The VA's Data Breach - Tips for Veterans and Action You Can Take under Federal Law

 

UPDATE (6/29/06): The stolen laptop computer and the external hard drive were recovered. www.usa.gov/veteransinfo.shtml

UPDATE (7/14/06): FBI and VA Inspector General conducted a forensic examination on the laptop and reported that no data had been removed. But experts say there are ways to thwart detection.

UPDATE (7/18/06): The decision was made by the White House to cancel its request for an additional $160.5 million in additional funding for the Department of Veterans Affairs for credit monitoring for veterans whose personal information had been exposed when a computer and storage device were stolen from a VA employee's home May 3rd.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(May 23, 2006) Sensitive personal information of 26.5 million veterans was stolen recently when the home of a VA employee was robbed. The individual had brought a computer and disk home containing names, Social Security numbers (SSNs), dates of birth, and other information of anyone who served in the military and has been discharged since 1976. The theft apparently occurred May 3, 2006.

  • Why is this a serious data breach?
  • Establish a fraud alert
  • Consider a security freeze
  • Monitor your credit reports regularly
  • Find out the latest from the Veteran's Administration
  • Some tips on taking action
    • Contact your U.S. Senators and Congressional Representative
    • File a HIPAA complaint with the DHHS's Office of Civil Rights
    • Purchase your credit report - and invoke the Privacy Act's damages clause

This guide offers tips for veterans on ways to prevent identity theft. It also provides links to other resources.

 

The data obtained by the thief includes the SSNs of all 26.5 million veterans - also dates of birth. With these two pieces of information plus the individual's name, identity thieves are able to open credit and wireless phone accounts as well as obtain phone, cable, and electrical utility accounts, rent apartments, and more.

 

It's impossible to know if or when an imposter might use this sensitive information to commit fraud. The thief might be connected to a widespread criminal ring that could spread the data far and wide. But again, it's impossible to know of any of these possibilities. So it's vitally important that veterans take the following steps.

 

With one phone call, you can place a fraud alert on your three credit reports. Call one of the bureaus, listed here, and that bureau will share the information with the other two:

Equifax: 1-800-525-6285
Experian: 1-888-397-3742
TransUnion: 1-800-680-7289

 

An alert places a statement on your credit report. If an imposter attempts to obtain credit in your name, the creditor will check your credit and will encounter a statement that says something to this effect: "I may be a victim of fraud. Call me at my phone number 123-456-7890 before extending credit."

 

You will then receive a call and you can tell the creditor whether the applicant is yourself or an imposter. If you use a mobile phone, we advise that you use that phone number for the fraud alert.

 

The fraud alert only lasts 90 days. So mark your calendar and renew the fraud alert each 90 days for at least a year. There is no cost for establishing fraud alerts.

In some states, residents can take advantage of the ultimate prevention tool, a security freeze. A freeze enables you to curtail access to your credit reports. When an imposter attempts to obtain credit or a wireless phone account in your name, the credit issuer will attempt to check your credit. The credit issuer will receive a statement to this effect: "not accessible." And it will then reject the application for credit.

 

Credit freezes do not affect your own ability to obtain your credit report however. And if you are applying for credit, you can unfreeze your credit report either for a specific named creditor, or for a specific period of time. Be aware that a security freeze will affect your ability to open up an instant credit account or to make a spur-of-the-moment purchase involving a new credit account or loan. But if you are not in the market for new credit or loans at this time, a security freeze will have no impact on your use of existing accounts.

 

For a detailed list of states with security freeze laws on the books, visit this Consumers Union site. It provides implementation date, cost, who can establish freezes (all consumers or just identity theft victims), and links to instructions on how to place a security freeze:
www.consumersunion.org/campaigns//learn_more/003484indiv.html

Here's a summary of states with security freeze laws:

California (effective Jan. 1, 2003) Colorado (effective July 1, 2006) Connecticut (effective Jan. 1, 2006) Florida (effective July 1, 2006) Hawaii (effective Jan. 1, 2006) Illinois (effective Jan. 1, 2007) Kansas (effective Jan. 1, 2007) Kentucky (effective July 1, 2006) Louisiana (effective July 1, 2005) Maine (effective Feb. 1, 2006) Minnesota (effective Aug. 1, 2006) Nevada (effective Oct. 1, 2005) New Hampshire (effective Jan. 1, 2007) New Jersey (effective Jan. 1, 2006) New York (effective Nov. 1, 2006) Oklahoma (effective Jan. 1, 2007) North Carolina (effective Dec. 1, 2005) South Dakota (effective July 1, 2006) Texas (effective Sept. 1, 2003) Utah (effective Sept. 1, 2008) Vermont (effective July 1, 2005) Washington (effective July 24, 2005) Wisconsin (effective Jan. 1, 2007)    

California veterans can learn how to obtain security freezes at the web site of the California Office of Privacy Protection:
www.privacy.ca.gov/nr/vasecurity_incident.htm

For identity theft-specific information on other states, click here:
www.privacyrights.org/fs/fs17a-IdTheft-US.htm

And for more information on how to respond to a security breach, see our guide:
www.privacyrights.org/fs/fs17b-SecurityBreach.htm

 

Monitor your credit reports regularly

When you establish a fraud alert, you will receive a letter from each of the three credit bureaus giving you the opportunity to order a free copy of your credit report. Be sure to take advantage of this offer.

 

Each time you renew your 90-day fraud alert, you will, to the best of our knowledge, receive the same letter and ability to obtain a free credit report. Again, take advantage of these opportunities.

 

If you become a victim of identity theft, you will see evidence of it on your credit reports. The quicker you learn you are a fraud victim, the quicker you can take steps to recover.

 

We sincerely hope you never become a victim of identity theft, but if you do, here are some good resources:

Federal Trade Commission, www.consumer.gov/idtheft
Privacy Rights Clearinghouse, http://www.privacyrights.org/fs/fs17a.htm
Identity Theft Resource Center, www.idtheftcenter.org

 

You also have the right to obtain free credit reports through another provision of a federal law known as FACTA. This is over and above your ability to receive free reports when you establish a fraud alert.

 

Once you have received your free credit reports as a part of the fraud-alert process, follow up in a few months by taking advantage of your free FACTA copy. We recommend that you order your free credit reports by phone rather than using the online system at www.annualcreditreport.com. Call (877) 322-8228.

 

For more on free credit reports, see www.ftc.gov/bcp/conline/pubs/credit/freereports.htm and www.annualcreditreport.com.

 

Find out the latest from the Veteran's Administration

The VA has established a web site and a phone number providing additional information to veterans on this data breach:

Phone: (800) 333-4636
Web: www.firstgov.gov/veteransinfo.shtml

 

You can check this web site from time to time to learn new information, if appropriate.

 

But a word of caution. At this writing (May 27, 2006) the information provided on the VA's web page is incomplete and misleading. We advise you to follow the steps outlined above on our web site rather than the tips provided on the VA web site. (Sorry, VA, but your site misses some vital points.)

 

Some tips on taking action

The VA's data breach should never have happened. Had the data been encrypted, there would be no need for you to have to take the steps outlined here. There's obviously considerable room for improvement in the handling of sensitive personal data by the VA.

But the VA is not alone. Security breaches are rampant throughout all sectors of our society.

 

Following are three suggestions for ways you can take action regarding this matter:

  • Contact your U.S. Senators and Congressional Representative.
  • File a HIPAA complaint with the DHHS's Office of Civil Rights.
  • Purchase your credit report -- and invoke the Privacy Act's damages clause.

Contact your U.S. Senators and Congressional Representative

If you are so motivated, take some time to contact your Senators and Representatives in Congress and in the state legislature where you live. Tell them you want strong and meaningful protections in law that both help you prevent identity theft and if you become a victim, to recover from this crime quickly and easily. You also want federal agencies to do a better job implementing the privacy and data security laws that are already on the books.

The states have led the way with strong consumer protection laws. About half the states have security breach notice laws. And many states have also passed security freeze laws. These web pages provide listings of those states:

Security breach notice laws:
www.consumersunion.org/campaigns/Breach_laws_May05.pdf
Security freeze laws:
www.consumersunion.org/campaigns//learn_more/003484indiv.html

 

But here's the rub. Bills being considered in Congress right now are generally weaker than the strongest of the state laws. And what's worse, the bills in Congress would pre-empt state laws, in other words, wipe them out.

 

If Congress has its way and if any of the bills become law, we are likely to see the hard work of at least half the states obliterated. So be sure to tell your elected representatives to oppose any bills that pre-empt state laws that establish stronger standards than federal law.

 

The best bill currently being considered in Congress is H.R. 4127. But despite its good points, it would still pre-empt state laws. The worst bill - in fact, the worst identity theft bill we've ever seen - is H.R. 3997. You can learn more at Congress's web site, http://thomas.loc.gov. Now is the time to also tell your Congressional leaders that it is long overdue for the Pentagon to discontinue the use of the SSN as the military ID number. Members of the military and their families are over-exposed for identity theft because the SSN is the military ID number. The VA's security breach is the perfect tipping point for Congress and the Pentagon to take the steps necessary to use a number other than the SSN for ID purposes.

 

Visit these web sites for more information on what's happening in Congress on these vitally important issues:

File a HIPAA complaint with the DHHS's Office of Civil Rights

News stories indicated that medical diagnostic codes were included in the electronic records stolen from the VA employee's home. With this "protected health information" having been compromised in the security breach, the VA could have well been in violation of the federal medical privacy and security rules, known as HIPAA (Health Insurance Portability and Accountability Act). You can learn more about these rules at the websites listed below. And you can read our HIPAA guide here, www.privacyrights.org/fs/fs8a-hipaa.htm.

 

You can file a complaint with the U.S. Dept. of Health and Human Services (DHHS) Office of Civil Rights about HIPAA violations. Following is their contact information:

U.S. Department of Health and Human Services (DHHS)
Office of Civil Rights
200 Independence Avenue, S.W.
Washington, D.C., 20201
(866) 627-7748
www.hhs.gov/ocr/hipaa


For the regional office nearest you, www.hhs.gov/ocr/hipaahealth.txt
Or email: OCRComplaint@hhs.gov

 

The nonprofit Health Privacy Project provides a complaint form and instructions on how to file HIPAA complaints on its web site: www.healthprivacy.org/usr_doc/Privacy_Complaint_Form.pdf

 

Purchase your credit report - and invoke the Privacy Act's damages clause

The Privacy Act of 1974 governs how federal government agencies collect and use personal information. Legal experts claim that the VA likely violated the spirit and perhaps the letter of the law in its mishandling of the electronic data file that contained the sensitive personal information of 26.5 million veterans.

 

The Privacy Act of 1974 provides a legal remedy with the possibility of an award of actual damages. The law is convoluted, but the Supreme Court has ruled that to win the statutory minimum damage award of $1000 (plus attorney fees), a plaintiff must have suffered actual damages. While there is uncertainty about what constitutes actual damages, it seems clear that out-of-pocket expenses are sufficient. Emotional distress because of the fear of identity theft may not qualify unless the distress has been sufficient to result in medical expenses.

 

For those who want to read more and draw their own conclusions about the law, read the Supreme Court's decision in Doe v. Chao at <http://supct.law.cornell.edu/supct/html/02-1377.ZD1.html>. You can find the text of the Privacy Act of 1974 (5 U.S.C. 552a) at <http://supct.law.cornell.edu/uscode/html/uscode05/usc_sec_05_00000552---a000-.html>.

 

Anyone who may have an interest in suing under the Privacy Act of 1974 should keep in mind the importance of incurring an out-of-pocket expense. Obtaining a free credit report will not qualify as an out-of-pocket expense. However, paying for a credit report because of the VA data breach should qualify. So will subscribing to a fee-based credit monitoring service because of the VA data breach. We do not endorse credit monitoring services, however, and believe that there is little need to pay out of your own pocket and enrich the credit reporting industry when there are free alternatives to their fee-based services.

 

Why might you pay for a credit report when you can obtain a free report by filing a fraud alert or by using the free annual credit report service? One answer is that you may be able to obtain a report faster by paying for it. Online services can provide immediate access to you credit report in many cases. If you pay for a credit report, be sure to print out and save a receipt for the payment. That receipt may be the proof that you need to show out-of-pocket expenses.

 

Whether you should consider preserving your right to sue is up to you to decide. Litigation can be long and difficult and unpredictable. Not everyone will or should be interested. However, we want you to know the law and the procedures so that you can decide.

 

We acknowledge and thank privacy consultant Bob Gellman for his analysis of the Privacy Act (www.bobgellman.com).