How 26.5 Million Veterans Were Put At Risk of Identity Theft, and Why Credit Freeze Laws Are Needed to Protect Future Victims

By ANITA RAMASASTRY

Wednesday, May. 31, 2006

Earlier this month -- in another of a series of recent, high-profile security breaches -- one Veterans Administration (VA) employee's rule violation put as many as 26.5 million veterans at risk of identity theft. This is reported to be the largest data breach of Social Security numbers ever.

The VA's response - which I'll detail below - shows that it is not inclined to voluntarily work to remedy this breach.

A federal statute should be passed to hold the VA and other government agencies, as well as private companies, accountable in the event of data breaches that their employees caused, or were negligent in failing to prevent. At a minimum, the agencies should be obligated to pay for credit monitoring for those affected.

Such a statute should also require credit report agencies to let consumers freeze their reports to prevent their credit from being destroyed by identity thieves. (I provided more detail about a possible credit freeze statute in a prior column.) If Congress does not step in, more states need to take the lead and protect their citizens with such a remedy.

The VA's Apparent Negligence: How Veterans' Information Was Stolen

The data that was compromised included names, birth dates and Social Security numbers of veterans discharged from military service since 1975, as well as those of veterans who were discharged earlier and who have filed for VA benefits. The veterans are now vulnerable to credit card fraud and wider-scale identity theft.

Disability-related information, too, seems to have gotten out: The VA admits that for "some veterans who have applied for VA disability compensation benefits and have been determined by VA to have a disability related to their military service, the data [in the breach] may have included the number of service-connected disabilities a veteran has and the veteran's overall disability percentage rating."

How could this happen? The answer is that while the data was originally stored safely on a government-issued computer and password-protected, a VA analyst copied it onto a home laptop computer. And that home computer was among the items taken during a burglary of the employee's home.

The VA's Response: Why It's Inadequate

The VA's response has been simple, and dramatically inadequate: It has essentially told all discharged veterans that it's up to them to protect themselves.

The VA has not yet told particular veterans whether they are among the millions affected - nor has it said when it will do so. It claims it is "developing a method for individual notifications, where possible," but admits that "[w]e do not yet know when these letters will be released." And although the VA has established a toll-free number to cover this issue, veterans who call cannot find out if they were among those whose data was stolen.

The VA is urging all discharged veterans who may have been affected to check their credit report for free at AnnualCreditReport.com, and/or at the three major credit reporting bureaus, Equifax, TransUnion, and Experian. That's fine as far as it goes - but consumers only get one free report per year, and the VA isn't offering to pay for further reports, even though many veterans may reasonably want to check more often than annually.

All discharged veterans who may have been affected have also been asked to place fraud alerts on their credit files. Such alerts sometimes work - but credit-granting companies have sometimes tended to disregard them.

The VA's, and Other Agencies', Vulnerability: Security Breaches Waiting to Happen

In retrospect, it seems inevitable that this kind of breach would occur, given the VA's poor record on computer security.

Reportedly, the VA has repeatedly ranked near the bottom among federal agencies in an annual Congressional report card of computer security. (The report card measures compliance with the 2002 Federal Information Security Management Act, which requires federal agencies to develop information-security plans and to test their viability.)

The VA has received a grade of F every year since the scorecard began in 2001 - except in 2003, when it got a C. For five years, the VA's Inspector General has identified information security as a material weakness, and faulted officials for slow progress in tackling the problem.

In 2005, reviews found that access controls were not consistently applied at many VA data centers and other locations. Recommendations included ensuring that background checks are performed on VA employees and contract workers, and restricting off-duty workers' access to sensitive data. But given that an off-duty worker's rule violation caused the huge recent breach, these recommendations plainly are not being enforced strictly enough.

Some agencies have done better than the VA: The Social Security Administration got an A-plus in 2005. This is reassuring given the type of sensitive data that this agency retains on behalf of the American public. But many are as bad as, or even worse than, the VA. The government-wide average for 2005 was an appalling D-plus.

Possible Remedies: Credit Monitoring and Credit Freeze

So what is to be done? Once again, a large group of the potential victims of an identity theft has been left in a Kafkaesque world. Group members do not know, and can't find out, if their data has been compromised. They are left to watch, worry, and wait.

At a minimum, the VA -- and other agencies in the same position -- should be required to offer veterans free credit monitoring services, not just once annually, but for at least one year.

Some recent studies do show that for private-sector security breaches, potential victims have been slow to take companies up on their offers. But this is a relatively new remedy, and the response rate may well grow when consumers learn of it.

Moreover, even if only some potential victims exercise this option, it's only right that all potential victims have the choice; after all, the breach is not their fault, but it may affect them. This is especially true in the context of a government-agency breach, rather than a private-sector breach: Victims can choose which private companies to entrust their data to, but they are legally required to give data to government agencies.

A federal statute should also be enacted to ensure that potential identity theft victims can put their credit reports "on ice" until they wish to have them thawed. (Some states already have such statutes - which stop identity thieves in their tracks by ensuring that an impostor cannot open up a credit card account or get a loan, without the bank first accessing a credit report and thus learning of the freeze.)

Our government has a very strong duty to keep safe the data it requires us to provide to it. Duties go both ways, and it is an especially sad irony that the VA is refusing to help protect the veterans who, with their honorable service, have protected our country.


Anita Ramasastry is an Associate Professor of Law at the University of Washington School of Law in Seattle and a Director of the Shidler Center for Law, Commerce & Technology. She has previously written on business law, cyberlaw, and other legal issues for this site, which contains an archive of her columns.
