Skip to content Skip to navigation

The VA And The High Cost of Security Breaches

February 4, 2009
by Reece Hirsch
| Reprints

Last week, the Veteran's Affairs Department agreed to pay $20 million to settle class action lawsuits by five veterans groups relating to a 2006 security breach. The incident involved, as is so often the case, the theft of a laptop. The laptop, which was stolen in the burglary of a VA data analyst's home in Maryland, contained the names, dates of birth and Social Security numbers of 26.5 million veterans and active-duty service members. The laptop was later recovered and the VA discovered no evidence that the data had been misused.

The VA has agreed to use the $20 million settlement amount, which comes from the U.S. Treasury, to pay affected individuals between $75 and $1500 if they can prove that they suffered actual harm, such as emotional distress or expenses related to credit monitoring. It will be interesting to see how the VA will go about paying damages for emotional distress. What sort of "proof" will affected individuals be expected to submit? What settlement amounts will be paid for emotional distress? This is of particular interest because in other class action lawsuits related to security breaches, courts have thus far tended to deny claims for damages because an individual experiences emotional distress at the prospect that his or her personal information MIGHT be exposed to criminals or used to commit fraud. Could the VA settlement be viewed as an encouraging sign by plaintiffs' class action attorneys seeking to bring emotional distress claims in the wake of security breaches?

I tend to think that the substantial settlement reflects the VA's desire to satisfy its veteran and service member constituencies, as well as an attempt to mitigate some of the public relations damage that resulted from negative press coverage in 2006 and a scathing report by the VA Department's Inspector General that followed the breach.



Topics

Comments

Reece,
Thanks for providing the follow-up on the settlement and terms, as well as the commentary.

It got me thinking about data theft in general, and measures to prevent it. One story I've heard but haven't validated was a 'Federal Innovation Award' given to a public servant who figured out that construction caulk could be injected into USB ports, precluding undesirable data (and virus) movement via thumb drives and their equivalent removable storage devices.

It just illustrates once more that convenience and flexibility are in tension with security.

On a personal note, I also lock my home office; it's just too tempting to my 7 year old ... so I'm fiddling with the key, inside my home, everyday.

Reece Hirsch

Partner, Morgan, Lewis & Bockius LLP

Reece Hirsch's Health Care Privacy Law Blog offers a lively commentary on a wide range of...