In one of the soon-to-be countless articles about the VA Incident, Network World’s Ellen Messmer writes:
“The sad irony in all this is that there are many at the VA who have worked hard to design and install network-based security. But in the ‘multiple layers of security’ everyone is so fond of discussing, the human being apparently remains one of the hardest to fix.”
Yes, while “there’s no technical solution to a social problem”, in this case the problem seems to have been that unencrypted sensitive data were literally left lying around. Even if one accepts the premise that these data need to be stored on laptops (which is far from clear in this case), any number of commercial products could easily have helped here.
A further point. Much is being made of this being a “simple burglary”. Let’s imagine that it was not. With crypto, an insider being paid for information would need to commit two offenses: leaving the info lying around (which might be worth it, depending on how much he’s being paid and on how gullible investigators are), and deliberately disabling the protection provided by crypto (by leaving the machine running, or by leaving the crypto key in plain sight on a Post-It). I’m no lawyer, but it seems that the second scenario makes it easier to separate malice from stupidity. Sounds like something that might be worth doing.