Veterans Sue VA over Data Loss

By Wayne Rash  |  Posted 06-06-2006
WASHINGTON—Claiming that the U.S. Department of Veterans Affairs "flagrantly disregarded the privacy rights of essentially every man or woman to have worn a United States military uniform," veterans groups filed a massive class-action lawsuit June 6 in the U.S. District Court for the District of Columbia.

The lawsuit, which comes days after the VA reported that the personal information of 26.5 million veterans was stolen from an employee's home, seeks damages of $1,000 for every person listed in the missing database files.

The suit also asks that the courts prohibit the VA from handling any personal privacy-protected data except under court supervision, and that the court create a set of "consensus minimal security standards" under which the VA can operate.

The suit is a result of the theft of a laptop computer from the Maryland home of a VA employee who had taken the information home so that he could work on a presentation. The computer contained the names, Social Security numbers and dates of birth for millions of veterans and some spouses, as well as some disability ratings.

The employee reported the loss of the laptop and its accompanying external hard disk to police and to his supervisor as soon as the theft was discovered, but that fact was not made available to higher levels of management until weeks later.

According to information in the complaint, the VA employee had been taking the personal information home routinely for at least three years.

The suit says that the "VA arrogantly compounded its disregard for veterans privacy rights by recklessly failing to make even the most rudimentary effort to safeguard this trove of personally identifiable information from unauthorized disclosure."

According to the suit, the information was unencrypted and easily available.

In the complaint, the plaintiffs request that the court require the VA to publish the nature of every database it has that contains veterans' personal information, and to reveal what information they contain and why they need the information.

The complaint also asks that the court prohibit VA employees from removing information, or even from carrying iPods, memory sticks, USB devices and the like to the office.

According to the plaintiff's attorney, Douglas Rosinski, the primary thrust of the suit is to force the VA to handle veterans' personal information properly.

"The thousand dollars is there because it's available and it's a hammer," Rosinski told eWEEK. "It's primarily and principally an effort to invoke court supervision of the VA."

Click here to read about how a stolen Fidelity laptop exposed HP workers.

Rosinski said that what makes the data loss even worse is that the VA says it isn't sure exactly what information was actually lost.

"That they don't know what they lost is a violation of the privacy act," Rosinski said. "They're supposed to keep records of who is authorized to use this information. That indicates that there are huge long-term information security and privacy act deficiencies."

Rosinski noted that the VA's Inspector General as well as the Government Accountability Office have been pointing out the deficiencies in the VA's security for years.

"We're saying as a matter of fact that the VA can't do this right," he said.

Read the full story on eWEEK.com: Veterans Sue VA over Data Loss