The U.S. Department of Veterans Affairs could pay up to $20 million to veterans affected by a stolen laptop and external drive containing the personal information of millions of veterans.
The VA announced a proposed settlement to several class-action lawsuits seeking compensation for the data security breach. The massive VA data security breach took place in 2006, when a laptop was reported stolen from the home of a VA employee. It contained the personal data of more than 26 million veterans and 2.2 million active duty personnel. The VA laptop was recovered and a forensics analysis determined that the files containing the sensitive data were not accessed or copied.
Three class action lawsuits were filed seeking compensation for the breach. Negotiations began in 2007, which included four separate mediation sessions that resulted in a settlement.
An independent organization, VA Watchdog posted the settlment agreement. Under the terms of the proposed settlement, the VA would pay up to $1,500 to active duty military personnel and veterans who can prove they were affected by the breach. Veterans who were emotionally distressed or incurred costs associated with monitoring credit records would be compensated. Every veteran who submits a valid claim would receive at least $75, according to the settlement.
"Without admitting any wrongdoing or liability whatsoever, [the VA is] nevertheless willing to agree to the terms of the settlement agreement, to resolve fully and finally all issues regarding to the subject matter of this action," according to the motion for preliminary approval filed in U.S. District Court in Washington D.C.
The massive data breach put a spotlight on securing data leakage at the endpoint as well as using encryption technology to protect sensitive data. Anecdotally, it appears that companies are heeding the message about locking down laptops and storage devices, said Mark Diodati, senior analyst at the Burton Group. Full disk encryption is on the rise and some firms are considering the use of portable security devices for employees that travel with sensitive information.
"They look like USB thumb drives, but are encrypted," Diodati said. "They secure sensitive data as long as you ensure end users are using the devices." Diodati said.
The proposed settlement would also pay out up to $5 million in compensation and $500,000 in costs to the attorney's involved in the class-action lawsuit. The compensation will be drawn from the proposed $20 million settlement amount.
If the settlement is approved by U.S. District Judge, the VA will publish information about the settlement with information on how to apply for compensation. A website would be established called VetransClass.com. (currently not active). Remaining funds would be donated to the Rockville, Md.-based Fisher House Foundation and The Intrepid Fallen Heroes Fund based in New York, the VA said.