Veterans Seek Billions in Data Breach Suit

WASHINGTON – Angry veterans aren’t waiting for Congress to take action over the recent Veterans Administration loss of 26.5 million personal records of veterans.

Tuesday afternoon, a coalition of veterans groups filed a class action lawsuit demanding the VA name those who are at risk for identity theft. The suit seeks $1,000 in damages for each person, a payout that could reach $26.5 billion.

According to the lawsuit, the VA’s loss of the records violated both the U.S. Privacy Act and the Administrative Procedure Acts.

“It is appalling to all veterans that their personal information — information that is supposed to be held in confidence — is potentially in the hands of individuals who can wreak identity-theft havoc,” John Rowan, the national president of Vietnam Veterans of America and a plaintiff in the lawsuit, said in a statement.

Other veteran groups backing the lawsuit include the National Gulf War Resource Center, Radiated Veterans of America, Citizen Soldier and Veterans for Peace.

The lawsuit also seeks a court order to prevent the VA from any further use of veterans’ data until a court-appointed panel of security experts determines appropriate safeguards to prevent future data breaches.

“This lawsuit seeks to insure that no harm will come to veterans as a result of this theft, and that such an incident can never occur again,” Rowan said.

In late May, the VA disclosed it had suffered the second largest known data breach in U.S. history and the largest Social Security numbers breach ever.

The breach occurred when a VA employee violated agency policy and took a laptop with the records on it home, where it was stolen in a burglary.

“The VA has been criticized for years about lax information security and that includes criticism from the VA’s own Inspector General. The VA still hasn’t properly secured all the personal information under its control,” Rowan said.

He added: “We hope this lawsuit will help Secretary [Jim] Nicholson correct the known vulnerabilities in how the VA protects private information.”

The breach sparked new interest in Congress to pass data protection and disclosure laws.

While more than 10 bills were introduced in the aftermath of the ChoicePoint data breach 17 months ago, neither the U.S. House or Senate has been able to actually pass a measure.

The legislation has bogged down over issues of just exactly what is the trigger to publicly disclose a data breach. Should it be a “reasonable” or “substantial” threat to result in identity theft?

“The problem is how to define if data is at risk. If the thief can’t access the data, is there a breach?” Joseph Ansanelli, president and CEO of security firm Vontu, told internetnews.com.

Ansanelli, as he has three times in congressional testimony over the last several years, again called for Congress to pass legislation as soon as possible.

“It needs to be technologically agnostic and require [businesses holding personal consumer data] to have a security program and pro-actively enforce those policies,” he said. “And, of course, there should be a disclosure requirement.

Ansanelli said he supports legislation that would pre-empt any existing state laws to create a single national consumer data security standard.

The answer, he suggested, could be surprisingly simple: “Extend any existing industry specific consumer data protection requirements to cover any organization which stores private consumer data.”

Financial institutions, for instance, are already under data protection obligations through the Graham Leach Bliley Act and health care providers face similar requirements under the Health Insurance Portability and Accountability Act (HIPPA).

Those standards, Ansanelli said, could be extended to cover data brokers and other holders of personal data.

“Whoever has this data should be covered, including government agencies.”