Magazine article Information Today

VA Data Breach and the Privacy Act

Magazine article Information Today

VA Data Breach and the Privacy Act

Article excerpt

Who would have thought that the theft of one laptop computer could have the potential for a judgment against the government for billions of dollars? In May 2006, a laptop computer belonging to a Veterans Administration (VA) employee was stolen from his home. The laptop's hard drive contained personal records (including Social Security numbers and other personal identity information) for more than 26 million veterans and dependents.

Although the computer was later recovered, the VA data breach raised questions about the reliability and security of the government's information management systems. Those questions are now being explored in a series of lawsuits filed in response to the theft. In late 2007, a federal court in Washington rejected the VA's motion to dismiss the lawsuits, setting up the possibility (although remote) of a multibillion-dollar verdict.

Data Breach Lawsuits

Lawsuits stemming from data breach incidents have a spotty track record. Many data breaches are the result of criminal activity against the data company as well as fraud, hacking, or theft of a laptop or other storage device. When this happens, the company that owns the information is considered the criminal victim, not the person whose information was stolen. Courts often are reluctant to find these companies liable for damages because the criminal action is usually considered a random, intervening act outside of the company's control.

Even if a court is willing to find a company liable for a data breach, the people whose data may have been released must often show actual damages to recover any judgment. In many cases, this means only actual losses due to identity theft and not emotional distress, fear of identity theft, or other noneconomic loss. Expenses such as credit monitoring may be recovered. However, these are usually not enough to justify a lawsuit unless a class action suit can be pursued, such as in a data breach at TJX Co. (parent company of the T.J. Maxx chain) that was recently settled for $107 million.

At first glance, the VAcase has all the problematic elements: The laptop was stolen in a seemingly random, intervening act; 3 months later, the stolen laptop was recovered, and an FBI analysis determined that the files "were not compromised after the burglary"; and the VA warned veterans to be "vigilant" and monitor their "recent financial transactions," but credit monitoring was not paid for or provided.

Privacy Act of 1974

What keeps this case in the courts and in the eye of the information industry is that the VA, as a government agency, is subject to the federal Privacy Act of 1974. Enacted in response to information abuses stemming from the Watergate scandal, the act requires federal government agencies to provide safeguards in the collection, use, storage, and access of "identifiable personal information." The Privacy Act also lets individuals sue for "intentional or willful" violations of the act and recover damages of at least $1,000 per person, plus attorney fees. (Do the math: $1,000 per person times 26.5 million individuals amounts to $26.5 billion.)

The lawsuit alleges that the VA failed to meet the Privacy Act's requirements in safeguarding information that led to the theft of the data. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed


An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.