The suit asks that the U.S. Department of Veterans Affairs be forced to use at least minimal security to protect records.
WASHINGTONClaiming that the U.S. Department of Veterans Affairs "flagrantly disregarded the privacy rights of essentially every man or woman to have worn a United States military uniform," veterans groups filed a massive class-action lawsuit June 6 in the U.S. District Court for the District of Columbia.
The lawsuit, which comes days after the VA reported that the personal information of 26.5 million veterans was stolen
from an employees home, seeks damages of $1,000 for every person listed in the missing database files.
The suit also asks that the courts prohibit the VA from handling any personal privacy-protected data except under court supervision, and that the court create a set of "consensus minimal security standards" under which the VA can operate.
The suit is a result of the theft of a laptop computer from the Maryland home of a VA employee who had taken the information home so that he could work on a presentation. The computer contained the names, Social Security numbers and dates of birth for millions of veterans and some spouses, as well as some disability ratings.
The employee reported the loss of the laptop and its accompanying external hard disk to police and to his supervisor as soon as the theft was discovered, but that fact was not made available to higher levels of management until weeks later.
According to information in the complaint, the VA employee had been taking the personal information home routinely for at least three years.
The suit says that the "VA arrogantly compounded its disregard for veterans privacy rights by recklessly failing to make even the most rudimentary effort to safeguard this trove of personally identifiable information from unauthorized disclosure."
According to the suit, the information was unencrypted and easily available.
In the complaint, the plaintiffs request that the court require the VA to publish the nature of every database it has that contains veterans personal information, and to reveal what information they contain and why they need the information.
The complaint also asks that the court prohibit VA employees from removing information, or even from carrying iPods, memory sticks, USB devices and the like to the office.
According to the plaintiffs attorney, Douglas Rosinski, the primary thrust of the suit is to force the VA to handle veterans personal information properly.
"The thousand dollars is there because its available and its a hammer," Rosinski told eWEEK. "Its primarily and principally an effort to invoke court supervision of the VA."
Click here to read about how a stolen Fidelity laptop exposed HP workers.
Rosinski said that what makes the data loss even worse is that the VA says it isnt sure exactly what information was actually lost.
"That they dont know what they lost is a violation of the privacy act," Rosinski said. "Theyre supposed to keep records of who is authorized to use this information. That indicates that there are huge long-term information security and privacy act deficiencies."
Rosinski noted that the VAs Inspector General as well as the Government Accountability Office have been pointing out the deficiencies in the VAs security for years.
"Were saying as a matter of fact that the VA cant do this right," he said.
Other federal agencies have been forced by the courts to protect information when improper breaches have occurred. The Department of the Interior was ordered to shut down all access to the Internet when one court determined that private information held by the Bureau of Indian Affairs was not being protected against improper disclosure over the Internet.
An utter disregard for security.