On Monday, May 22, 2006, I made an announcement regarding an incident in which an employee took home VA data without the authorization to do so. The employee’s home was burglarized and the data was stolen. These stolen data contained identifying information for up to 26.5 million veterans. The public trust requires us to be vigilant in safeguarding the personal information that we collect on veterans and their families as part of our service to them. This memorandum is to instruct you that as a VA manager, supervisor, or team leader, you have a duty and responsibility in protecting sensitive and confidential information.
Having access to such sensitive information brings with it a grave responsibility. It requires that we protect Federal property and information, and that it shall not be used for other than authorized activities and only in authorized locations. As managers, supervisors, and team leaders it is your responsibility to ensure that your staff is aware of and adheres to all Federal and VA policies and guidelines governing privacy protected material. I also expect each and every one of you to know what sensitive and confidential data your subordinates, including contractors, have access to and how, when and where that data is used, especially in those cases where it is used or accessed off-site.
Each year, VA employees are required to complete Privacy and Cyber Security training. Those training courses are provided and required to serve as important reminders to all staff that public service is a public trust. Because of the serious breach that has occurred by the actions of this VA employee in removing Federal property to his home without authorization, all employees will be asked to complete the annual General Privacy Training and VA Cyber Security Awareness Training for 2006 by June 30. All employees will then be required to sign a Statement of Commitment and Understanding. By signing this statement, you and your employees will confirm your understanding of the training, the consequences for noncompliance, and your commitment to protecting sensitive and confidential information in the Department of Veterans Affairs.
In addition, I have convened a task force of VA senior leaders to review all aspects of information security and make recommendations to strengthen our protection of sensitive information. One of the first tasks of this group is to complete an inventory of all positions requiring access to sensitive VA data. I ask that each of you compile information on your subordinates and contractor staff who have access to sensitive information. This inventory should include position, justification for access, data type, and method of access (e.g., paper files, VA electronic data bases, remote access through VA’s Virtual Private Network (VPN), or other information sharing mediums). The specific reporting format for this inventory will be conveyed to you no later than May 31, 2006. I have asked for the completed inventory by June 30, 2006.
VA’s mission is to honor and serve our nation’s veterans. We must take very seriously the impact of this incident on the confidence veterans will have in our ability to handle their sensitive information. As managers, supervisors and team leaders it is our collective responsibility to assure veterans that we are responding to this incident with the utmost urgency and doing everything in our power to ensure it never happens again.
# # #
###
Reporters and media outlets with questions or comments should contact the Office of Media Relations at vapublicaffairs@va.gov
Veterans with questions about their health care and benefits (including GI Bill). Questions, updates and documents can be submitted online.
Veterans can also use our chatbot to get information about VA benefits and services. The chatbot won’t connect you with a person, but it can show you where to go on VA.gov to find answers to some common questions.
Subscribe today to receive these news releases in your inbox.