And Loss of Privacy Information GUIDE Introduction Learning Objectives Deliverables Hands-On Steps Mands-On Steps 2. Review the following case study on U.S. Veterans Affairs and loss of privacy Information: The U.S. Department of Veterans Affairs had a privacy data breach in 2006 that an agency employee sald affected the records of 26.5 million veterans and their spouses An employee at the agency reported the breach and said that a laptop he used at his home in Montgomery County, Maryland, had been stolen. This employee had been taking home a laptop that contained private information of the approximately 26.5 million veterans. This privacy Information included the veterans' names, Social Security numbers, the dates of birth, and disability ratings. On May 17, 2006, the Federal Bureau of Investigation (FBI) was informed of the breach and it began on investigation along with the Veterans Affairs (VA) Inspector General's Office. During the Investigation, it was discovered that more than the originally reported veterans and their spouses were affected by the theft. In fact, approximately 1.1 million active duty military personnel were affected as well as 430.000 members of the National Guard and 645.000 members of the Reserves. In addition, the investigation revealed other information, including On May 3, 2006, the theft ocurred. The employee whose laptop was stolen reported the theft to his supervisors at the agency and to the Maryland police On May 16, 2006, Veterans Affairs Secretary R. James Nicholson was told of the breach that resulted in unencrypted data being stolen Supervisors at the agency knew of the theft on May 3 when it happened, but they failed to tell Mr. Nicholson until the May 16 date. A4 di wo Type here to search DE e 39 ntroduction Leaming Objectives Deliverables Hands-On Steps Hands-On Steps o On May 22, 2006, the agency finally informed those who were affected by the breach. The agency announced that the laptop had been stolen. The agency reported that the information stolen included veterans and their spouses' names, Social Security numbers, birth dates, and disability ratings. The agency said that the Information did not include financial data or electronic health records The analyst who took the laptop home had been given permission to use the laptop at home. The agency did not reveal this until after it had already said that the employee was fired for taking the laptop home. The employee said that he had taken the laptop home regularly for three years Congress held a ming on May 25, 2006. During this hearing, Secretary Nicholson admitted that the stolen information included disability ratings for 2.6 million people. On June 3, the agency dmitted that approximately 50,000 active duty personnel were also affected by the stolen data By June 6, 2006, the agency had admitted that approximately 1.1 million active duty military personnel were affected, as well as 430.000 members of the National Guard and 645 000 members of the Reserves On June 29,2006, an unidentified person turned the laptop over to the agency, which believes it will cost $100 million to $500 million to cover the data theft losses and prevent additional losses Calculating costs The concludinvo w o of this case study shows how difficult it can be to calculate the consecuences of a crime Violatio data orain O Type here to search Learning Objectives 3. Deliverables 4. Hands-On Steps LE Hands-On Steps 4. Read and review Grant Gross's online article (IDG News Service). "VA Ignores Cybersecurity Warnings." Note: When reading the article, place yourself in the position of the person called to prevent the situation from happening again. Where do the vulnerabilities begin? 5. In your Lab Report file, discuss the case study and answer the following questions o What laws have been violated? What do you think contributed to the problems that could lead to a violation of these laws? What are the implications to the individual and organization of these violations? What are some security controls and mitigation strategies for handling future violations? (Name Ihree to five) Type here to search O Hands-On Steps 5. In your Lab Report file, discuss the case study and answer the following questions: o What laws have been violated? o What do you think contributed to the problems that could lead to a violation of these laws? o What are the implications to the individual and organization of these violations? o What are some security controls and mitigation strategies for handling future violations? (Name three 6 How does privacy law differ from information systems security? Note: This completes the lab. Close the web browser, if you have not already done so. O Type here to search