VA names new security adviser, seeks to fire analyst who put veterans' data at risk

Policy scrutiny, privacy training under way

The fallout from this month's massive security breach at the Department of Veterans Affairs continued today with the appointment of a new special adviser for information security at the agency and news that the analyst who improperly took veterans' data home is facing termination.

Secretary of Veterans Affairs James Nicholson named Richard Romley, former county attorney of Maricopa County, Ariz., to the post. Romley will report directly to Nicholson and will be responsible for reviewing the VA's current policies and procedures and recommending changes for improving the agency's information security.

"Rick Romley is a well-respected attorney and veteran who will provide a critical outsider's perspective to VA," Nicholson said in a prepared statement. Romley served four terms as the attorney general of Maricopa County between 1989 and 2004. He also served in the Marine Corps in Vietnam.

Yesterday, Nicholson announced  that he was making several personnel changes in the VA's Office of Policy and Planning. Among them: The agency has begun procedures necessary to terminate the data analyst who violated department policy, Nicholson said in a statement.

They are the latest in a series of moves at the VA in the wake of last week's news that a laptop and disks containing sensitive information on more than 26 million veterans had been stolen (See "Personal data on millions of U.S. veterans stolen "). The data was taken home by a senior data analyst who was not authorized to do so. The theft was discovered on May 5, although the public disclosure of the breach did not take place until May 22.

Nicholson also announced that Acting Assistant Secretary for Policy and Planning Dennis Duffy has been placed on administrative leave. His role is being assumed by the current Assistant General Counsel for Management and Operations Paul Hutter, who supervised the VA's information systems division as well as 22 regional offices and field operations.

In other personnel changes, Mike McLendon, deputy assistant secretary for policy, announced his resignation effective June 2.

The personnel changes come on the heels of a directive issued last week by Nicholson to all VA supervisors reminding them about their responsibility in protecting sensitive and confidential information.

Because of the data loss, all VA employees will be required to complete a general privacy awareness and cybersecurity training exercise by June 30 and will also be required to sign a statement affirming their commitment to and understanding of their data security obligations.

In a statement  May 26, Nicholson said he has convened a task force to review departmentwide information security practices. As part of the effort, the task force will compile an inventory of all positions within the VA that require access to sensitive data. The inventory will include information on justification for access, data type and method of access. The task force has until June 30 to complete the inventory.

Correction: An earlier version of this story had an incorrect title for Richard Romley when he worked in Maricopa County. He served as county attorney.


Copyright © 2006 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon