunding the VA and the needs of our veterans.
Now in terms of this issue today, it is really difficult to imagine with all of the money we spend on security at the Federal level every year how what appears to have been a garden variety burglary in suburban Maryland could result in a breach of the personal information of over 26 million American veterans, including, it appears, over 2 million American military personnel. You know we have about 300 million people in our country. What we are looking at is a breach of privacy for approximately 10 percent of the American population, and if you look at the adult population it is probably 15 or 20 percent, at one time, an unprecedented and extremely dangerous breach of privacy for tens of millions of Americans. According to a variety of experts quoted in yesterday's Washington Post, this breach could enable the holder of this information to, ``create a zip code for where each of the service members and their families live and if it fell into the wrong hands could potentially put them at jeopardy of being targeted.'' These experts, including those at the Center for Strategic and International Studies, have expressed concern that this released information could, ``reach foreign governments and their intelligence services or other hostile forces, allowing them to target their service members and families.'' One anonymous Defense official quoted in the Post called the extent of the battle, ``monumental.'' This is serious business. I think we all understand that. Mr. Waxman and Mr. Davis have raised some very important issues. Mr. Secretary, my question for you is, it is obvious, I think there is no disagreement here, that we have to make sure that this never happens again. We have to do a much, much better job in protecting the privacy in the records of all of the American people, including those in the military and our veterans, but this is my question for you. 
After all is said and done, after hopefully we do all of these things, if--and we certainly hope this does not happen-- if there is a breach of privacy, if in fact identity theft does happen and if in fact you know how--what a terrible situation would be of theft. People spend years and years working to recover. I am on the Financial Services Committee. We've heard horrendous testimony from people for years and years who have tried to clear their names as other people have stolen their identities. It would seem to me that given what has happened and the responsibility for it at the VA, what are you going to do to protect 28 or 30 million Americans whose identity theft may be at risk if in fact that happens? Are you going to come to Congress and say we will ask for money to make sure that we will provide the financial resources necessary and the legal resources necessary to protect those tens and tens of millions of people whose identity was released? Secretary Nicholson. I think that's a very good, very important question. And we--so far what we have done, we've notified every person whose identity that we have and with the cooperation of the IRS because the addresses we do not have we matched them against Social Security without a violation of their privacy and we were able to--we sent a letter to every affected person, and in that letter we give them one notice that this has happened and the steps that they can take and the steps--and we've coordinated closely with the three major credit agencies that there are in the United States who make available to every citizen upon a call or an e-mail or a fax a free credit check and a credit alert. So that they can implement that immediately. If they have any questions about how to do that or need assistance---- Mr. Sanders. And that's fine. I am aware of that. But here's the question. If--and we hope it does not happen, but if it does happen, you know, the identity theft is a horrible thing. 
We have heard testimony year after year from people who have tried to clear their names and convince creditors that they have not racked up these bills. It's a terrible experience. If that happens, are you going to come before Congress and say we have to take responsibility for the financial expenses incurred by veterans for the legal expenses? Are you going to come before Congress and ask for that help, or are you going to let the men and women in our military have to cope with this by themselves? Secretary Nicholson. I can tell you, Congressman Sanders, our No. 1 priority really in everything that we do at the VA is the veteran, what's best for our veteran, and we now have active service members that we would include in that priority. So what unfolds will be guided by that principle. We also, I would mention to you, have, and this was not in place before this came to the light of day, a new Presidential task force on identity theft and very ironically had a meeting set for this task force and I serve on it. The first meeting was accelerated and met the first day that we disclosed this information. And that task force will also consider this question because it's a very important question. I had a meeting yesterday afternoon with the veterans service organizations, leadership, 15 or 20 of them. We had the same discussion. Mr. Sanders. I think they have initiated a lawsuit against you; isn't that correct? Secretary Nicholson. One group of them has initiated, others have issued statements saying that's not the answer to this. Mr. Sanders. My hope, Mr. Secretary, is that in fact you will do everything that you can, that in case there is identity theft taking place that you do everything you can to protect financially and legally our veterans, that you will come before Congress if you need the money to do that. Chairman Tom Davis. Thank you very much. Mr. Gutnecht. Mr. Gutknecht. Thank you, Mr. Chairman. 
I guess I am becoming a little more or less confused about this from this testimony, because what I've been reading in the papers is there was a very serious security breach and that millions of names were out there floating in space. What I am hearing today, Mr. Nicholson, is that's not exactly the case, at least we don't know that yet. Let me review what we've learned today to make sure I am on the same page. An employee against the policy of the VA took their laptop computer home. That laptop computer was stolen. We don't know what happened to the data that probably was on that laptop, but so far none of that data has appeared in cyberspace as far as we know; is that correct? Secretary Nicholson. That's correct, Congressman. I just would add that they took a laptop, some computer disks and downloaded it into a hard drive and the hard drive was stolen also. Mr. Gutknecht. I am going to be clear on this. Who downloaded it or who downloaded it to the hard drive? Secretary Nicholson. The employee, the subject employee. Mr. Gutknecht. But the people who stole it, we don't know what they did with that data? Secretary Nicholson. That's correct. Mr. Gutknecht. So I think we have to be careful not to get too far ahead of ourselves in terms of real damage. So far there is no evidence that any of these people have actually sustained any real damage; is that correct? Secretary Nicholson. That is correct. Mr. Gutknecht. And in testimony you said that you are going to implement even tougher policies. The employee who was involved has been fired. What else has happened in terms of the agency not only to sort of cure this problem but to hopefully prevent this kind of a problem in the future--not only in your department; this could happen in any department, couldn't it? Secretary Nicholson. Yes, it could. His--the Acting Assistant Secretary in that department has been let go. The principal Deputy Assistant Secretary has been let go. 
We are rebuilding that department and the Office of Policy and Plans. They have a very bright, recently acquired Navy admiral that the President has now announced that we've recruited. We have tremendous opportunity in the private sector and he has a great background. He's teamed up to come in if confirmed to take over to rebuild that department. We are reviewing all of our existing rules, regulations and laws, and that is another reason I welcome the opportunity to come here not because it is pleasant to you in light of what's happened, it is my responsibility, but we need to put some more teeth into the enforcement of this because the attitude is far too laissez faire. And I would add that in the discussion that just ensued where we talked about having some teeth in HIPAA and not having teeth in FISMA, in HIPAA there is also a requirement to disclose to people if their identity has been accidentally or intentionally compromised, where there is not in FISMA. Let's put it in there. Just another step, and then we need to start enforcing some of this so we set some examples.

Mr. Gutknecht. Let me--I can't resist the opportunity, Mr. Gray, I want to come back to a question that keeps coming up relative to Social Security, and that is we are having some rather heated debates in Washington about illegal immigration. And I have heard employers say that one of the real problems we have is a lot of people are using false Social Security numbers. How does the Social Security Administration deal with that because I have heard there may be three different employees using the same Social Security numbers. How does that not come back to the----

Mr. Gray.
One of the tools that we fielded last year was the Social Security number verification system that allows an employee who they hire to enter the information into a Web based application and verify that person's Social Security number really doesn't belong to them to give them a tool in making sure that Social Security number and those wages are reported correctly. In addition to that, as employers report wages throughout the year we do checks to try to make sure that we associate the wages appropriately with the person's Social Security number.

Mr. Gutknecht. Are you saying right now we don't have multiple employees using the same Social Security number?

Mr. Gray. No, I am not saying that.

Mr. Gutknecht. How would you find that out?

Mr. Gray. When the wage earner--when the employer reports come in we can have multiple employers showing multiple wages on the same Social Security number. We try to investigate that.

Mr. Shays [presiding]. I'm going to interrupt. Mr. Waxman needs his time before the vote time.

Mr. Waxman. Thank you, Mr. Chairman. As I understand it, we have had on the books since 1974 laws to protect privacy and another law in 2002. The General Accountability Office has been giving grades to agencies about how well they're doing in meeting requirements. Isn't that correct?

Mr. Walker. I think this committee is the one that gives the grades. We do, however, look at computer security as part of our audit of the financial statements, and that is a material weakness area for many agencies.

Mr. Waxman. In fact, this committee gave the Veterans Administration an F in terms of security for this kind of data. Secretary Nicholson, you blame this on obviously employees being fired, on the culture, on people just not doing what they're supposed to be doing, but that doesn't sound to me like we are really getting to the heart of it. It is sort of passing the buck. Now it sounds like you are also going to seize this opportunity to clamp down, and I appreciate that.
But I just want you to know how bureaucratic it all sounds. We have Mr. Johnson from the Office of Management and Budget. You are the Secretary. You are Secretary for only a short period of time and you blame the fact that an employee had been there for a long time. I don't know what relevance that has except we need to find out who has access within the VA to the type of information that was stolen. Do you know how many people have access to this type of information?

Secretary Nicholson. Congressman Waxman, I don't think I could give you right now the exact number, but I will tell you that quite a few people do. We have a system of authorized telecommuting and teleworking that is a product of encouragement of the Federal Government.

Mr. Waxman. How many VA employees have the capacity to download this information unencrypted onto personal computers?

Secretary Nicholson. Well, the--of the subject information it would--I couldn't give you the exact number right now but that number would not be real high because this was a--out of what is called a BURALS file, which is an acronym for this system. He was working on a project at his home and using the entire data base. Not many would have that.

Mr. Waxman. You explained that individual. Do you know how many employees have such unencrypted information on personal hard drives outside of the VA offices now?

Secretary Nicholson. Yes. I think that 35, roughly 35,000 employees of the VA have some level of accessing data and working it on laptops or computers at home, much of it through the VPM, the Virtual Personal Network.

Mr. Waxman. That's a large number of people that have this information out. You have said that what we need to do is--I hope you'll take charge of those 35,000 people or so that had-- --

Secretary Nicholson. As I said in my testimony, we are doing a survey right now to see who all has access, why they have access, and what access they have, inventorying the entire system.

Mr. Waxman.
The story seems to have changed. First we were told only veterans and some spouses were affected and then about 50,000, but no more active duty personnel were affected. And then on Tuesday we learned that 80 percent of the active duty military may have been impacted. Was any medical information on any of these veterans, on active duty members compromised?

Secretary Nicholson. No, sir.

Mr. Waxman. How about disability ratings?

Secretary Nicholson. Some of them had a disability classification index in part of their line. But on the medical question there were no--no medical records were compromised in this at all. There were about 300 people that we have ascertained through the forensic work that we are doing that have an annotation, a medical annotation next to their name. And I'll give you an example because I looked at all of these. One of them said asthmatic. Another herniated disc. It is fewer than 300 but nearly 300 have that degree of annotation next to their name.

Mr. Waxman. I see my time has expired. Thank you, Mr. Secretary. Mr. Chairman.

Mr. Shays. Thank you very much. I'd first like to ask GAO is this something that should have shown up in our radar screen? We can throw bricks at the administration and we can throw bricks at the Department. But is this something where GAO could have alerted us better? Or you did alert us or combination of both? What's an honest assessment of why all of a sudden we seem to be outraged and shocked by what's happened?

Mr. Walker. I think both the GAO and Inspector General have both in this case been charged with the responsibility for auditing personal statements of respected agencies as well as U.S. Government overall. There are serious security challenges. So many agencies----

Mr. Shays. Same security channel. Say we are finding terrorists, it's more helpful when we are fighting Islamic terrorists we know are not from Iceland.

Mr. Walker. I think the key, Mr.
Chairman, we have a lot more controls over classified information and taxpayer information and, as Secretary Nicholson mentioned, there are now sort of the controls under HIPAA for health information. There is a gap here, and the gap is with regard to certain sensitive information that could end up improperly being disclosed, and I think one of the things we need to look at is not--clearly agencies should be taking steps on their own but Congress may want to consider requiring certain steps.

Mr. Shays. That's helpful information, but sometimes Congress will get blamed. Sometimes Congress will get blamed because we didn't do something. We look at the testimony and the department head says we have all of the money we needed to get the job done. You need to refer to someone.

Mr. Walker. If I can. Thank you. I've been advised we have not issued a report directly on this. However, in the conduct of our audits we have noticed weaknesses in this area before so it was one of a number of material controls.

Mr. Shays. But weaknesses specifically with people taking information out?

Mr. Walker. Weaknesses with the potential for information to be compromised, not that it actually was compromised.

Mr. Shays. What strikes me, you know, I heard the Secretary say he was outranked. He should be outranked because it is beyond stupid to take out sensitive documents. But I have a sense that is a common practice. So obviously we've all been a little asleep. The department heads have been asleep. The White House has been asleep. Congress has been asleep and now we are trying to deal with it, and all I wanted to know is there's been no specific outlining that we have this kind of problem. And you are coming forward and obviously saying we need to deal with this issue? You are also saying we have had security. We need to maintain security. Mr. Johnson, tell me, when you heard that this happened at the Department of Veterans Affairs?
Anger would probably be one way to describe it, but were you surprised or did you start to say, my gosh, you know, is this just the tip of the iceberg?

Mr. Johnson. No. I was surprised. I am told that there are dozens of security breaches involving a laptop, for instance, nothing, though--a year. None of these involve 26, 27 million names. So this is the hundred-year storm of security breaches. So the magnitude of it is the alarming thing. There are breaches. There will be breaches. And in spite, no matter however we spend and how tightly we resecure this, the more we secure it, the more responsible, the fewer the number of breaches, whenever we have one we need to respond accordingly, figure out what caused the problem and deal with it. But it was the number of names that was truly alarming to everyone.

Mr. Shays. If it's anticipated that this was a common theft, they weren't really looking for this bit of information and that's one of the opinions out there. Is it a strongly held opinion on the part of folks that are investigating this?

Secretary Nicholson. Yes, sir. I would say, Mr. Chairman, that it is quite commonly held among the law enforcement investigating communities.

Mr. Shays. Is it something where we can simply offer a significant reward to contact a certain person with no--that they return this with no prosecution? I mean, because what's at stake is so significant. Do we have the capability to say, you know, you stole the computer but, by the way, you have something that will cost us billions of dollars to deal with and provide some incentive for them to return it with no prosecution if they do? Do we have the capability to do that?

Secretary Nicholson. We do not have the capability. That was discussed at our hearings in the GAO committee. But I will say that a $50,000 reward has been posted by the Montgomery County, MD law enforcement community.

Mr. Walker. As I mentioned earlier, and you may or may not have been here.

Mr. Shays.
I was trying to be in a vote.

Mr. Walker. I understand. I was briefed by my own CIO with regard to our own procedures and there are two things that I think people can think about in this area right now irrespective of whether or not Congress takes any action. Specifically to encrypt all sensitive information of the type that we are talking about. That doesn't mean encrypt all information, but encrypt this type of sensitive information. And all--or prevent the ability to download and/or copy certain types of sensitive information. Those are things that can and should be done now. Because the fact is we are moving to use technology more. More and more government employees have laptops because they are mobile, because the government is promoting Flexiplace and things of that nature. So we need to take these steps to minimize the risk.

Mr. Shays. My Government Reform subcommittee oversees Defense and State Department hearings about classified material and we had DOD testing that 50 percent should be reclassified, 50 percent more than we should classify, we had the outside group saying we classified 90 percent more than we should. Then we had a hearing on all of these sensitive but not classified, which anyone could classify, and then we have a breach like this which clearly should never have gotten out of someone's office. So it blows you away and some of the secret stuff that I look at would make you laugh because there is nothing secret about it and something like this is huge and it just--when you went to look at it in your own operation, did you get a candid response from anyone who said, hey, boss, we sometimes take out stuff, too, or do you have confidence within your own department that this couldn't happen?

Mr. Walker. I have confidence. We have extensive procedures in checks and balances. For example, when we have this type of sensitive information, we typically end up having a separate hard drive that we lock up. We have computers at GAO.
The people can only use computers at GAO for this type of situation. You could theoretically have somebody who willfully and intentionally, however, wants to abuse the system, and that's why we've never had that, I might note. But that's why I am saying what else can we do to even try to deal with that situation. Even if you have all of these other checks and balances, that's why I come back to encrypt this type of information and/or possibly as a supplement prevent the copying and/or downloading of this type of information.

Mr. Shays. Let me conclude with this and then go to Mr. Mica. Is the biggest concern that people will be careless or that they will actually be devious and go beyond careless? What is the big concern? Maybe you could comment as well.

Secretary Nicholson. I think the bigger concern, Mr. Chairman, is carelessness. That's the instant case. This person wasn't being deviant. They were working on a project that he had been doing that for 3 years, taking the data home and working.

Mr. Shays. How long do you think it's going to take you to resolve this problem, not get the information back but make sure it doesn't happen again?

Secretary Nicholson. I think that it won't happen overnight but it is very doable and we are under way. It is something that absolutely has to be done, but I don't know that you were here, but we are going to need some tools for enforcement and you were touching on it a minute ago when we require----

Mr. Shays. I don't want to repeat the record. Yes, Mr. Johnson, and I apologize.

Mr. Johnson. I'd like to point out that--follow up on what Mr. David Walker was talking about. It is currently the standard that all data, sensitive data on laptops be encrypted. That is the standard. It's just not enforced. We don't hold agencies, ourselves accountable for that being the case.

Mr. Shays. Thank you. Mr. Mica.

Mr. Mica. Thank you, Mr. Chairman, and I am not here really to beat up on these witnesses.
In fact, I know three of them fairly well. You have three probably of the most dedicated, capable, public servants. Watched Clay Johnson and his experience over the years and Secretary Nicholson, incredible representative of the United States, and his tenure, and now incredible advocate for our veterans. Then I have known Mr. Walker since--I don't want to say since he was in diapers but for a long time. Although you look pretty old these days, Dave. But the problem is not these capable administrators or the other witnesses you have. The problem is advances in technology, and I would venture to say since you know on this disk you have millions and millions of pieces of information and pretty soon we'll have it probably in something the size of the thumbnail, and I would venture to say that not a day goes by that someone from your agencies or congressional staffers don't take laptops home or someplace else and we are at risk. What we had here was a theft, a criminal act. But we do have to keep the laws and the rules up with technology, and that's what we are always having trouble with in Congress. Laptops didn't even exist. Cell phones, I was in the cell phone business and I was a pioneer in 1987, something like that. That's not that long ago. So keeping up with it. So I have a couple of questions. I left it after a bit, but did we do our job? I see that even the President did in August 2004 a directive that actually directed OMB to take the lead here. I did read that--we have two responsibilities. One is protecting data and what to protect and then, well, what to protect and unprotecting it. And how we protect is so important. OK. Clay, you were responsible. You're still the lead agency in this, in setting the----

Mr. Johnson. In some HSPD1 identification cards.

Mr. Mica [continuing]. Security of information for the agencies. Did you--have you sent out a--so you have sort of taken a lead in this?
And then I read that while 20 percent of the government systems are certified and accredited, this is agency security planning. That means 20 percent are not. Do you monitor this? Is that your responsibility?

Mr. Johnson. Yes.

Mr. Mica. Who isn't the 20 percent? It says 80 percent of the government systems.

Mr. Johnson. I can get you that information.

Mr. Mica. I think that's important to find out where the gaps are. Do you have enough legislative authority to do what you need to do to make certain there is compliance? Because I know these agencies--we have dozens of agencies and they are all going their own way. Do you have enough legal authority from the Congress to set standards? And then the other thing, too--the important thing here, too, is reporting back an incident. And I read you directed your staff to have Homeland Security chief information officer counsel to identify the appropriate detail and schedule for distributing a periodic government-wide incident report. That is getting information back on incident.

Mr. Johnson. Yes, sir.

Mr. Mica. You pick them, and do you have enough authority and do they have enough authority to get compliance? And then the concern of the chairman was the timeline of information and reporting. Would you answer that elongated question?

Mr. Johnson. As to the second question, the reason why we refer to DHS, they are the cybersecurity office. They are the lead on cybersecurity. So that's why this reporting is to them. And it's my understanding it is not clear as it needs to be how we record different kinds of breaches, and we need to be sure that it's real clear----

Mr. Mica. Do you have a systemwide standard right now? OK, a breach has occurred. What's the reporting? Is that----

Mr. Johnson. We have that now, but the reporting is inconsistent and I'm not sure that they're all--it's equally clear to all agencies. So we need to make sure that it is.

Mr. Mica. Do you have the authority to require that?
Not require; you are just requesting. It is a "may" rather than a "shall."

Mr. Johnson. I don't know. I think of them as being the same. But maybe somebody else would think of them differently, but----

Mr. Mica. Again it is nice to beat up--we pass the laws and then sometimes we allow you to pass the rules. But we have to make certain that somebody has the authority and responsibility for this, both the----

Mr. Johnson. I think one of the things we can do is, in general, I think we have the laws and the regulations we need. We don't need to assume that, though. We should go and make sure that maybe there's--we have 95 percent of what we need but we need extra teeth in it, as the Secretary talked about, over here and over here. So we need to review that. I bet we'll find a couple of additional things we need to do. But the big opportunity and the big challenge here is to enforce and be held accountable, all of us, for abiding by the laws and regulations and processes and procedures and standards that are already on the books.

Mr. Mica. Thank you.

Chairman Tom Davis. Thank you. Mr. Souder.

Mr. Souder. Thank you. What's happened here is basically every conservative's nightmare about consolidation of information in the Federal Government; what would happen. And I was pleased to see in your testimony, and then, Secretary Nicholson, you responded to it because you said that in addition to informing all concerned--I was a little concerned. Mr. Johnson just said that he didn't think there were necessarily new laws, and you've been saying we need new laws because, for example, in your statement you say this may violate Federal law and could result in administrative, civil, or criminal penalties. This is something Congress should act on immediately because when we talk about disincentives to take things home and to not follow the rules, you can sit through seminars but if there's no consequence--so I was glad to see you make that point.
I have one technical followup question to Mr. Gutknecht. You said that there is some reason to believe this is a computer fencing firm basically. Was the disc inside the computer or did they also collect discs that are lying around the site?

Secretary Nicholson. I'm having a little trouble hearing you. Was your question----

Mr. Souder. Regarding the theft, the statement said there's speculation that this may be a group of people who basically fence computers, steal the computers. But you made the statement that the drive--was that in the computer, or did they take it in particular, or did they take the other information and there may be a secondary market going on?

Secretary Nicholson. There was a laptop and a hard drive. They weren't at that time connected. They took both of those and did not take the discs.

Mr. Souder. So only the discs that were inside the equipment are what they have?

Secretary Nicholson. We don't know--we don't know what was loaded in his laptop.

Mr. Souder. We don't know that the information has been stolen----

Secretary Nicholson. He told us that he had downloaded these discs into the hard drive. We obviously don't have the hard drive either. That's what was stolen. But we do have the discs. And he brought those to us and that's what's been undergoing this forensic analysis is the holdings that are, you know, developed.

Mr. Souder. Thank you. Because what that means is that somebody has to actively download to do that, and there has to be another step in the process here. Mr. Johnson, Congressman Sanders raised the question to Secretary Nicholson, but those of us who have been here a long time know that this is really--a lot have known--the question. If indeed we start to identify that in fact this information is being used, it is outrageous that many low-income veterans and veterans would have to pay for the credit reports.
Would OMB back up the Veterans Administration in coming to Congress and saying look, we need some money because the veterans shouldn't have to fund this because it's a government error, not their error?

Mr. Johnson. We agree totally with Secretary Nicholson that our highest priority is to find the best way to serve the veterans and the active military personnel who are at risk of being harmed here, and that means figuring out the best way to do that and then doing it.

Mr. Souder. You agree it's not their financial responsibility to try to figure this out; that the government made the error, they didn't?

Mr. Johnson. I would agree with that. But, again, that's not just financial response--our responsibility or not. It's all the ways we can serve them.

Mr. Souder. It's broader than that.

Mr. Johnson. Yes, sir.

Mr. Souder. But if you don't have--if you're already trying to figure out how to cover your health care, you're already trying to figure out how to cover your housing, you don't have much income, asking to do multiple credit reports to track-- like it's their responsibility that they lost it when it was the government's--is a big deal right now.

Mr. Johnson. Right.

Mr. Souder. And I wanted to ask Mr. Walker--and this may also come back to you, Mr. Johnson--that most identity theft in the United States right now isn't related to trying to steal the person's full identity, or even for financial purposes. It's related to the fact that we have Social Security numbers being stolen for illegal--by illegal immigrants who need a job, many of them in my district. In 1 month they took down three green card manufacturers who were producing with stolen Social Security numbers.
Not only related to this latest with the Veterans Administration, but in the other agencies where there's theft, do you know, or are there recommended policies, or how do we interrelate this theft with ICE, with CBT, with the Coyotes and other groups that are networking in large groups of people, fencing operations for stolen Social Security numbers? Do we have a systemic way of addressing where--if this shows up? Because this isn't just going to show up with somebody in a bank account somewhere. Maybe it would indirectly, later on in a Social Security number; if one of the veteran's Social Security numbers are stolen, something is going to come in under FICA relatively, you know, down the road here. But it seems like one of the first points of contact should be that an alert should go out to ICE, and so we're watching whatever kind of networks we have where these Social Security numbers might pop up.

Mr. Walker. I'll have to reflect on that, Congressman. I will say this: that one of the major problems that we have is when Social Security numbers are intentionally or inadvertently disclosed, and that provides a basis under which individuals who engage in certain other activities that can result in identity theft. And I think one of the things we're willing to do is to make sure that when you have SSNs, that type of information either, A, isn't used for an identifier; or, B, if it is, that it's encrypted in some way so that people can't attain access to that. Presumably the VA is taking steps to try to ascertain whether or not some of this information might be compromised, you know, through sampling techniques, through the type of communications that you're talking about with selected Federal authorities. I think that's important because--that they be proactive in that regard.
And if it turns out that it looks like there are some that have been, and hopefully they will never be, but if it turns out, then it comes back to your question: What are you going to do for everybody with regard to credit reports and credit monitoring? But we may not get to that point.

Mr. Souder. But my question was, really, wouldn't the first logical place that you would be trying to track whether this has been stolen, looking--since it's the No. 1 reason Social Security numbers would be stolen--would be to work with ICE, CBP, and looking at illegal immigration, which then the secondary tail would be through FICA reports. One of my friends--Congressman Gutknecht referred to it-- had four other people on her Social Security account. And when she went to apply for a credit card, it was very difficult for her with the Social Security Administration to try to prove who she was. And if we have all these veterans going through this, one of the first places we should look at are who's likely to be using these numbers; not just bank accounts, but who's likely to be stealing them? And I wonder, is that recognized in the government that this is the first place we ought to be looking, financial services right behind it, Social Security right behind it, but this is likely to be the first place it's going to show up in a fencing operation for Social Security numbers?

Mr. Walker. I think you make a very good point. I mean, one of the hot debates right now is the immigration debate. To the extent that people can get a valid Social Security number, it's a way that they might be able to obtain, you know, employment and other types of opportunities. So it's a good point that I think needs to be followed up on.

Mr. Souder. Thank you.

Chairman Tom Davis. Mr. LaTourette.

Mr. LaTourette. Thank you very much, Mr. Chairman, for having this hearing. And to all of the witnesses, thank you for coming.
Just, first, a commercial: A number of committees are working in the Congress on data security and H.R. 3997, which is the financial services product, would in fact cover this situation and would, in fact, provide all of these veterans with 6 months of free file monitoring. So I would ask you, Mr. Johnson, if you would share that with Mr. Portman. It's the only bill that does that. But Secretary Nicholson, I appreciate your being here, but I need to share a story with you because one of the fights we've had on that bill is I've always argued that a data security breach is different than identity theft. One doesn't always lead to the other. And when you lose a laptop, you don't necessarily have to notify everybody about what's going on. But I have a constituent. His name is Steven Michael. He's 33 years old. He lives in Ashtabula, OH. He served for 3 years in the Army during the Gulf war, and he receives an $873 disability check each month from the Veterans Administration because he has a heart condition. On June 1st, exactly 1 week ago, he withdrew money from his account at a local ATM and noticed that his balance didn't reflect the deposit of his monthly VA check, which is made through direct deposit. He immediately called the VA's 800 number and checked on the status of the payment. The automated system said that the records couldn't be accessed at this time; so he waited and actually spoke to a real live person. He provided his personal information to verify his identity and explained that his VA disability check wasn't in his account. He was stunned to learn that it, in fact, had been put in a new account, his new account. He inquired, what new account? The woman from the VA said that it was a new account he had on file. He told her he had not set up a new account and gave her the last four digits of his existing account. Of course, it didn't come close to matching his new account. She assured him that the problem would be corrected. 
He asked if he should visit the VA office in Cleveland. She asked if he was close, and he said he could get in his car. And he then drove 45 minutes to Cleveland. He went to the original VA office and provided them with a copy of his account. He was told that the numbers were from his old account. He stressed that it was his current and only account and that his accurate information was entered. He was told that it could take 7 days to process. He then asked the folks at the VA if this could be related to theft of the laptop containing the information that's the subject of this hearing. He was given a toll-free number, 800-333-4636. Mr. Michael is rightly concerned about this, and he wonders how his direct deposit form could be changed or why it happened on the heels of the reports of the stolen laptop. He believes whoever did this must have had his name, address, and Social Security number. He doesn't believe this is a simple computer glitch because his monthly disability check has been deposited in the same account for years. He is even more disturbed that his bank informed him that it was possible someone phoned in the new direct deposit information to a bogus bank account, his new account, in the State of Michigan. If you could, Secretary Nicholson, can you give me a sense of whether this is possibly related to the stolen laptop or if my constituent is another unfortunate victim of identity theft?

Secretary Nicholson. Or both.

Mr. LaTourette. Or both.

Secretary Nicholson. First I would tell you, Congressman, that is the first incidence I've heard of that affecting a veteran since this has come to light. I would like to get, you know, that information and we will follow that up on an individual basis. So that is the only one. Now, it is a fact that every year in this country, 1 to 3 percent of the people suffer from identity theft.
Last year, 9 million Americans did, causing them an average of 28 hours of time to straighten it out at an average cost of $5,600, almost all of which was borne by the affected creditors, not the consumers. We have been talking to a company that specializes in trying to find the derivative source of identity theft, the company happens to be called ID Analytics, because we have that same concern; because 1 to 3 percent of our veteran population are going to be victims of this anyway due to the statistical distribution, and we want to know what's sourcing this. So we will follow up with that one and we have not yet entered into an arrangement with this company to monitor this population, but we are seriously looking at it.

Mr. LaTourette. I very much appreciate your answer. And to be very, very fair, I will tell you that currently the constituent is in our district office filling out some forms necessary for the regional office to help. And my caseworkers say that they've never seen the VA move so fast--I will tell you that--in response to this report. And as someone who wrote the identity theft legislation here when we reauthorized the Fair Credit Reporting Act, I'm well aware of the difficulties and the horrible stories that come out of stealing someone's identity. But I wanted to bring this to your attention for a couple of reasons. One, so you know that you may have one now out of these 28 million people. Two, to please ask that you, through your offices here, make sure that the folks in Cleveland stay on top of this, because obviously this veteran is concerned that the two are related. And if they're not related, then I think it's good news for the VA. If it is related, I think you've got a problem. I thank you, Mr. Chairman.

Chairman Tom Davis. Thank you very much. I just have a couple more questions and then if anyone else has one. Mr. Nicholson, let me just ask the Secretary, Federal telework programs allow employees and contractors to work remotely.
They're good programs. They're seen as a key ingredient of continuity of operations, emergency planning, especially for extended periods of disruption, whether it's a terrorist attack, avian flu. Was this individual participating in an authorized telework program?

Secretary Nicholson. No, sir. He was not.

Chairman Tom Davis. Are there steps that should be taken as a matter of course to ensure that benefits of teleworks are not eroded by the security risk? It gives us a chance to rethink that and continue to make it--I believe we want telework to grow, but this is a reminder sometimes that there are limitations.

Secretary Nicholson. Yes, I think it does. I think it raises to a silhouette that we need to examine this program to see that, you know, the abuses are not taking place, we are not making it too easy for these abuses. And that is where the people thing kicks in as well as the requirements that data be encrypted and that we monitor it more closely with enforcement for violators.

Chairman Tom Davis. Mr. Johnson, does OMB have the authority and the resources it needs to set and enforce government-wide information security programs, or do you need additional authority here, do you think?

Mr. Johnson. In general, I think we have sufficient authority, but we ought to review it. We ought to look through it.

Chairman Tom Davis. I think we are willing to give you, in light of this, so you seize on every opportunity--if you would look at that and come back and make sure we give you the tools you need to do it.

Mr. Johnson. Right.

Chairman Tom Davis. I know your dedication to this, but I want to make sure you've got all the tools. And also what's the position regarding the merits of data breach legislation requiring agencies to notify affected individuals of compromises in their privacy or their personal information? If legislation is enacted, what methods should be used to determine whether and how to notify individuals with security breaches?
And will all of you work with us on legislation? Obviously, it's a big deal with Social Security and IRS. General Walker.

Mr. Walker. We'll be happy to work with you, Mr. Chairman. Let me also mention in addition to telework, which you just talked about, which could cause increasing risk, even if a person is not on telework, they may travel and take their laptop with them. In addition to that, they may take work home at night or on the weekend, which would not be part of the telework. So we need to look at this issue as a separate and distinct challenge that has to be addressed irrespective of whether they're on telework.

Chairman Tom Davis. That's a good point. Mr. Johnson, will you work with us on this, too?

Mr. Johnson. I look forward to it.

Chairman Tom Davis. This is a good wakeup call. I guess my last question would be to all of you. In your opinions, individually and collectively, do our departments provide the CIO and its organizational components with sufficient resources to establish and maintain an effective agencywide security program? We hold the CIA's feet to the fire every year with our scorecards on FISMA. We hold them responsible for agency security. Do they actually have the authority to get the job done or do you think this is agency to agency? General Walker, let me ask you first. You kind of have a government-wide perspective.

Mr. Walker. I think there are variances by agency. I mean, one of the keys is that under the legislation, the CIO is supposed to be reporting directly to the agency head. Is that happening in form or is that happening in substance? Obviously, there are different levels of resource allocations, not only financial resources but human resources. Do they have enough people with the right kind of skills and knowledge to be able to get the job done? The example I gave earlier when this issue came up, I pulled the CIO in my office and talked to him directly about what are we doing and everything else we need to do.
I don't know if that happens----

Chairman Tom Davis. Let me just get each agency to just respond briefly. I mean, how is the relationship with the CIO? Do they have the authority they need in your agency?

Mr. Gray. From the Social Security Administration I think they do have the authority--that our CIO does have the authority he needs to do the job effectively. I think we also have the resources we need within the agency to do that.

Mr. Galik. Yes, Mr. Chairman, I agree. I think the CIO does have that authority and our organization has a direct link to the Commissioner of the IRS to pursue anything that needs to be pursued.

Chairman Tom Davis. Mr. Secretary.

Secretary Nicholson. I would say, Mr. Chairman, the answer to VA is no; that the CIO has not enough authority to go with his responsibility. But that is in transformation as of last October. And we're centralizing the IT function, creating a new career field where it has been decentralized out into these hundreds of hospitals and the other facilities. We're pulling that back in. So that is really progressing and we'll cure that.

Chairman Tom Davis. You've only been there a short time but I appreciate the headway you're making there. And, Clay, let me just ask you, I mean government-wide you see the variance too. You have Karen Evans, I think, in your shop that helps oversee this. I know what we need to do and how you foster that relationship between the CIO and the agency heads; but wouldn't you agree with me that is very critical in all of these areas?

Mr. Johnson. It's critical. I don't think we have a resource problem, which is another question you asked. We spend $65 billion a year on IT; $4.5 billion of that is on security. So we're spending a lot of money on this. The question is are we backing it up with the kind of determination that the Secretary has demonstrated here to really make that stick, is the key.

Chairman Tom Davis. Let me thank all of you for your time here, answering a lot of questions.
There's a lot of anxiety over this, and we'll continue to monitor it. But you've been forthcoming today with your answers and we appreciate it. The hearing's adjourned.

[Whereupon, at 12:33 p.m., the committee was adjourned.]

[The prepared statements of Hon. Charles W. Dent, Hon. Jean Schmidt, Hon. Elijah E. Cummings, and Hon. Wm. Lacy Clay follow:]