Cincinnati Change

With millions in danger of identity theft because a data analyst took home a computer disk that was later stolen during a burglary, more than 100,000 aggrieved veterans sought answers from 14 call centers set up by the Department of Veterans Affairs (VA).

Asked at a congressional hearing on the cost for preventing and covering potential losses from identity theft, VA Secretary Jim Nicholson estimated "way north of $100 million" and did not rule out a total as high as $500 million.

While the stolen disk drive did not contain detailed medical records, it did contain codes that describe physical disabilities, Nicholson said.

WASHINGTON – Emphasizing VA’s continued commitment to evaluating and improving procedures related to the handling of sensitive veterans’ data, Secretary of Veterans Affairs R. James Nicholson named former Maricopa County (Ariz.) Attorney Richard M. Romley as his new Special Advisor for Information Security.

“Rick Romley is a well-respected attorney and veteran who will provide a critical outsider’s perspective to VA as we work diligently to reform the Department’s information security policies and procedures,” said Secretary Nicholson. “Rick shares my commitment to cutting through bureaucracy to provide results for our nation’s veterans. I am grateful to Rick for agreeing to come to Washington and serve VA and his fellow veterans during this challenging period.”

During this assignment with VA, Romley will serve as a Special Advisor to the Secretary for Information Security, reporting directly to Secretary Nicholson. Romley will be responsible for evaluating the current state of VA’s information security procedures and processes, and developing recommendations for improvement in VA’s information security systems.

“I appreciate the confidence Secretary Nicholson is showing in my ability to provide an independent and objective assessment of the existing information security procedures within VA,” said Romley. “Over the next few months, I look forward to serving my fellow veterans by investigating and making recommendations to the Secretary on how the Department can best prevent future information security incidents.”

Romley’s appointment comes a day after Secretary Nicholson’s announcement of a series of personnel changes in VA’s Office of Policy and Planning – the division in which the private information of up to 26.5 million veterans was compromised.

Romley is nationally recognized as a leader in criminal justice, and served four elected terms as the Maricopa County (Ariz.) Attorney (1989-2004). He was responsible for administering one of the largest prosecuting attorney’s offices in the nation, with Maricopa County being the fourth most populated county in the country.Romley has testified before Congress on the issues of violent crime, terrorism, drug trafficking, youth violence, public corruption and victims’ rights. He has also championed many prosecution and reform policies. In the early 1990s, Romley successfully prosecuted “AzScam,” the largest public corruption case in Arizona’s history.

Romley served in the Marine Corps in Vietnam until he was injured. He has received numerous commendations for his service, including the Purple Heart. In 2001, Romley received the Presidential Unsung Hero Award, and Disabled American Veteran of the Year Award from Disabled American Veterans (DAV).

Michael H. McLendon is a Veterans Affairs (VA) Deputy Assistant Secretary who didn't immediately notify top officials about a theft of millions of veterans' personal information is stepping down, citing missteps that led to the security breach. Michael H. McLendon, deputy assistant secretary for policy who supervised the VA data analyst who lost the data, said he would relinquish his high-level post on Friday.

“Words are inadequate to describe how I feel about these recent events and the impact on the band of brothers and sisters of service members and veterans that we are supposed to serve,” McLendon wrote in a letter obtained Tuesday by The Associated Press.

“Given that this very serious and tragic event occurred on my watch and in my organization, I feel it necessary that I tender my resignation,” stated the letter, which was submitted to the VA late Friday. “I would be modeling the wrong behavior to my staff and others in VA if I took no action to be responsible.”

Michael H. McLendon, VA deputy assistant secretary for policy, learned of the May 3 burglary less than an hour after the worker (GS-14) reported it to his supervisors and to Montgomery County police, according to a briefing document, given to congressional committees this week by the VA. McLendon met with two high-ranking VA information security specialists the next day.

The briefing document reveals new details about the 60-year-old man at the heart of the scandal. He is a senior-level career employee working as an information technology specialist in the Office of Policy. As a GS-14 level employee, he earns between $91,407 and $118,828 a year.

Among items stolen from his Aspen Hill home was an external computer hard drive that VA officials say contained the unencrypted names, birthdates and Social Security numbers of 19.6 million to 26.5 million veterans.

In a meeting with McLendon two days after the theft, the employee "assumed full responsibility, acknowledging he knew he should not have taken the data out of the office," the summary says. James J. O'Neill, VA deputy assistant inspector general for investigations, said in an interview yesterday that the employee is cooperating fully in the investigation. "He reported it [the theft] immediately, and he certainly could have kept it quiet," O'Neill said.

According to the document, Dennis M. Duffy, acting assistant secretary for policy, planning and preparedness, was told of the theft May 5. Duffy asked VA computer security specialists to determine the extent of the data lost and three days later asked them to draft a memo. McLendon convened a meeting of the Office of Policy staff May 9 to stress the importance of data security and had the data analyst discuss his experience.

It was not until that day, May 9, that Duffy informed VA Chief of Staff Thomas Bowman about the theft, suggesting that senior management should discuss the department's obligations to notify veterans whose data may have been compromised. Bowman told Deputy Secretary Gordon Mansfield, the department's No. 2 official, the next afternoon, but neither man informed Nicholson until May 16, the document shows.

Nicholson told the White House that day and informed Congress and the public six days later, on May 22.

"What the timeline shows is that, once he was informed, the secretary acted quickly, decisively and in the best interest of veterans," said Matt Burns, a VA spokesman.

The 60 year old data analyst will be dismissed while the acting head of the division in which he worked, Dennis Duffy, has been placed on administrative leave, VA Secretary Jim Nicholson said Tuesday.

This is an update to that plan to serve veterans in the United States in the theft of unencrypted names, birthdates and Social Security numbers of 19.6 million to 26.5 million veterans is second only to a hacking incident last June at CardSystems Solutions in which the accounts of 40 million credit card holders were compromised.