«
»

If the Heartland story wasn’t depressing enough, the Veteran’s Administration just announced their settlement of a class-action lawsuit stemming from that lost laptop back in 2006. If you remember the case, a VA data analyst lost a laptop and external drive when his house was broken into. The device contained the names, birth dates and SSNs of over 25 million veterans. The laptop was later recovered intact by the FBI and a forensic analysis of the laptop and drive confirmed that no data was compromised.

That didn’t stop the lawsuits, though. Five groups alleging to represent the affected veterans filed suit asking for $1000 per person.

After three years in court, the VA agreed to pay $20 million into a fund which will pay out $75 to $1500 to any veteran who can “show harm from the data theft”. Any money left over will go to “veterans’ charities agreed to by the parties”. The judge still has to approve the settlement at this point that appears to be a formality.

The kicker here is that the veteran must show harm. Since the laptop was recovered intact and no data was compromised, I don’t see how anyone can make that claim in good faith. Maybe some people overreacted and canceled credit cards or paid for unnecessary monitoring services but I don’t see how that counts as harm. I didn’t cancel my credit cards when I got my notice from the VA. I don’t see why my tax dollars should pay for their overreaction. The payout is also available to anyone who “found themselves in extreme emotional distress” as a result of the breach. Again, this is a claim that I don’t see how anyone can make in good faith.

The only people who I see making money from this are the lawyers. I haven’t seen anything definitive yet on their take but one unofficial report estimates it at $5.5 million. Regardless of the amount, it’s going to come from your tax dollars.

This breach should never have occurred. But it did and the people responsible have already been fired. So were lots of other people at the VA. Congress held intrusive hearings and policies have been rewritten. For a non-breach, this breach has already been expensive enough. The settlement closes out the VA’s legal liability and admittedly, $20 million is less than the $25 billion that the suit originally sought but I just can’t convince myself that this outcome will be best for society.

This entry was posted by Mike Rossander on 2009 February 8 at 22:40 under Cybercrime Trends. You can leave a response, or trackback from your own site. Follow any responses to this entry through the RSS 2.0 feed.

Leave a Reply