The GAO has released an update to its investigation of a May 2006 data breach at the Veterans Administration. The auditor's updated report notes that the VA has not completed 20 of 22 recommendations made in the first report, but notes that the VA has made some progress in securing data.

The report highlighted the need for improved asset control and the implementation of a comprehensive security management program for VA facilities. Since the breach, however, the VA has encrypted more than 18,000 laptops and is implementing software that rejects unauthorized data storage devices, such as USB drives. The VA has also rolled out software that inspects outbound email for data misuse, such as the transmission of social security numbers.

While it's easy to criticize the VA for its lax handling of personal data, the lessons the VA is learning are worth review by most organizations. The ability to transport data, whether it refers to employees, customers, proprietary technology, accounting or other business functions, is one that slips by most corporate security measures. Learning to secure data without having to experience the painful lessons handed to the VA is worth the price of admission on this issue and many network managers would do well to heed this process.