VA Wants to Know: What's in That Email?

News that a government agency or corporation exposed private information such as Social Security numbers is rather common these days. The public routinely asks, "Why can't organizations take more care in securing my personal information?"

One reason may be that agencies use personal information such as Social Security numbers in their everyday work of processing information, which makes it difficult not to expose that information. For example, the Department of Veterans Affairs recently installed software that scans each outgoing email for Social Security numbers. Under the VA's security policy, servers block emails that contain Social Security numbers from being sent. In one month, the software blocked 7,000 emails that it determined could possibly contain a Social Security number, according to Robert Howard, assistant secretary of information and technology at the VA, who testified today before the Senate Committee on Veterans' Affairs.

That may seem like a lot. But looking at it another way, it's surprising that only 7,000 emails were blocked (a figure that, of course, most likely includes some false positives). According to the VA's Web site, the VA has 244,032 employees. If each employee sends on average, say, 100 emails a month (that's about five emails a day), that would mean less than 0.03 percent of all VA emails contained a Social Security number. And that doesn't include emails that VA contractors sent. However, Howard did not tell the committee whether all VA emails are scanned; if they are not, the percentage of emails containing a Social Security number would be higher.

Nevertheless, for those whose personal information was exposed because it was emailed outside an organization's firewall, there is no solace in knowing that the exposure was highly unlikely.
