An Utter Disregard for
Veterans Sue VA over Data Loss
WASHINGTON - Claiming that the U.S. Department of Veterans Affairs "flagrantly disregarded the privacy rights of essentially every man or woman to have worn a United States military uniform," veterans groups filed a massive class-action lawsuit June 6 in the U.S. District Court for the District of Columbia.
The lawsuit, which comes days after the VA reported that the personal information of 26.5 million veterans was stolen from an employee's home, seeks damages of $1,000 for every person listed in the missing database files.
The suit also asks that the courts prohibit the VA from handling any personal privacy-protected data except under court supervision, and that the court create a set of "consensus minimal security standards" under which the VA can operate.
The suit is a result of the theft of a laptop computer from the Maryland home of a VA employee who had taken the information home so that he could work on a presentation. The computer contained the names, Social Security numbers and dates of birth for millions of veterans and some spouses, as well as some disability ratings.
The employee reported the loss of the laptop and its accompanying external hard disk to police and to his supervisor as soon as the theft was discovered, but that fact was not made available to higher levels of management until weeks later.
According to information in the complaint, the VA employee had been taking the personal information home routinely for at least three years.
The suit says that the "VA arrogantly compounded its disregard for veterans' privacy rights by recklessly failing to make even the most rudimentary effort to safeguard this trove of personally identifiable information from unauthorized disclosure."
According to the suit, the information was unencrypted and easily available.
In the complaint, the plaintiffs request that the court require the VA to publish the nature of every database it has that contains veterans' personal information, and to reveal what information they contain and why they need the information.
The complaint also asks that the court prohibit VA employees from removing information, or even from carrying iPods, memory sticks, USB devices and the like to the office.
According to the plaintiffs' attorney, Douglas Rosinski, the primary thrust of the suit is to force the VA to handle veterans' personal information properly.
"The thousand dollars is there because it's available and it's a hammer," Rosinski told eWEEK. "It's primarily and principally an effort to invoke court supervision of the VA."
Rosinski said that what makes the data loss even worse is that the VA says it isn't sure exactly what information was actually lost.
"That they don't know what they lost is a violation of the privacy act," Rosinski said. "They're supposed to keep records of who is authorized to use this information. That indicates that there are huge long-term information security and privacy act deficiencies."
Rosinski noted that the VA's Inspector General as well as the Government Accountability Office have been pointing out the deficiencies in the VA's security for years.
"We're saying as a matter of fact that the VA can't do this right," he said.
Other federal agencies have been forced by the courts to protect information when improper breaches have occurred. The Department of the Interior was ordered to shut down all access to the Internet when one court determined that private information held by the Bureau of Indian Affairs was not being protected against improper disclosure over the Internet.
"The veterans that I represent are seeking to fix this system. We want the courts to take control of this information and establish consensus minimal security standards," Rosinski said.
"You must protect your information to some minimal standard," Rosinski said. "The VA has stated that the data was not in any way encrypted. It boggles my mind that you'd have 26 million records of any kind that aren't encrypted. That cannot be allowed to occur.
"All of this indicates complete and utter disregard for security," Rosinski added.
The Vietnam Veterans of America is a party to the suit, and the organization underlines the feeling that the action is designed to fix the problem.
"We've struggled for years to get some degree of privacy protection at the VA, and we never have," said Rick Weidman, executive director for Policy & Government Affairs. "There's been a succession of secretaries who have tried to get a grip on that culture, and nobody's been successful."
Weidman said what concerns his members even more than the loss of data is that the information that the VA lost was in many cases information it was never supposed to have. "They had Social Security information for people who had never applied to the VA for anything," Weidman said.
He said there are other questions that must be answered as well.
"Why did this employee have this information at home? What kind of projects were they working on?" Weidman asked. "It was not encrypted; it was not coupled with a need to know."
Weidman added that there have been no satisfactory answers. "We want to make sure that this time, no more," Weidman said. "With court supervision we can call a halt to all of the problems of the past and make sure each step is taken carefully."
Weidman said that the suit was not really anti-Nicholson (referring to Secretary of Veterans Affairs R. James Nicholson, who was named a defendant in the suit along with the department he heads). "We're attacking the issue, not the secretary," Weidman said.
Weidman noted that the real problem with the VA's failure to protect veterans' data is due to a culture that simply refuses to take the problem seriously.
He said that over the years, VA secretaries, Congress and the White House have tried to correct the problem, but that the bureaucracy has simply not budged.
"Every secretary that I can remember has gone through this," Weidman said. "None has been successful."
Weidman said the inability to solve the problem was the reason why the VVA and the other groups decided to involve the courts. "We have to have every tool needed to get a handle on this business," he said.
The Department of Veterans Affairs declined to comment on the lawsuit.
Montgomery County, Maryland, police announced June 6 that there is a $50,000 reward for the return of the missing laptop and its hard drive.
Police describe the computer as a Hewlett-Packard ZV5360US with an external personal media drive.