In a case of closing the barn door after the cows have all gotten out, the Veterans Administration took steps to get its information security in order Friday, a half decade after security alerts were first issued and nearly two months after the largest personal data breach in U.S. history.

The House Government Reform Committee, chaired by Rep. Thomas M. Davis III (R-Va.), began releasing its annual federal computer security report card (PDF) five years ago, which each year awarded the VA a failing grade, the only exception being 2003 when the VA got to choose its own C grade. The report card measures compliance with the 2002 Federal Information Security Management Act, which requires agencies to test their systems, develop cyber-security plans and report on their progress.

“To the best of my knowledge, the loss of 26 million records by VA is the largest by a federal agency to date,” said Davis of the most recent security fiasco. “Perhaps if the department improved its compliance with the existing information protection laws, this breach would not have happened. There seem to be two problems here: a department that’s inadequately protected, and an employee who acted incredibly irresponsibly.”

Security at the VA is a well-worn joke: In 2003, tests by staff members in the VA Inspector General’s office demonstrated that a hacker could gain access to veterans’ protected medical information from outside the VA network. Last year, internal reviews found that access controls were not consistently applied at dozens of data centers, medical centers and regional offices. Recommendations included ensuring that background checks are performed on VA and contract workers, restricting off-duty workers’ access to sensitive information and providing annual security awareness training for employees.

“We identified significant information security vulnerabilities that place VA at considerable risk of . . . unauthorized access to sensitive data and improper disclosure of sensitive data,” acting Inspector General Jon A. Wooditch wrote.

Awoken jarringly from his slumber, Secretary of Veterans Affairs Jim Nicholson now attempts to play a game of retroactive CYA by ordering a complete restructuring of information security. Nicholson announced (PDF) during congressional hearings that during the week of June 26-30, “VA facilities across the country — every hospital, CBOC, regional office, national cemetery, field office and VA’s Central Office — will ‘stand down’ for Security Awareness Week. Managers throughout VA will review information security and reinforce privacy obligations and responsibilities with their staff.”

“I have also ordered that every laptop in VA undergo a security review to ensure that all security and virus software is current. The review will include removal of any unauthorized information or software,” Nicholson continued. “Importantly, I have ordered that no personal laptop or computer equipment be allowed access to VA’s Virtual Private Network (VPN) or be used for official business. VPN settings will be changed every 30 days, forcing laptop users to return the laptop to VA for updating and security screening. We are in the process of conducting an inventory of all positions in VA with access to VPN or to any sensitive information.”

In military terms, a “stand-down” is an order given to military units, ranging from a single military command to the entire Defense Department, to cease all but the most basic of duties and focus all attention and training on the special task given them.

Steve Kennebeck, 46, an Army sergeant who retired in 1997, is familiar with another military term. After he called a special VA toll-free number but was unable to learn whether he was among affected veterans, Kennebeck said, “I’m angry. . . . If we had done something like that in the military, we’d be punished by courts-martial. We protect America, and do they protect our personal information? No. It’s galling. Somebody’s head should roll.”

Data on a VA laptop stolen May 3 from an analyst’s home may include as many as 1.1 million active-duty military personnel, 430,000 National Guard members and 645,000 Reserve members constituting nearly 80% of the active duty force as well. Some of those records included information about active duty personnel’s spouses and family members. These records could be used to target military members deployed overseas or their families at home.

Early reports had said that National Guard troops were not affected by the theft.

Former Republican National Committee Chairman and current Veterans Administration Secretary Jim Nicholson may have been “mad as hell” over the theft of 26.5 million records containing sensitive personal information during testimony before Congress, but he shouldn’t have been surprised when the security disaster occurred, given that his organization’s lax security has been a matter of public knowledge since shortly after he began his tenure.

While Nicholson kept referring to only the most recent lapse in security involving a single employee, Sen. Susan Collins (R-Maine), chair of the Homeland Security and Governmental Affairs Committee, indicated there was plenty of blame to go around, saying, “You seem to be saying it was just one employee. But it’s not just one employee. You have a high-risk vulnerable system that has been identified time and again as vulnerable.”

Several members of the committee chastised Nicholson for failing to repair a badly mismanaged information systems department that had been identified as such by its own attorney general in frequent reports to Congress. Every year since 2001, the VA’s Inspector General has reported to Congress that its “material weakness” put information security at great risk.

During testimony on the theft in the House, Rep. Bob Filner (D-Calif.) said, “In the last five years, a host of agencies have reported that the VA has had many problems with information security. How did the VA react? With indifference.”

The cause of the security lapse was a lone data analyst who had been taking the names, birth dates, disability information and Social Security numbers of veterans home on his laptop computer, without permission and apparently without as much as even simple encryption, since 2003. On May 3, while the laptop was left unattended in the employee’s Aspen Hill, Md., home, it was stolen during a burglary.

The next morning, the data analyst informed his supervisors, who then proceeded to conceal the information until May 10th, when another VA employee overheard talk of the burglary and subsequent data loss during a routine meeting. Deputy Secretary of Veterans Affairs Gordon Mansfield was then informed of the data theft, and he, in turn, requested VA Chief of Staff Tom Bowman to investigate. However, VA Inspector General George Opfer wasn’t informed of the breach until May 16th, nearly two weeks after the theft. Also informed on the 16th, Secretary Nicholson called in the FBI to investigate the next day. The FBI went public about the theft during an announcement on May 22nd, nearly three weeks after the burglary.

Montgomery County, Md., police agencies have asked anyone purchasing a used Hewlett-Packard laptop or hard drive to notify them immediately, while the VA has begun a massive mail and public relations program designed to notify all 26.5 million veterans affected of the theft and how to best protect their credit. The program is expected to begin at a cost of $10 million, with Nicholson’s prediction that the program could ultimately cost tens of millions more.

The employee who caused the largest personal data security breach in U.S. history is still on administrative leave and cooperating with officials and expects to be fired once his services are no longer required. Several VA employees have resigned or been placed on administrative leave, and Democrats ranging from Sen. Patrick J. Leahy of Vermont to Rep. Filner are calling on Nicholson to resign.

White House Press Secretary Tony Snow said that Nicholson continued to serve with the President’s support, and Nicholson now says that he is conducting a comprehensive review of security procedures to ensure this never happens again. He is also requesting an additional $25 million to upgrade the organization’s security measures.

Adding insult to injury, several veterans’ groups have joined together to file a class-action lawsuit claiming that veterans’ privacy was violated and asked for $1,000 per veteran, totaling $26.5 billion dollars.

All because some geek didn’t want to work at his desk.

In a further example of Louisiana legislators’ incompetence, the state senate passed a bill (PDF) raising the Louisiana minimum wage to $6.15, $1.00 above the national wage. The Democrat senator from Monroe, Charles Jones, had originally wanted the wage to be set at $7 an hour!

There are plenty of exemptions, though: the law, if enacted as is, would not apply to student employees of the state or student employees of state colleges and universities; employees of any local governmental subdivision, political subdivision, port authority, or levee district; and to employers with 25 or fewer employees. It also wouldn’t apply to newly-hired employees who haven’t reached one year’s employment.

Louisiana has suffered years of outmigration businesses and younger career people, leaving the state with the 11th highest local tax burden of any state. Then, hurricanes Katrina and Rita hit the state, decimating the state’s largest city and forcing billions of dollars in FEMA aid, cleanup and rebuilding, and now this!

Companies considering moving to Louisiana (who were few and far between) would shy away, and you can expect companies to leave the state at a faster pace, should the bill be enacted into law. Those small businesses not exempt who choose to remain will simply include the additional $1.00 per hour per minimum wage employee in their product or service’s cost, and be passed along to the consumers, raising the cost of living, many times on the very employees Senator Jones was attempting to help.

Senate bill 700 now moves on the House, where we can only hope they’ll kill it, because Mother Blanco will almost assuredly sign it if it gets to her desk.

Cross-posted from charlesstricklin.com.

As far back as the ancient Greeks, many people have set aside one day each year to honor and remember those of their own who fell in battle. Usually somewhat somber and reflective, families would carry food and drink to their relatives’ graves, clean and clear around them, lavish the sites with colorful flowers, flags and laurel, then retire underneath the shade of nearby trees to eat dinner together, sometimes holding an impromptu memorial for their lost loved ones.

Shortly after the American Civil War, both the former Union and Confederate states observed the practice, although the former Confederate states resisted observing the same date as their former enemies. Only after World War I did the entire United States began to observe May 30 as Memorial Day.

The practice of remembering and honoring those who have fallen in our wars remained largely unchanged for generations, until government mucked things up in 1968 by passing the Uniform Monday Holiday Act. The law mandated that, beginning in 1971, the observance of Memorial Day, along with Columbus Day, Veterans Day, and Washington’s Birthday as federal holidays, would be moved to occur only on Mondays, so as to create a three-day weekend.

Backers of the legislation, including the United States Chambers of Commerce, had argued that creation of a three-day weekend would reduce absenteeism — no more calling in sick on Friday after a Thursday Memorial Day, that business wouldn’t experience midweek interruptions, and that travel-related businesses such as hotels and motels, gas stations, tourism, etc., would prosper.

Rep. Robert McClory (R-Ill.), a supporter of the law, suggested that families would likely spend their long weekends visiting Arlington National Cemetery, Gettysburg, and other “famed battlegrounds and monuments.” Others weren’t as enamored of the idea and called it what it was: a rejection of tradition and heritage in favor of making more money.

Rep. Edward Hutchinson (R-Mich.) assailed it as “a rejection of our historic past.” Rep. Joe Waggoner (D-La.) shouted, “Holidays and commemorative events were not created for the purpose of trade or commerce.” Rep. Dan Kuykendall (R-Tenn.) accurately forecast: “If we do this, ten years from now our schoolchildren will not know what February 22 means. They will not know or care when George Washington was born. They will know that in the middle of February they will have a three-day weekend for some reason.”

Rep. Basil Whitener (D-N.C.) complained that “a few business organizations would make more profit on Mondays” at the expense of “the tradition and background of our Nation. . . . Let us not peg everything to the dollar.” Representative Harold Gross (R-Iowa) said of the proposal, “I have an idea if we make Monday holidays, to fulfill the promise to merchants that they are going to do a better business, that employees of the stores of this country will have no holidays. They will work at selling merchandise. That is about what will happen.”

The Uniform Monday Holiday Act of 1968 passed the House, 212-83, and the Senate by voice vote, without debate.

Technically, the United States does not celebrate national holidays, but Congress has designated ten “legal public holidays,” during which most federal institutions are closed. While individual states and private businesses are not required to observe these, many businesses do, and as Gross predicted, most retailers remain open.

Best estimates count the total of fallen military in each war and conflict the United States has been involved in since it declared its independence is upwards of 2.5 million. Today, we show our appreciation by beginning our school children’s summer vacations, sleeping late on Monday morning and spending the week traveling to the nearest water park when we should be honoring their sacrifices.

I enjoy long weekends as much as the next man, but government’s meddling with the dates of holidays, even going so far as to move the observance of a president’s birthday, undermines and devalues the holiday’s original meaning and importance. By focusing on commerce and leisure on Memorial Day, we lose a little bit more of our heritage and historical perspective.

If you’re able, I recommend that you observe this holiday by visiting a nearby military cemetery or memorial. Also, at 3:00 p.m. local time, pause for one minute in rememberance of our fallen war dead.

Members at a Chicago, Illinois-area school district have decided that student blogs they deem inappropriate may lead to denial of extracurricular student privileges. The Community High School District 128, ironically headquartered in Libertyville, Ill., voted Monday night to amend the codes of conduct at Libertyville and Vernon Hills High Schools to read, “Maintaining or being identified on a blog site which depicts illegal or inappropriate behavior will be considered a violation of this code.”

Nearly four out of five of the district’s 3,200 students, or roughly 2,560 students, participate in after-class athletics, fine arts or extracurricular activities. Each of the district’s students and their parents must sign a written contract stating that they will abide by their respective school’s code of conduct. The revision to the code was without objection, even among a packed auditorium of educators, parents, students and the media.

Except Mary Gramer, whose child attends Libertyville High School, who said, “As parents we have the obligation to police our children while they are on the Internet. It is not necessary that the school board do this also.”

Tom Engstrom, a senior at Libertyville High School, and Jeff Boucher, a senior and student board representative from Vernon Hills High School demonstrated their support for the revision. “The Internet is in the public domain and if used improperly can be potentially dangerous to some,” Engstrom said.

Do children even have First Amendment rights? According to the Supreme Court, they do. If the student posts illegal material, shouldn’t the blogger be arrested or otherwise disciplined? Also, who’s the arbiter of what’s considered “inappropriate”? The principal? The student council?

Ultimately, Ms. Gramer had the right idea: the responsibility of watching, safeguarding and disciplining their children belongs to the parents, not to the school district.