Thursday, June 29, 2006

VA asking for more money to protect veterans after data theft

USA Today
VA asking for more money to protect veterans after data theft

WASHINGTON (AP) — Veterans Affairs Secretary Jim Nicholson promised Congress on Tuesday he could turn his agency into a "model for information security" but said lawmakers will have to be patient.

Nicholson also said the Bush administration was asking for at least $160.5 million in emergency funds for credit monitoring and other measures to protect veterans and military troops whose sensitive personal information was stolen from a VA employee's laptop computer.

Besides covering monitoring for about half of the 17.5 million people whose Social Security numbers were compromised, the money would pay for out-of-pocket expenses ranging from $10,000 to $20,000 for those whose identities are stolen, Nicholson told a House panel.

Under questioning, Nicholson acknowledged that much more money may be needed to revamp information security at the VA and other agencies. He also left the door open to providing veterans more than one year of free credit monitoring following the May 3 burglary at a VA data analyst's home.

"Unfortunately, a very bad thing happened," Nicholson told a House Appropriations subcommittee that oversees VA spending.

"I think we can turn VA into the model for information security," he added. "I will not try to mislead you and delude. This will not be easy and it will not be overnight."

Of the $160.5 million requested for monitoring, Nicholson said, about $29 million will be taken from VA funds budgeted in 2006 to cover personnel costs at the Veterans Benefit Administration. That money would not have been used this year due to hiring plans that already had been pushed back to 2007, he added. The other $131.5 million would be reallocated from other areas of the White House budget.

"It will take some belt tightening. It will not come out of veterans' benefits," Nicholson said.

No reports of identity theft have been reported in connection with the May 3 theft of a computer from the data analyst's home in suburban Maryland. The laptop contained names, birth dates and Social Security numbers for up to 26.5 million people.

Last week, the Senate Appropriations Committee approved $160 million in emergency funds to pay for credit monitoring. It is one of many expected payments as the government struggles with fallout from data thefts and other breaches now crossing at least six agencies.

Earlier in the hearing, the House panel was urged to spend whatever necessary to avoid undue hardships for data theft victims.

David McIntyre, president and CEO of TriWest health care Alliance, which administers the Pentagon's health care program in 21 Western states, proposed creating a central government "nerve center" to assist agencies after any such security breach.

"Unfortunately, as we have all come to realize, the question is not whether another incident of information theft will occur but when," McIntyre said. "Events such as these are happening with increased regularity — and, surely, spending a few million to prepare is preferable to spending hundreds of millions to react."

Rep. James Walsh, R-N.Y., chairman of the House subcommittee, chastised the VA for waiting three weeks to notify veterans about the theft. "This represents a significant lapse of time that could have been vital to protect identity theft," Walsh said.

In his testimony, Nicholson called the burglary a "wake-up call" that should not have come at the expense of veterans, some of whom have challenged the free monitoring in court as potentially inadequate. He said about half of the affected veterans were expected to take the government's offer.

Separately, the VA asked a federal judge to revise his order barring the VA from publicizing its free credit monitoring offer. The VA said it wished to continue providing information to veterans through its website and call center and had no intention of asking veterans to relinquish their rights to a potentially larger payout in court.

U.S. District Judge William Bertelsman in Kentucky scheduled a hearing for Friday to determine whether the VA should revise its deal.

The class-action lawsuits, which are pending in Covington, Ky., and Washington, seek free monitoring and other credit protection for an indefinite period as well as $1,000 in damages for each person — or up to $26.5 billion total.

Stacy Hinners, an attorney representing veterans, said veterans did not wish to shut down the call center and website but simply wanted the VA to be clear what rights veterans would have if they accepted the free offer.

Veterans groups and lawmakers from both parties have criticized the VA for the theft and noted years of warnings by auditors that information security was lax. The data analyst — who was in the process of being dismissed — had taken the information home on a personal laptop for three years.