Victims of VA data theft offered free credit services

Veterans Affairs Department Secretary James Nicholson on Wednesday announced plans to provide free credit monitoring for millions of veterans and active-duty military personnel whose data was stolen.

Nicholson said police have no further leads on what became of a laptop that contained personal information on 26.5 million people that was stolen from a former employee's home. "We have no evidence of use being made of this data that was stolen," he said.

While veterans can get free credit reports themselves, Nicholson said hiring a credit-monitoring service is the right thing to do. He said he does not know the cost; the department will take bids from three leading monitoring companies.

He said the service will be offered to 17.5 million veterans, as some of the 26.5 million are deceased or did not have Social Security numbers or addresses.

VA staff said sending the letters to 17.5 million veterans, once a contractor is hired, would cost about $7 million, as that was the cost to print and mail the initial letters to veterans confirming news reports of the security breach.

"We will get the money to pay for it," Nicholson said. "The money will not result in a diminution of any services provided to veterans."

At a hearing earlier this week, the VA said it was spending $200,000 a day to operate a call center for veterans seeking information on the data breach. Nicholson said they have not received as many calls as expected, just 200,000 so far.

"The VA has learned the hard way that the cost to not securing sensitive personal information is clearly very high," said Paul Kurtz, executive director for the Cyber Security Industry Alliance. "It's not just in terms of monetary costs, but reputation and the overall drag it has on the confidence people and businesses have on the Internet, computers and our digital society."

"You can encrypt information very cheaply or far more cheaply than what is now under way at the VA," Kurtz said.

Gartner, a security research firm, has estimated the average cost of a data breach at $90 per person. Avivah Litan recently told the House Veterans Affairs Committee that a company's cost to encrypt 10,000 accounts would be as little as $6 per customer.

The House Veterans' Affairs Committee has another hearing on the data breach scheduled Thursday. It will look at the academic and legal implications of the data loss.

The department plans to retrain employees on security procedures by the end of the month and will hold a security awareness week June 26-30.

"What the VA is doing is important, but Congress really has an opportunity now to put in a national standard for securing personal information," Kurtz said.

"They've been staring at several bills for more than a year," he added. "They just need to close the deal." The bills include S. 1326, S. 1408, S. 1789, H.R. 3997, H.R. 4127 and H.R. 5318.