Secretary of Veterans Affairs James Nicholson named Richard Romley, former attorney general of Maricopa County, Ariz., to the post. Romley will report directly to Nicholson and will be responsible for reviewing the VA's current policies and procedures and recommending changes for improving the agency's information security.
"Rick Romley is a well respected attorney and veteran who will provide a critical outsider's perspective to VA," Nicholson said in a prepared statement. Romley served four terms as the attorney general of Maricopa County between 1989 and 2004. He also served in the Marine Corp. in Vietnam.
Yesterday, Nicholson announced that he was making several personnel changes in the VA's office of Policy and Planning. Among them: The agency has begun procedures necessary to terminate the data analyst who violated department policy, Nicholson said in a statement.
There are the latest in a series of moves at the VA in the wake of last week's news that a laptop and disks containing sensitive information on more than 26 million veterans had been stolen. The data was taken home by a senior data analyst who was not authorized to do so. The theft was discovered on May 5, though the public disclosure of the breach did not take place until May 22. Nicholson also announced that Acting Assistant Secretary for Policy and Planning Dennis Duffy has been placed on administrative leave. His role is being assumed by the current Assistant General Counsel for Management and Operations Paul Hutter, who supervised the VA's information systems division as well as 22 regional offices and field operations.
In other personnel changes, Mike McLendon, deputy assistant secretary for policy, announced his resignation effective June 2.
The personnel changes come on the heels of a directive issued last week by Nicholson to all VA supervisors reminding them about their responsibility in protecting sensitive and confidential information.
Because of the data loss, all VA employees will be required to complete a general privacy awareness and cybersecurity training exercise by June 30 and will also be required to sign a statement affirming their commitment to and understanding of their data security obligations.
In a statement issued May 26, Nicholson announced that he has convened a task force to review department-wide information security practices. As part of the effort, the task force will compile an inventory of all positions within the VA that require access to sensitive data. The inventory will include information on justification for access, data type and method of access. The task force has until June 30 to complete the inventory.