Laboratory Manual to Legal issues in Information Security: Lab 1


  1. What is the difference between privacy law and information systems security? How are they related?
    According to Grama, J. L. (2015, p. 38), though “the U.S. Constitution does not use the word privacy anywhere”, a “constitutional right” to privacy can be “pieced together” from a “number of different provisions”. [1] These include the First, Third and Fourth Amendments, industry-specific federal laws, the laws of those states which “recognize a right to privacy”, and common law torts which essentially uphold “the right to be let alone”.

Privacy can then be defined as “an individual’s right to control the use and disclosure of her own information”, while “information security is the process used to keep data private”.
They are related in that, to achieve the desired result of upholding the “right to privacy” in the digital world, the process to follow is that of ensuring “information systems security”; the latter is a means to the end that is the former.

  • Was the employee justified in taking home official data? Why or why not?

The employee had been given permission to take his work, including the data, home and had been doing so for the previous three years. The VA had no comprehensive policies drawing and enforcing boundaries.
But while he isn’t liable for the damages, he definitely showed “extremely poor judgment when he decided to take personal information pertaining to millions of veterans out of the office and store it in his house without password protecting and encrypting the data” and leaving it “unattended”. [2]

  • What are the possible consequences associated with the data loss?
    • Identity theft
    • Possible access to other private databases whose authentication relies on the fields that were breached (name, SSN, spouse’s name, birth dates, etc.)
    • Loss of sensitive private family information (spouse’s name and details) and the social vulnerabilities it can lead to
  • Regarding the loss of privacy data, was there any data containing protected health information (PHI) making this a Health Insurance Portability and Accountability Act (HIPAA) compliance violation?

According to Grama, J. L. (2015), the U.S. Department of Veterans Affairs “reported that the information stolen included veterans’ and their spouses’ names, Social Security numbers, birth dates, and disability ratings” and “did not include financial data or health records”. [3]

Thus, as no protected health information was involved, the theft and loss of the information does not make this a HIPAA compliance violation.

  • What action can the agency take against the employee concerned?

As the employee had been given permission to work from home and to make copies of the confidential information, and there were no policies on the use, access, storage or protection of the hardware or software, I don’t think the agency can take any legal action against the employee concerned.
Further, they had no policies in place to deal with acts of negligence, and hence wouldn’t be able to take authoritative administrative action.

  • Would the response of the agency have been different had the data theft occurred at work instead of happening at the employee’s residence? Why or why not?

In the agency’s initial response, a report released in July 2006, it is stated that the employee was “Not Authorized to Take VA Data Home”. It further concludes that “While much has been made about the burglary of the employee’s home and theft of the external hard drive, the loss of VA data was possible because the employee used extremely poor judgment” and that “the employee is personally accountable for this serious error in judgment. The Department has already proposed administrative action.”

However, Grama, J. L. (2015) states that “the analyst who took the laptop home had been given permission to use the laptop at home” and that “the agency did not reveal this until after it had already said that the employee was fired for taking the laptop home”. [2]
This is a serious ethical issue. The agency’s response seems to have been aimed at minimizing its own accountability and placing the bulk of the blame on the employee.

I think if the data theft had occurred at work, they would still have given the rap to the analysts involved, but would have had to be accountable sooner, without having an “opportunity” to cover up their own lapses.

  • Why were the VA data analyst’s two supervisors reprimanded and demoted by the VA secretary? Do you think this was justified? Why or why not?

Yes, I think it was justified. As data analysts, it is part of their job to design, create, maintain, test, improve and back up the database and to constantly ensure the C-I-A health of the sensitive information. By failing to encrypt the data and by allowing copies of it to be made, they were at fault.
However, having said that, they were only one of the weak links in the whole system; the people in leadership positions, the policy-makers, are the ones who failed at graver levels.

  • What was violated in the data breach?

In terms of the C-I-A triad, the “confidentiality” of the information was definitely violated: sensitive and private information had been put at large.
If the information loss led to identity theft, it could perhaps also be seen as a loss of information “integrity” in a broader sense, beyond that of the VA database itself.
And as this database was a copy of the main database, there was no loss of information “availability”.

  • If the database had been encrypted because of VA policy, would this data loss issue even have been an issue? Why or why not?

Yes, it would still be an issue. The severity would arguably have been lesser, but it is still a grave issue.
Storing unencrypted information is an unforgivable lapse, but the fact that the laptop stored so much personal information and had been allowed to leave the work premises, for three years no less, is an equally grave issue.
Mere database encryption is not adequate protection against loss of privacy and data loss. Most ciphers can be broken by those determined to break them.

  1. What risk mitigation or security control recommendations would you suggest to prevent this from occurring again?
    • Creating clear and complete policies with regard to technology design, communication, and departmental hardware, software and network access and scope of use
    • Regular training for the technology analysts to be up to date with the latest industry developments, models, standards and threats
    • Regular audits and compliance checks, with amendments to policies as necessary
  1. What information systems security and privacy security policies do you think would help mitigate this breach and loss of privacy data?

Policies with regard to:

    • Storage of information (encryption of data in accordance with the latest standards)
    • Access to information (requiring authentication)
    • Geographical boundaries for work laptops and work-related data storage devices (books, hard drives, pen drives, etc.)
    • Information access boundaries (how much information is accessed, by whom, and for how long)

  • What or who was the weakest link in this chain of security and protection of privacy data?

In my opinion, the lack of detailed policies and subsequently the absence of their implementation, especially with regard to information storage and information access, is the weakest link in this scenario. It is essentially a failure of leadership.
According to a news report in the Washington Post (6/30/2006, Lee and Goldfarb), Rep. Steve Buyer (R-Ind.), then chairman of the Veterans Affairs Committee, was quoted as saying: “The history of lenient policies and lack of accountability within VA management must be rectified.” [4]

The report further quotes Rep. Lane Evans (Ill.), the committee’s then ranking Democrat, as saying: “Today’s announcement does not relieve the Department of Veterans Affairs from fixing its broken data security system and failed leadership.”

  1. If the VA had performed a security and information assurance audit for compliance, what could the VA do on an annual basis to help mitigate this type of loose policy conformance?

An annual audit performed with the latest advances, threats and compliance requirements in the cyber world and in digital crime in mind could have exposed the vulnerabilities that led to the loss of information privacy.
Missing or incomplete policies, inadequate technical security (lack of database encryption), and the risk involved in information being taken out of the office could all have been identified and subsequently remedied.

  1. True or false: U.S. taxpayers ended up paying for this VA security breach, notifications, and post-mortem damage control.

True.
According to a report in Federal Computer Week (1/29/2009, Mosquera), the VA “agreed to pay $20 million to settle a lawsuit filed by veterans over the risk of potential identity theft when a VA laptop PC that contained their sensitive information was stolen in 2006”. It further quoted a VA spokesperson’s statement and reported that “taxpayers ultimately would pay for the $20 million proposed settlement through the Treasury Department’s Judgment Fund, the VA said.” [5]

  1. Which organization in the U.S. federal government is responsible for performing audits on other U.S. federal government agencies? (Hint: It is also known as the “Congressional Watchdog.”)

The U.S. Government Accountability Office is an “independent, nonpartisan” organization “that works for Congress”. Its mission is to “support the Congress in meeting its constitutional responsibilities and to help improve the performance and ensure the accountability of the federal government for the benefit of the American people.” It works to “provide Congress with timely information that is objective, fact-based, nonpartisan, nonideological, fair, and balanced.” [6]

References

[1] Grama, J. L. (2016). Legal issues in information security. Sudbury, MA: Jones & Bartlett Learning.

[2] U.S. Department of Veterans Affairs, Office of Inspector General. (2006). Review of Issues Related to the Loss of VA Information Involving the Identity of Millions of Veterans.

[3] Grama, J. L. (2016). Laboratory Manual To Accompany Legal issues in information security. Sudbury, MA: Jones & Bartlett Learning.

[4] Lee, C., & Goldfarb, Z. (2006, June 30). Stolen VA laptop and hard drive recovered. The Washington Post. Retrieved from http://www.washingtonpost.com/wp-dyn/content/article/2006/06/29/AR2006062900352.html

[5] Mosquera, M. (2009, January 28). VA agrees to pay $20M in laptop theft case. Federal Computer Week (FCW). Retrieved from https://fcw.com/Articles/2009/01/28/VA-settlement.aspx

[6] About GAO. (n.d.). Retrieved from http://www.gao.gov/about/