Head of the Department of Veterans Affairs Jim Nicholson has told U.S. lawmakers that a recent leak of private data could cost the government up to $500 million. However, the InfoWatch analytical centre has described that figure as somewhat optimistic. The real cost to U.S. taxpayers could exceed $4 billion.
InfoWatch has already reported on the leak, which has been described as the biggest ever. Unauthorized activity by an insider was reportedly to blame for the theft of private details on 26.5 million former military personnel, though a lack of details made it difficult to assess the overall damage. But officials at the department could not keep the details of the leak a secret for long. Last Thursday Veterans Affairs Secretary Jim Nicholson faced the House Committee on Veterans Affairs to report how a device the size of an iPod could cost U.S. taxpayers $500 million. According to experts at InfoWatch, however, a figure in the region of $4 billion would be a far more realistic estimate.
“I am mad as hell,” Jim Nicholson stated at the beginning of his report to the committee. Nicholson went on to relate how the data was stolen from the home of a department employee in the state of Maryland. The incident was on such a scale – 26.5 million people are at risk of identity theft – that he said the government could not promise to cover all the potential losses that may result from misuse of credit cards or financial fraud by criminals.
The angry lawmakers were quick to ask Nicholson what he meant by “potential losses”. The VA secretary estimated "way north of $100 million" and did not rule out a total cost as high as $500 million. Obviously the department does not have those kinds of assets at its disposal, and compensation payments could not be made unless Congress passes a new law to release budget funds.
According to Jim Nicholson, the Social Security numbers of the former servicemen were compromised as a result of the leak, but he was quick to stress that medical records on the state of health of the veterans were not stolen. However, after sustained questioning the secretary revealed that the stolen information contained some medical data on 3 million veterans.
Nicholson was also forced to reveal that the private data had been stolen along with a hard drive. It was unclear whether it was a portable disk drive or a hard drive in a laptop computer. One thing that is known for certain is that none of the information was encrypted.
The theft took place on May 3 of this year when thieves broke into the home of an unnamed department employee. Three weeks later the incident was made public. Information has already appeared on the Internet suggesting the private data had been in the employee’s home for three years. This suggests that no matter what safeguards Jim Nicholson puts in place now, he still cannot guarantee that all the department’s confidential data is secure and under surveillance, considering the amount of data that could have been removed from the workplace in the last three years.
As the committee chairman pointed out, this is a defining moment in Nicholson’s career. Several legislators have already called for his resignation and some politicians could go even further. A number of them have reached the conclusion that low levels of protection against data breaches and insiders are a typical feature of every government organization. The heads of many government departments could well find themselves having to prove that all the private details of the nation’s citizens are securely protected.
Serious doubts have also been raised as to whether the head of the Department of Veterans Affairs has done his sums properly. Jim Nicholson believes the costs could reach $500 million, but after some simple calculations the experts at InfoWatch came up with a much higher figure. For example, the typical response to such incidents is to provide free credit monitoring services to all those affected. This is considered to be in line with best practices, and not one U.S. company that has suffered a data leak in the last two years has failed to do this for its customers. One year of monitoring at the credit agency Equifax costs $130. The company offers its services for $10-20 less than most other firms on the U.S. market. So, in order to offer all the affected veterans some protection against identity theft, it would be necessary to spend in the region of $3.5 billion.
However, if any of them were to fall victim to some kind of fraud as a result of the data leak, they could go to court to claim compensation. According to Federal Trade Commission statistics, the average losses caused by identity theft in 2005 amounted to $2,400. If criminals target the bank accounts of just 1% of the veterans, the damage would come to $636 million. Together with the cost of credit monitoring, the U.S. government can therefore expect to pay out at least $4 billion. If the private information finds its way onto the international black market, however, then the effects of identity theft could push that figure up several times.
Finally, even if the U.S. authorities decide not to offer the standard credit monitoring services and save $3.5 billion, they will probably still end up paying out at least $636 million, which exceeds Jim Nicholson’s worst case scenario of $500 million. Of course, without any credit monitoring the percentage of those likely to be affected by identity theft will also grow significantly.
“The leak from the veterans’ private database promises to be the most costly ever. The previous record holders – ChoicePoint spent $55-60 million after it leaked the personal details of 140,000 Americans, and Martin Lockheed lost a $1 billion contract after confidential documents were leaked – look like spare change in comparison. If the U.S. government wants to save face, then it will have no choice but to pay its former military personnel. Already there are people who want to make a name for themselves by proposing a new law that would protect the veterans from identity theft with a multi-billion dollar budget,” says Denis Zenkin, marketing director at InfoWatch.
Source: Reuters