Thursday, June 01, 2006
An Insanity Defense for VA Data Theft
But the latest news about this incident contains a twist that gives me something to rant about. The chief privacy officer of the VA, Mark Whitney, wrote an internal memo on May 5, just two days after the burglary, in which he attempted to downplay the significance of the data loss. His reasoning was that "given the file format used to store the data, the data may not be easily accessible." In other words, because the VA stores information in a proprietary data format, presumably tied to a single application, the thief won’t be able to make much use of it.
But the application that uses the data is probably also on the stolen laptop, or why would the employee have the data there? And in any case, it is pretty easy to find specifications for most statistical data formats (a typical compendium is this one at Carnegie-Mellon University). And lots of us could probably whip up a little script that transforms almost any format into something we could more easily use or sell.
So we have a kind of insanity defense here, or maybe two of them. A VA employee who copies 26.5 million records that he can’t use onto his laptop is clearly insane. But the VA is also insane if it stores information about veterans in multiple proprietary and incompatible formats. I thought it was motherhood and apple pie to "create a single view of your customer."