Legal Regulations, Compliance, and Investigation


Introduction

Privacy is not something to take for granted, as true privacy becomes increasingly challenging to find. In most day-to-day cases, you are aware that your information is being collected. As you drive, video surveillance monitors for traffic conditions. When you purchase items with credit cards, your buying history is analyzed for marketing. As you use the Internet at work, your browsing habits might be monitored for performance. These are known impacts on personal privacy, but there are many other examples where your privacy is lost without your knowledge or consent.

The loss of privacy data has implications for both the individual(s) responsible and the organization at which the individual(s) works. Privacy and information systems security can be violated, but breaches can also be prevented.

In this lab, you will review a real-world case study that involves the loss of privacy information, and you will analyze what violations occurred, the implications of those violations, and the possible mitigation remedies that can prevent future violations.

Learning Objectives

Upon completing this lab, you will be able to:

• Relate a real-world case study on privacy law violation and its implications to the individual and the organization in violation.

• Distinguish how privacy law is different from information systems security.

• Review a case study on a U.S. government agency’s loss of privacy data and information.

• Suggest possible mitigation remedies to prevent the same loss from occurring at another organization.

Lab #2 Case Study on U.S. Veterans Affairs and Loss of Privacy Information

© Jones & Bartlett Learning, LLC. NOT FOR SALE OR DISTRIBUTION.


Deliverables

Upon completion of this lab, you are required to provide the following deliverables to your instructor:

1. Lab Report file;

2. Lab Assessments file.

Instructor Demo

The Instructor will present the instructions for this lab. This will start with a general discussion about privacy law and how this is different from, yet related to, information systems security. The Instructor will then present an overview of the U.S. Veterans Affairs’ privacy loss breach and the case study lab exercise.


Copyright © 2014 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved. www.jblearning.com Student Lab Manual

Hands-On Steps

Note: This is a paper-based lab. To successfully complete the deliverables for this lab, you will need access to Microsoft® Word or another compatible word processor. For some labs, you may also need access to a graphics line drawing application, such as Visio or PowerPoint. Refer to the Preface of this manual for information on creating the lab deliverable files.

1. On your local computer, create the lab deliverable files.

2. Review the Lab Assessment Worksheet. You will find answers to these questions as you proceed through the lab steps.

3. Review the following case study on U.S. Veterans Affairs and loss of privacy information:

The U.S. Department of Veterans Affairs had a privacy data breach in 2006 that an agency employee said affected the records of 26.5 million veterans and their spouses. An employee at the agency reported the breach and said that a laptop he used at his home in Montgomery County, Maryland, had been stolen. This employee had been taking home a laptop that contained private information on approximately 26.5 million veterans. This privacy information included the veterans’ names, Social Security numbers, dates of birth, and disability ratings.

On May 17, 2006, the Federal Bureau of Investigation (FBI) was informed of the breach, and it began an investigation along with the Veterans Affairs (VA) Inspector General’s Office. During the investigation, it was discovered that more than the originally reported veterans and their spouses were affected by the theft. In fact, approximately 1.1 million active-duty military personnel were affected, as well as 430,000 members of the National Guard and 645,000 members of the Reserves. In addition, the investigation revealed other information, including:

• On May 3, 2006, the theft occurred. The employee whose laptop was stolen reported the theft to his supervisors at the agency and to the Maryland police.

• On May 16, 2006, Veterans Affairs Secretary R. James Nicholson was told of the breach that resulted in unencrypted data being stolen. Supervisors at the agency knew of the theft on May 3 when it happened, but they failed to tell Mr. Nicholson until the May 16 date.

• On May 22, 2006, the agency finally informed those who were affected by the breach. The agency announced that the laptop had been stolen. The agency reported that the information stolen included veterans’ and their spouses’ names, Social Security numbers, birth dates, and disability ratings. The agency said that the information did not include financial data or electronic health records.


• The analyst who took the laptop home had been given permission to use the laptop at home. (The agency did not reveal this until after it had already said that the employee was fired for taking the laptop home.) The employee said that he had taken the laptop home regularly for three years.

Congress held a hearing on May 25, 2006. During this hearing, Secretary Nicholson admitted that the stolen information included disability ratings for 2.6 million people.

On June 3, the agency admitted that approximately 50,000 active-duty personnel were also affected by the stolen data. By June 6, 2006, the agency had admitted that approximately 1.1 million active-duty military personnel were affected, as well as 430,000 members of the National Guard and 645,000 members of the Reserves.

On June 29, 2006, an unidentified person turned the laptop over to the agency, which believes it will cost $100 million to $500 million to cover the data theft losses and prevent additional losses.

Calculating Costs

The concluding paragraph of this case study shows how difficult it can be to calculate the consequences of a crime. Violating data privacy is no exception. The range of $100 million to $500 million spans a factor of five! Why is the total so unclear?

Some costs directly relate to recovery from the crime, while other costs come from closing the vulnerabilities that allowed the crime to happen. The latter helps prevent the same crime from occurring again. It’s easy for someone to simply decide the vulnerabilities should have been closed earlier, saving the recovery costs.

Of course, it’s not that simple in real life. Without the gift of hindsight, costs are far less justified before a disaster than after. The powers that be will resist spending funds on any risk except the most probable and with the most serious consequences. It’s not feasible to mitigate all identified risks, let alone identify and assess the unforeseen ones before they occur. So, some closure doesn’t happen until after a risk presents itself in the worst way.

Still, why is the estimate of consequential costs so wide? The easier costs include money spent to fix the problem, money spent to appease those affected, and estimated losses from downtime. Those directly relate to the crime and are fairly quantifiable. Additional costs then stem from situations that might or might not happen, for example, identity theft and any resulting fraud. No one can calculate for certain that X percent of the personnel will experience identity theft, or will find out years later about a fraudulent loan. The guesswork involved widens the cost range, even by a factor of five.

4. On your local computer, open a new Internet browser window.

5. In the address box of your Internet browser, type the URL http://www.pcworld.com/article/126093/article.html and press Enter to open the Web site.

6. Read and review Grant Gross’s online article (IDG News Service), “VA Ignores Cybersecurity Warnings.”


Note: When reading the article, place yourself in the position of the person called to prevent the situation from happening again. Where do the vulnerabilities begin?

7. In your Lab Report file, discuss the case study and answer the following questions:

• What laws have been violated?

• What do you think contributed to the problems that could lead to a violation of these laws?

• What are the implications to the individual and organization of these violations?

• What are some security controls and mitigation strategies for handling future violations? (Name three to five.)

• How does privacy law differ from information systems security?

Note: This completes the lab. Close the Web browser, if you have not already done so.


Evaluation Criteria and Rubrics

The following are the evaluation criteria for this lab that students must perform:

1. Relate a real-world case study on privacy law violation and its implications to the individual and the organization in violation. – [25%]

2. Distinguish how privacy law is different from information systems security. – [25%]

3. Review a case study on a U.S. government agency’s loss of privacy data and information. – [25%]

4. Suggest possible mitigation remedies to prevent the same loss from occurring at another organization. – [25%]
