The Right Way to Handle Data Theft

Comparisons tend to be invidious, but it's worth looking at how the Veterans Affairs Department manages the breach, loss or theft of data versus the Military Health System.

When VA discovers a breach of data, the department's CIO Roger Baker ensures that veterans whose data has been compromised are sent a letter offering free credit reporting for up to a year as a safeguard against fraud.

But earlier this week, when TRICARE reported what turned out to be the theft of computer backup tapes containing the records of 4.9 million patients, it left the fraud protection up to them, directing patients to contact the Federal Trade Commission for help in a rather obscure notice posted on the TRICARE Web page.

In another distinction, Baker is not afraid to call a theft theft in his monthly breach reports to Congress, which he also explains in a monthly call to Congress.

TRICARE, by comparison, referred to the theft of those backup tapes -- left in the car of an employee of one of its contractors, Science Applications International Corp., for an entire work day -- as a "data breach."

This is rather tame language for an incident that requires a much more detailed and frank explanation.