CYBEREYE—Commentary

VA settlement demonstrates just how costly lax security can be

If you want another good reason to make sure your sensitive data is adequately locked down, look no farther than the Veterans Affairs Department, which last week agreed to pay $20 million to settle a class action lawsuit over the 2006 loss of a laptop containing records with personal information about up to 26.5 million veterans and active duty personnel.

That’s a lot of money, and it will be paid from taxpayers’ dollars, but VA got off lucky. The suit originally asked for $1,000 for each person whose data was exposed, which could have been more than $26 billion. That’s nearly enough to bail out a good-sized bank.

The settlement demonstrates that the repercussions of exposing data can be long-lasting and that the cost can go far beyond the immediate expense of cleaning up the breach. For companies it has long been known that negative publicity resulting from public notification of a data breach can quickly translate into millions of dollars of lost shareholder value as stock prices tumble. Agencies do not have to worry about stock prices, but the threat of other costs is real. The VA agreed to the settlement even though the department has said there is no evidence that the information on the stolen laptop was used or that any person involved was harmed by it.

Lesson: It could be a lot cheaper to secure your data in the first place than to pay for damage control later.

To its credit, the VA generally has responded well to this incident despite an initial three-week delay between the report of the theft and the alerting of possible victims. Since then the department has gotten serious about improving protections on data and has been a major user of Microsoft’s Rights Management Services, which places controls on the use of documents. Security still is not perfect, but it is a huge department with hundreds of facilities and offices located around the country offering a multitude of services, so it is going to take a long time to get everything under control. But the department did the right thing in stepping up and taking responsibility for the huge 2006 loss and agreeing to the payout, even if it does hurt the taxpayers.

The lawsuit was filed in U.S. District Court in Washington by five veterans groups in June 2006, a month after news was released of the theft of a laptop on which a VA data analyst had loaded the data. The laptop was recovered with the data apparently intact. But it is impossible to say with absolute certainty that the data was not accessed and copied. Millions of persons whose names, birthdates and Social Security numbers were in the data were put to the trouble of monitoring their credit and worrying about data theft.

The settlement calls for payments of $75 to $1,500 to persons who can show some harm resulting from the incident, which could include physical symptoms of stress or expenses for credit monitoring. Any money left over from the $20 million fund will be donated to veterans’ charities.

Let’s hope that few of the veterans whose data was exposed in the incident were badly harmed by it and that actual payouts of damages will be small. The upside of the incident could prove to be twofold: A sizeable chunk of money could go to deserving charities, and a lesson will have been learned about the value of preventing a breach rather than responding to it after the fact.

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.

Reader Comments

Sun, May 16, 2010 steve

I received a letter from the VA stating that my info was stolen back in 2009. And just now found out that there was a settlement that veterans received. And I was never notified by the VA about this matter again. Until today, I had no idea that it even existed. And then I hear that they received 0.51 cents. Can you explain how this happens in America? P.S. I guess the attorneys and organizations made all the money? Veteran, Steve Grady

Fri, Oct 2, 2009 VA IT Worker US

It astounds me that the taxpayers must shell out 20M to settle a case over a lost and recovered laptop where there is no evidence that a single record was accessed. This is very different from cases where the information (not the hardware) ends up in the hands of the bad guys.

Mon, Mar 2, 2009

This was not a case of "lax security"! This is another case of political correctness run amok. A VA employee with more work than he could do in the office was taking work home with him - WITH HIS SUPERVISOR'S KNOWLEDGE - a common practice at the time. His work was stored on a laptop PC. His work was stolen, when the laptop was stolen from his home. It was later recovered and it was proven that the data had been secure and was not accessed! But the facts don't give politicians a grandstand opportunity and don't make sales for software security programs like the melodrama that's been oft repeated.

Mon, Feb 23, 2009 Marta Seattle, Washington

It looks to me like the only real winners are the attorneys. It is just too bad the VA didn't make an estimate of how much time it would take to check on credit etc. and then offer to compensate anyone who requested it. I would think even at $20.00 an hour it could not have been more than 2-3 hours. That would have saved everyone money and made a bad situation seem like the VA was recognizing its veterans' value.

Thu, Feb 12, 2009 James Hawaii

My wife and I both received letters saying our info had been exposed, yet we weren't asked to take part in any class action lawsuit. What is this, just some organizations trying to get money without truly looking out for vets?
