[Dataloss] Agency Delayed Reporting Theft of Veterans' Data

Wed May 24 06:33:16 EDT 2006

Agency Delayed Reporting Theft of Veterans' Data
By DAVID STOUT and TOM ZELLER Jr.
http://www.nytimes.com/2006/05/24/washington/24identity.html?_r=1&oref=slogi
n&pagewanted=print

WASHINGTON, May 23 ‹ The Veterans Affairs Department learned about the theft
of electronic data on 26.5 million veterans shortly after it occurred, on
May 3, but waited two weeks before telling law enforcement agencies,
officials said Tuesday.

The officials said investigators in the Justice Department and the Federal
Bureau of Investigation were furious with the leaders of the veterans agency
for initially trying to handle the loss of the data as an internal problem
through the agency's inspector general before coming forward.

Officials said the investigators in the Justice Department and F.B.I. had
complained that the delay might have cost them clues to the whereabouts of
the data, stored on computer disks that were stolen in a burglary on May 3
at the home of an agency employee in Maryland.

A spokesman for the agency, Matt Burns, declined to comment on the timing of
the announcement.

The disks carried names and accompanying Social Security numbers and dates
of birth, practically keys to identity in the computer age.

It was not clear, in the absence of an explanation from the agency, why its
officials waited for days to disclose the theft to law enforcement people
and still more days to announce it to the public or what internal
discussions might have prompted them to change their minds.

As the department sought to reassure veterans not privy to the bureaucratic
machinations here and to deal with a security lapse that was becoming a
public relations disaster, some veterans were uneasy and suspicious.

"Why did the V.A. wait 19 days to notify veterans?" John Rowan, president of
the Vietnam Veterans of America, asked.

Perhaps, Mr. Rowan suggested, the department learned that the news was about
to be leaked.

The wife of a disabled veteran of the gulf war, Penny Larrisey of
Doylestown, Pa., expressed what countless crime victims have said.

"Just right about now, the only way you can feel is you've been violated,"
Mrs. Larrisey said in a telephone interview.

The department has emphasized that there was as yet no indication that the
data, taken home without authorization by the employee, had been put to ill
use.

But Mrs. Larrisey, whose husband, Bob, was an Air Force sergeant, was not
soothed.

"This puts us in a position of one paycheck away from disaster," she said,
worrying that a computer-savvy thief with access to specifics about her
husband's disability payments could tap into their bank account.

The authorities continued to investigate the activities of the employee, who
is on administrative leave.

Officials familiar with the case said that while investigators had no reason
to dispute the employee's account, they were nonetheless puzzled why little
else of value besides the data-laden disks were stolen. In an added twist,
the officials said investigators were having trouble finding the employee
but did not think that he was necessarily trying to be evasive.

Several aspects remained murky, including how much communication, if any,
there was between the Montgomery County police in Maryland and federal
investigators about the disks.

Mr. Rowan of the Vietnam veterans' group said the Veterans Affairs
Department should do more than just post information on its Web site
advising veterans to scrutinize their financial records and telling them
what to do if they find something wrong.

"The V.A. has put veterans at risk for identity theft," he said. "If this
were the private sector, they would be required to provide each veteran with
free credit-reporting services."

A spokesman for Senator Larry E. Craig, the Idaho Republican who is chairman
of the Veterans Affairs Committee, said the panel would consider just such
measures when it holds a hearing on the case on Thursday morning. The
spokesman, Jeff Schrade, said government agencies should treat personal data
as "top secret information."

Christopher Walsh, a lawyer here who specializes in security cases, said the
theft conveyed a disturbing message, that "the government has paid far less
attention to the issue of data security than the people think ‹ and far less
than business."

Recent federal laws entitle every consumer the right to one free credit
report from each major consumer credit-reporting agency ‹ Experian, Equifax
and TransUnion ‹ every year. But for closer monitoring of credit status, the
kind that some consumers turn to when they fear that their records have been
compromised, the companies charge a fee. Ten dollars a month after a free
30-day trial is typical.

If veterans feel threatened enough to enter such arrangements, "the
government ought to pay for it, in my view," Mr. Walsh said.

At least two companies offering identity-theft protection, LifeLock and
MyPublicInfo, said they had discount packages for veterans affected by the
theft.

Senator Craig's spokesman, Mr. Schrade, declined to predict what would
happen at the hearing on Thursday or how the security breach would be
repaired.

"But," he said, "I don't think we're going to get out of this on the cheap."

Maureen Balleza contributed reporting from Houston for this article.