Case Studies and Examples

The following case highlights unclear federal policies about data breach notification. At the time of this incident, federal law did not require agencies to have breach notification policies. In fact, there is still no federal law that requires this. However, because of this incident, most federal agencies have implemented internal breach notification policies.

NOTE

The U.S. Department of Veterans Affairs is also called the Veterans Administration (VA).

In 2006, an employee of the U.S. Department of Veterans Affairs (VA) took home a laptop computer and external hard drive. The hard drive held the personal information of every veteran discharged since 1975. It was not encrypted. On May 3, 2006, the employee’s home was burglarized. Thieves stole the laptop and hard drive. The local police department investigated the burglary.

The employee immediately informed his supervisors about the theft, but they did not take the matter seriously. The secretary of the VA did not learn about it until almost 2 weeks later. The VA secretary then notified the Federal Bureau of Investigation (FBI) about the theft. The FBI began to investigate the theft with the local police department.

The VA issued a statement reporting the facts about the theft on May 22, 2006. It also said that the data stolen included names, SSNs, and dates of birth for 26.5 million veterans, as well as data on some of their spouses. At the time, the VA reported that the hard drive did not contain any health or financial information.

Congress was outraged that the VA waited so long to make a public statement. On May 25, 2006, the secretary of the VA appeared at hearings before the U.S. House and Senate to discuss the issue. In his Senate testimony, he stated that he was furious that he was not notified in a timely manner. He also stated that the VA was planning to notify all people affected by the theft. He said that it would take time to prepare the mailing because the VA had to verify addresses. He also said that 26 million envelopes “were not immediately available.” The VA began mailing the notification letters on June 9, 2006.

As it carried out its investigation, the VA learned that the hard drive held some health information for 2.6 million people. It also learned that the hard drive contained the personal information of active-duty military personnel. On June 6, 2006, the VA reported that the hard drive held the data of 1.1 million active-duty troops. It also had information on 430,000 members of the National Guard and 645,000 members of the Reserves.

The police recovered the stolen laptop and hard drive in late June 2006. The FBI reported that a forensic review of the equipment showed that the database containing the personal information had not been accessed. In August 2006, the VA mailed a follow-up letter to people affected by the event.

The VA Inspector General investigated the incident and found that the VA employee was not permitted to take the laptop or hard drive home. The report faulted the employee for using poor judgment in taking the data home. It also faulted the employee for not properly protecting it. The report also criticized VA supervisors for not taking initial reports about the data loss seriously.

In January 2009, the VA agreed to pay $20 million to veterans whose information was potentially exposed in the incident. It paid this amount to settle lawsuits brought by five veterans groups. The money was used to create a compensation fund. Veterans who wished to make a claim against the fund needed to file claims by November 27, 2009.

Congress created the Veterans Affairs Information Security Act of 2006 in response to the breach. The law requires the VA to create a comprehensive information security program. It also requires it to create breach notification regulations. The VA issued those regulations in April 2008. They require the VA to notify people in the event of a security breach if there is a reasonable risk for the potential misuse of their personal information.46

NOTE

The U.S. Government Accountability Office released a report on lessons learned from the 2006 VA incident. You can read the report at http://www.gao.gov/new.items/d07657.pdf.
