[ISN] VA Asking for More Money After Data Theft

InfoSec News isn at c4i.org
Wed Jun 28 01:13:48 EDT 2006 

http://www.washingtonpost.com/wp-dyn/content/article/2006/06/27/AR2006062700134.html

By HOPE YEN
The Associated Press
June 27, 2006

WASHINGTON -- Veterans Affairs Secretary Jim Nicholson promised
Congress on Tuesday he could turn his agency into a "model for
information security" but said lawmakers will have to be patient.

Nicholson also said the Bush administration was asking for at least
$160.5 million in emergency funds for credit monitoring and other
measures to protect veterans and military troops whose sensitive
personal information was stolen from a VA employee's laptop computer.

Besides covering monitoring for about half of the 17.5 million people
whose Social Security numbers were compromised, the money would pay
for out-of-pocket expenses ranging from $10,000 to $20,000 for those
whose identities are stolen, Nicholson told a House panel.

Under questioning, Nicholson acknowledged that much more money may be
needed to revamp information security at the VA and other agencies. He
also left the door open to providing veterans more than one year of
free credit monitoring following the May 3 burglary at a VA data
analyst's home.

"Unfortunately, a very bad thing happened," Nicholson told a House
Appropriations subcommittee that oversees VA spending.

"I think we can turn VA into the model for information security," he
added. "I will not try to mislead you and delude. This will not be
easy and it will not be overnight."

Of the $160.5 million requested for monitoring, Nicholson said, about
$29 million will be taken from VA funds budgeted in 2006 to cover
personnel costs at the Veterans Benefit Administration. That money
would not have been used this year due to hiring plans that already
had been pushed back to 2007, he added. The other $131.5 million would
be reallocated from other areas of the White House budget.

"It will take some belt tightening. It will not come out of veterans'
benefits," Nicholson said.

No reports of identity theft have been reported in connection with the
May 3 theft of a computer from the data analyst's home in suburban
Maryland. The laptop contained names, birth dates and Social Security
numbers for up to 26.5 million people.

Last week, the Senate Appropriations Committee approved $160 million
in emergency funds to pay for credit monitoring. It is one of many
expected payments as the government struggles with fallout from data
thefts and other breaches now crossing at least six agencies.

Earlier in the hearing, the House panel was urged to spend whatever
necessary to avoid undue hardships for data theft victims.

David McIntyre, president and CEO of TriWest Healthcare Alliance,
which administers the Pentagon's health care program in 21 Western
states, proposed creating a central government "nerve center" to
assist agencies after any such security breach.

"Unfortunately, as we have all come to realize, the question is not
whether another incident of information theft will occur but when,"  
McIntyre said. "Events such as these are happening with increased
regularity _ and, surely, spending a few million to prepare is
preferable to spending hundreds of millions to react."

Rep. James Walsh, R-N.Y., chairman of the House subcommittee,
chastised the VA for waiting three weeks to notify veterans about the
theft. "This represents a significant lapse of time that could have
been vital to protect identity theft," Walsh said.

In his testimony, Nicholson called the burglary a "wake-up call" that
should not have come at the expense of veterans, some of whom have
challenged the free monitoring in court as potentially inadequate. He
said about half of the affected veterans were expected to take the
government's offer.

Separately, the VA asked a federal judge to revise his order barring
the VA from publicizing its free credit monitoring offer. The VA said
it wished to continue providing information to veterans through its
Web site and call center and had no intention of asking veterans to
relinquish their rights to a potentially larger payout in court.

U.S. District Judge William Bertelsman in Kentucky scheduled a hearing
for Friday to determine whether the VA should revise its deal.

The class-action lawsuits, which are pending in Covington, Ky., and
Washington, seek free monitoring and other credit protection for an
indefinite period as well as $1,000 in damages for each person _ or up
to $26.5 billion total.

Stacy Hinners, an attorney representing veterans, said veterans did
not wish to shut down the call center and Web site but simply wanted
the VA to be clear what rights veterans would have if they accepted
the free offer.

Veterans groups and lawmakers from both parties have criticized the VA
for the theft and noted years of warnings by auditors that information
security was lax. The data analyst _ who was in the process of being
dismissed _ had taken the information home on a personal laptop for
three years.

-=-

On the Net:

For veterans suspecting identity theft: http://www.firstgov.gov or
1-800-FED-INFO

More information about the ISN mailing list