Rep. Tom Davis (R-Va.), chairman of the House Committee on Government Reform, last week promised to introduce legislation seeking to strengthen breach-notification requirements at agencies. His vow followed a belated disclosure by the Department of Energy that the Social Security numbers and other personal data of about 1,500 employees and contract workers were compromised by a hacker last September.

In addition to the VA and the Energy Department, the Social Security Administrationand the Internal Revenue Service recently acknowledged that they had been hit by data breaches.

Davis has said the recent incidents highlight the need to strengthen FISMA's requirements. At a VA-related hearing that the Government Reform Committee held on June 8, he called for the addition of unspecified penalties and incentives to foster better information-security practices.

During the same hearing, VA Secretary R. James Nicholson expanded on some of the measures the agency is taking to prevent further breaches. Among them are a complete ban on using personally owned computers and laptops to log into the agency's networks, and an indefinite suspension of the practice of permitting VA employees to download claims files and work on them from home. Nicholson said he has also ordered a complete recall of all agency-issued laptops for a comprehensive security review by the end of this month.

The VA plans to require laptop users to submit their systems for a monthly review but has not yet decided how that will be done, a spokesman said.