VA settlement demonstrates just how costly lax security can be
If you want another good reason to make sure your sensitive data is adequately locked down, look no farther than the Veterans Affairs Department, which last week agreed to pay $20 million to settle a class action lawsuit over the 2006 loss of a laptop containing records with personal information about up to 26.5 million veterans and active duty personnel.
That’s a lot of money, and it will be paid from taxpayers’ dollars, but VA got off lucky. The suit originally asked for $1,000 for each person whose data was exposed, which could have been more than $26 billion. That’s nearly enough to bail out a good-sized bank.
The settlement demonstrates that the repercussions of exposing data can be long-lasting and that the cost can go far beyond the immediate expense of cleaning up the breach. For companies it has long been known that negative publicity resulting from public notification of a data breach can quickly translate into millions of dollars of lost shareholder value as stock prices tumble. Agencies do not have to worry about stock prices, but the threat of other costs is real. The VA agreed to the settlement even though the department has said there is no evidence that the information on the stolen laptop was used or than any person involved was harmed by it.
Lesson: It could be a lot cheaper to secure your data in the first place than to pay for damage control later.
To its credit, the VA generally has responded well to this incident despite an initial three-week delay after the theft was reported before possible victims were alerted back. Since then the department has gotten serious about improving protections on data and has been a major user of Microsoft’s Rights Management Services, which places controls on the use of documents. Security still is not perfect, but it is a huge department with hundreds of facilities and offices located around the country offering a multitude of services, so it is gong to take a long time to get everything under control. But the department did the right thing in stepping up and taking responsibility for the huge 2006 loss and agreeing to the payout, even if it does hurt the taxpayers.
The lawsuit was filed in U.S. District Court in Washington by five veterans groups in June 2006, a month after news was released of the theft of a laptop on which a VA data analyst had loaded the data. The laptop was recovered with the data apparently intact. But it is impossible say with absolute certainty that the data was not accessed and copied. Millions of persons whose names, birthdates and Social Security numbers were in the data were put to the trouble of monitoring their credit and worrying about data theft.
The settlement calls for payments of from $75 to $1,500 to persons who can show some harm resulting from the incident, which could include physical symptoms of stress or expenses for credit monitoring. Any money left over from the $20 million fund will be donated to veterans’ charities.
Let’s hope that few of the veterans whose data was exposed in the incident were badly harmed by it and that actual payouts of damages will be small. The upside of the incident could prove to be twofold: A sizeable chunk of money could go to deserving charities, and a lesson will have been learned about the value of preventing a breach rather than responding to it after the fact.