Wednesday, May 24, 2006

Agency Delayed Reporting Theft of Veterans' Data

The New York Times
Agency Delayed Reporting Theft of Veterans' Data
By DAVID STOUT and TOM ZELLER Jr.

WASHINGTON, May 23 — The Veterans Affairs Department learned about the theft of electronic data on 26.5 million veterans shortly after it occurred, on May 3, but waited two weeks before telling law enforcement agencies, officials said Tuesday.

The officials said investigators in the Justice Department and the Federal Bureau of Investigation were furious with the leaders of the veterans agency for initially trying to handle the loss of the data as an internal problem through the agency's inspector general before coming forward.

Officials said the investigators in the Justice Department and F.B.I. had complained that the delay might have cost them clues to the whereabouts of the data, stored on computer disks that were stolen in a burglary on May 3 at the home of an agency employee in Maryland.

A spokesman for the agency, Matt Burns, declined to comment on the timing of the announcement.

The disks carried names and accompanying Social Security numbers and dates of birth, practically keys to identity in the computer age.

It was not clear, in the absence of an explanation from the agency, why its officials waited for days to disclose the theft to law enforcement people and still more days to announce it to the public or what internal discussions might have prompted them to change their minds.

As the department sought to reassure veterans not privy to the bureaucratic machinations here and to deal with a security lapse that was becoming a public relations disaster, some veterans were uneasy and suspicious.

"Why did the V.A. wait 19 days to notify veterans?" John Rowan, president of the Vietnam Veterans of America, asked.

Perhaps, Mr. Rowan suggested, the department learned that the news was about to be leaked.

The wife of a disabled veteran of the gulf war, Penny Larrisey of Doylestown, Pa., expressed what countless crime victims have said.

"Just right about now, the only way you can feel is you've been violated," Ms. Larrisey said in a telephone interview.

The department has emphasized that there was as yet no indication that the data, taken home without authorization by the employee, had been put to ill use.

But Mrs. Larrisey, whose husband, Bob, was an Air Force sergeant, was not soothed.

"This puts us in a position of one paycheck away from disaster," she said, worrying that a computer-savvy thief with access to specifics about her husband's disability payments could tap into their bank account.

The authorities continued to investigate the activities of the employee, who is on administrative leave.

Officials familiar with the case said that while investigators had no reason to dispute the employee's account, they were nonetheless puzzled why little else of value besides the data-laden disks were stolen. In an added twist, the officials said investigators were having trouble finding the employee but did not think that he was necessarily trying to be evasive.

Several aspects remained murky, including how much communication, if any, there was between the Montgomery County police in Maryland and federal investigators about the disks.

Mr. Rowan of the Vietnam veterans' group said the Veterans Affairs Department should do more than just post information on its Web site advising veterans to scrutinize their financial records and telling them what to do if they find something wrong.

"The V.A. has put veterans at risk for identity theft," he said. "If this were the private sector, they would be required to provide each veteran with free credit-reporting services."

A spokesman for Senator Larry E. Craig, the Idaho Republican who is chairman of the Veterans Affairs Committee, said the panel would consider just such measures when it holds a hearing on the case on Thursday morning. The spokesman, Jeff Schrade, said government agencies should treat personal data as "top secret information."

Christopher Walsh, a lawyer here who specializes in security cases, said the theft conveyed a disturbing message, that "the government has paid far less attention to the issue of data security than the people think — and far less than business."

Recent federal laws entitle every consumer the right to one free credit report from each major consumer credit-reporting agency — Experian, Equifax and TransUnion — every year. But for closer monitoring of credit status, the kind that some consumers turn to when they fear that their records have been compromised, the companies charge a fee. Ten dollars a month after a free 30-day trial is typical.

If veterans feel threatened enough to enter such arrangements, "the government ought to pay for it, in my view," Mr. Walsh said.

At least two companies offering identity-theft protection, LifeLock and MyPublicInfo, said they had discount packages for veterans affected by the theft.

Senator Craig's spokesman, Mr. Schrade, declined to predict what would happen at the hearing on Thursday or how the security breach would be repaired.

"But," he said, "I don't think we're going to get out of this on the cheap."

Maureen Balleza contributed reporting from Houston for this article.