VA's general counsel resigns in wake of breach

He was under fire for helping to shape the agency's fractured security structure

Tim McClain, the general counsel of the U.S. Department of Veterans Affairs (VA) who was criticized for his role in creating an environment that contributed to a recent data breach, is leaving the agency.

A brief note posted on the VA's Web site said that McClain, who has been with the department since 2001, will return to the private sector. His resignation is effective Sept. 1.

"Tim McClain has been an integral part of VA's senior leadership team as our chief legal adviser, and I commend his dedicated service to our nation's veterans," VA Secretary Jim Nicholson said in a statement.

Members of the U.S. Senate Committee on Veterans' Affairs, which held a hearing on the breach today, also commended McClain's contributions and formally recognized his role as an integral part of the senior management team at the agency. The hearing focused on the theft of a laptop from a VA employee in early May, which exposed the personal data of some 26.5 million veterans and active-duty personnel to identity theft. The laptop was later recovered, and the data appears to have been untouched.

McClain faced considerable criticism in recent weeks over what was seen as his role in undermining the authority of the VA's CIO and its chief information security officer (CISO). In an August 2003 memo, McClain expressed the opinion that responsibility for information security under the Federal Information Security Management Act (FISMA) rested not with the agency's central CIO but with the respective organizations within the agency.

In a similar memo in April 2004, McClain stated that while the CIO had the responsibility for ensuring information security, he had no authority at all under FISMA to enforce it across the agency. His legal interpretations of the authority that FISMA bestowed on the CIO and CISO were seen as contributing to a fragmented and insecure IT environment at the VA.

In an interview last week with Computerworld, Bruce Brody -- CISO at the VA between 2001 and 2004 -- said the two memos led to fragmented security at the VA with "little stovepipes and fiefdoms."

"The [opinions] were very protective of the existing culture, and obviously that is the core problem," Brody said in that interview. No replacement has been announced for McClain.

Copyright © 2006 IDG Communications, Inc.
