Thursday, June 08, 2006

VA Notification Letter Critique

The letter I received from the VA notifying me that my personally identifiable information may be at risk following the May 3 theft of an employee’s laptop computer is a mixed bag. I’ll outline the letter for you here:

For starters, the letter is short. Six paragraphs in length, fitting nicely on one side of a sheet of standard 8.5” x 11” bond paper, it’s not the sort of lengthy missive that is more likely to get wadded than read, so that’s a plus.

Paragraph One gives a brief description of what happened, tells me that my PII was “potentially exposed to others,” and points out that no health or financial information was included in the breach. Paragraph Two continues the tale, informing that the FBI and VA inspector general are on the job investigating. Without getting into a dissertation about the veracity of the letter’s account, I think it’s an opening that gives the letter proper context without raising unnecessary fear or shrug off responsibility.

Paragraph Three points to resources made available for veterans who may be concerned about the safety of their PII, or who believe someone is using their information for nefarious reasons. A web site, and phone number with hours of operation is noted.

Paragraph Four cautions the recipient about possible schemes fraudsters may use to obtain more information by calling or emailing under the guise of a federal agency. This is an especially important point since many of the 26.5 million vets may be inclined to fall for such social engineering techniques believing they are helping a government agency protect their financial safety.

Paragraph Five is a mea culpa, and Paragraph Six closes with an explanation as to why the IRS was the mailing agency along with assurance that the IRS shared no address or financial information with the VA.

Overall, I like the letter. There’s no unnecessary detail, no fear-mongering, and no finger pointing. What’s missing from the letter, however, is the availability of credit monitoring and other protective/precautionary services. I realize this is because the VA has not yet ponied up to absorb the cost of such services for all the affected vets, but I believe that service should be standard practice in such cases.

Also, in Paragraph Five, the VA states “we want to reassure you we have no evidence that your protected data has been misused.” First, I’d hardly call the data “protected” since the lack of protection is why I’m getting this letter in the first place. Second, it’s unlikely that the compromised data would, just over a month after the theft, already be seeing fraudulent use.

More on that when I look at the Q&A…tomorrow.

Room for improvement, certainly, but a good effort - especially considering we're talking about a federal agency and 26.5 million points of contact. I'll give it a B+.


Post a Comment

Links to this post:

Create a Link

<< Home