The Veterans Affairs data analyst responsible for the largest computer breach in government history earned a little bit of redemption yesterday -- but two experts said it may not be enough to prevent his termination.
The government-issued laptop and external hard drive stolen from the analyst's Aspen Hill home May 3 were recovered, and the data appeared to be untouched, according to the FBI.
In addition, the Associated Press reported that the 34-year veteran of the agency had permission to access and work with large amounts of sensitive data from home -- although not on the machine that was stolen, Tim S. McClain, the VA's general counsel, told a congressional committee.
"From the start, the VA has acted as if the theft was a PR problem that had to be managed, not fully confronted," Rep. Bob Filner, a California Democrat, told the AP. "They're trying to pin it on this one guy, but I think it's other people we need to be looking at."
The three documents obtained by the AP and issued in 2002 gave the worker permission to use special software that manipulates large amounts of data from home; to access veterans' Social Security numbers; and to take a laptop and accessories outside his office.
McClain, however, said the agreement on the Social Security numbers was standard for a data analyst, and that the authorized laptop was not the one stolen.
"You can't just blame the user," said Alan Paller, a computer security expert at the Bethesda-based SANS Institute. "The equipment has to have encryption, and downloads must be monitored and then checked on at least every 90 days thereafter."
The worker is challenging his dismissal from the agency, but three experts said yesterday that they doubted those documents gave him permission to download the data and not encrypt it.
"I'm sure that a policy had to exist where if he was downloading that data, it had to be encrypted, and if that would actually have been practiced, we wouldn't be discussing this," said John M. H. Edwards, co-founder of the Telework Coalition, an advocacy group that promotes telecommuting and telework.
"If he didn't follow any part of that policy, I'd think that would be adequate grounds to get rid of him," Edwards said.
William Nolan, a labor lawyer in Columbus, Ohio, said that it comes down to the fine print of those agreements.
"It's one thing to be able to use software on a laptop, and entirely another to download an entire database," Nolan said.
"But even if he wasn't doing everything he should ' have done, that doesn't necessarily mean the employer is off the hook," he said.
Since the theft, the agency has limited telework, retrained its workers on computer security and paid for a call center to handle questions from current and former military personnel about the lapse.
Congress also passed legislation offering victims of the breach free credit monitoring for one year. Several members of Congress said yesterday that the pressure to increase the government's security will continue despite the laptop's recovery.
"Since this story broke, I've been wondering whether a lot of federal employees have been rifling around their home offices looking for things they need to return," Edwards said.
The writer can be reached at email@example.com or 410-715-2885. Recent back issues can be found at www.baltimore sun.com/federal.
The Associated Press contributed to this report.