Thursday, June 01, 2006


An Insanity Defense for VA Data Theft

When I first learned about the May 3rd theft of a laptop with personal data on about 26.5 million U.S. military veterans, my first thought was that the Veterans Affairs employee who took the data home was an illiterate idiot who somehow hadn't read any news about all the recent laptop data theft incidents. My second thought was a reminder that personal data had also been stolen last year as a result of employee negligence at my own place of work, the University of California at Berkeley, and I wondered whether these events too often occurred in the public sector where people seem to have less accountability and more employment security than in the private sector. (Breaking news – they've fired some of the responsible people -- it's about time). But I didn't feel compelled to post about the incident because I didn’t feel that I had any unique commentary to offer.

But the latest news about this incident contains a twist that gives me something to rant about. The chief privacy officer of the VA, Mark Whitney, wrote an internal memo on May 5, just two days after the burglary, in which he attempted to downplay the significance of the data loss. His reasoning was that "given the file format used to store the data, the data may not be easily accessible." In other words, because the VA stores information in a proprietary data format, presumably tied to a single application, the thief won’t be able to make much use of it.

But the application that uses the data is probably also on the stolen laptop, or why would the employee have the data there? And in any case, it is pretty easy to find specifications for most statistical data formats (a typical compendium is this one at Carnegie-Mellon University). And lots of us could probably whip up a little script that transforms almost any format into something we could more easily use or sell.

So we have a kind of insanity defense here, or maybe two of them. A VA employee who copies 26.5 million records that he can’t use onto his laptop is clearly insane. But the VA is also insane if it stores information about veterans in multiple proprietary and incompatible formats. I thought it was motherhood and apple pie to "create a single view of your customer."

-Bob Glushko

This won't work in reality, that is what I suppose.
Post a Comment

<< Home

This page is powered by Blogger. Isn't yours?