The U.S. PIRG Consumer Blog gets “medieval” on the Veterans Administration for the horrifying data breach that was reported here May 22 (26 million veterans had their sensitive data exposed). Here are some highlights.
…VA goes on to pass the buck by claiming that the employee "violated policy." So what? The breach is still VA's fault for having a weak, unenforceable data protection policy that fails to recognize its responsibilities. A potential thief or thieves now has the keys to establish false identities in the names of 26 million veterans. (The birthdates are a bonus -- just makes it easier -- SSNs would have been enough.) Here are some questions we have:
1. Why weren't the data encrypted (no story claims the data were encrypted), after so many reported breaches of unencrypted data in the last 15 months?
It’s worth pointing out that while it’s not hugely difficult for a skilled programmer with the right software tools to securely encrypt data, it’s non-trivial. It’s not something that just anyone can do, like choosing “save as” encrypted. That’s not an excuse, though.
3. On a related matter, why does the military still place Social Security Numbers on the health insurance cards and other IDs given to some 2.5 million or more active duty personnel and all of their dependents?
Yes, isn’t it clear by now that SSNs should be eradicated from any and all identification cards and IDs? This is a no-brainer.
4. Will industry lobbyists try to make lemonade for themselves and lemons for us by using this fiasco to try and convince Congress to pass weak, industry-approved data security and breach notice laws that preempt the better state laws that forced this public disclosure? See my blog on HR 3997, the worst data bill ever, for example. Will Congress go along with the industry requests and pass those weak industry-approved laws that don't protect us but prevent the states from doing so?
How’s that for possible irony? The U.S. government (VA) screws up, putting 26 million at risk, and the end result is that the credit bureaus might see tons of additional revenue for credit monitoring AND the credit bureaus might also benefit from a knee-jerk reaction by Congress that removes consumer protections in over a dozen states.
5. Even though sloppy creditor and credit bureau practices make it easy for unskilled ID thieves to use these "keys," will the credit bureaus and credit card companies brazenly use this fiasco to market under-performing and over-priced credit monitoring services? Credit monitoring doesn't protect consumers from identity theft. Security freezes do.
I am fed up with expensive credit monitoring too. Think about it. If you buy into the idea that credit monitoring is a must, you are signing up to pay $120–150 per year for the rest of your life to monitor your data. And what you get for that expense is to be informed that maybe something bad is happening—after the fact. In fact, I am so fed up that I have done something about it. Stay tuned to this blog; I’ll be announcing something soon.
6. What should veterans do?
If you are a veteran who may have been affected, the U.S. PIRG blog post does a good job of telling you what you can do. Unfortunately, it means you will now be burdened with doing some extra work. That’s not fair, but it’s the reality. This includes checking your credit reports or putting a freeze on your credit file, depending on what state you live in.