Tom Munnecke’s Eclectica

The U.S. Department of Veterans Affairs (VA) has announced that an employee took home electronic data from the VA, containing identifying information including names, social security numbers, and dates of birth for up to 26.5 million veterans and some spouses, as well as some disability ratings. Importantly, the affected data did not include any of VA’s electronic health records nor any financial information. The employee’s home was burglarized and this data was stolen.

I have some familiarity with this issue. I was one of the designers of the VA hospital information security system 20 years ago. I went through a certification check with some very dour security analysts from the federal Computer Security Center. As far as I know, the only losses have been from folks with authorized access, using this access inappropriately. The bad guys have come from within…

My other familiarity has come from my former employer telling me of a similar loss of data… someone stealing a computer from the company’s offices. I asked my bank what to do, and they suggested changing account numbers. They said that this would be a simple thing – and it was for them. But a year later, I am still trying to fix the problems that they caused for me. A very long series of chain reactions followed; all my autopay information was deleted (and halted), checks were bounced, my credit rating was messed up, overdraft protection invalidated, and on and on. I sometimes wonder if identity theft might have been an easier alternative to deal with. I thought of starting a web page called US BANK SUCKS, but decided to just leave this phrase in my blog for Google to find.

The greatest damage that the bad guys can do with data is to take out lines of credit unbeknownst to the veterans. Rather than have 26 million veterans calling the credit agencies to fix this individually, we should simply not allow folks to take out credit lines without validating the request from the consumer directly.

In other words, we should put the burden of proof on the banks to confirm that the applicant wants the credit. The way things stand now, we put the burden of proof on the innocent victim of the identity theft that they weren’t the party taking out the false credit line.

I am still trying to clean up my credit rating. Among other things, a credit union has dinged me for 13 delinquent payments on a closed account; a long distance phone company dinged me for non payment on a bill after they refused to cancel my service; and somehow they show me with $10 million in personal debt (I wish).

This is all incredibly sloppy information reporting and practices… They need to clean up their act so that thefts like the VA’s don’t trigger 26 million personal fiascos.