Veterans Affairs Secretary Jim Nicholson promised Congress Tuesday he could turn his agency into a “model for information security” but said lawmakers are going to have to be patient.
Nicholson also said the Bush administration was asking for at least $160.5 million in emergency funds for credit counseling and other measures to protect veterans and military troops whose sensitive personal information was stolen.
Besides covering credit monitoring for about half of the 17.5 million people whose Social Security numbers were compromised, the money would pay for out-of-pocket expenses for those whose identities are stolen, he told a House panel.
But under questioning, Nicholson acknowledged that much more money may be needed to revamp information security at the VA and other agencies. He also left the door open to providing veterans more than one year of free monitoring following the May 3 burglary at a VA data analyst’s home.
“Unfortunately, a very bad thing happened,” Nicholson told a House Appropriations subcommittee. “I am outraged by it and the slow response of some of my otherwise very good subordinates. But I am the responsible person, and it is to me that you are entitled to look.”
“I think we can turn VA into the model for information security,” he added. “I will not try to mislead you and delude. This will not be easy and it will not be overnight.”
Of the $160.5 million, Nicholoson said, about $29 million will be taken from VA funds budgeted in 2006 to cover personnel costs at the Veterans Benefit Administration. That money would not have otherwise been used in 2006 due to hiring plans that had been already pushed back to 2007, he added. The other $131.5 million would be reallocated from other areas of the White House budget.
“It will take some belt tightening. It will not come out of veterans’ benefits,” he said.
No reports of identity theft have been reported in connection with the May 3 theft of a computer from the data analyst’s home in suburban Maryland. The laptop contained names, birth dates and Social Security numbers for up to 26.5 million people.
Last week, the Senate Appropriations Committee approved $160 million in emergency funds to pay for credit monitoring. It is one of many expected payments as the government struggles with fallout from data thefts and other breaches now crossing at least six agencies, including the Pentagon, Agriculture Department and Federal Trade Commission.
Earlier in the hearing, the House panel was urged to spend whatever necessary to avoid undue hardships for victims of data thefts at government agencies.
David McIntyre, president and CEO of TriWest Healthcare Alliance, which provides information security to the Pentagon, proposed creating a central government “nerve center” to assist agencies after any such security breach.
“Unfortunately, as we have all come to realize, the question is not whether another incident of information theft will occur but when,” he said. “Events such as these are happening with increased regularity — and, surely, spending a few million to prepare is preferable to spending hundreds of millions to react.
In his testimony, Nicholson called the burglary a “wake-up call” that should not come at the expense of veterans, who have challenged the free monitoring in federal court as potentially inadequate. He said about half of the affected veterans were expected to take the government’s offer.
Rep. James Walsh, chairman of the House subcommittee, chastised the VA for waiting three weeks to notify veterans about the theft. “This represents a significant lapse of time that could have been vital to protect identity theft,” said Walsh, R-N.Y.
Rep. Chet Edwards, the top Democrat on the panel, agreed. “Clearly this is a serious problem that Congress needs to partner in solving,” said Edwards, D-Tex.
The VA announced last week it would offer free credit monitoring for a year to millions of veterans and troops. It said it would send out letters in early August — after it solicits bids from contractors — on how to sign up for the free service.
But lawyers for veterans, calling the VA’s deal “incomplete and misleading,” said the VA must make clear whether veterans will have to give up their rights in court to a potentially larger payout.
U.S. District Judge William Bertelsman in Kentucky scheduled a hearing for Friday to determine whether the VA should revise its offer. Until then, he has barred the VA from publicizing its free credit monitoring offer to veterans.
The class-action lawsuits, which are pending in Covington, Ky., and Washington seek free monitoring and other credit protection for an indefinite period as well as $1,000 in damages for each person — or up to $26.5 billion total — in what has become one of the nation’s largest information security breaches.
Acknowledging the lawsuit Tuesday, Nicholson also said the VA might expand its credit monitoring beyond a year.
“If a year expires, we have a responsibility to determine whether to renew based on what we know at the time,” he said.
Veterans groups and lawmakers from both parties have criticized the VA about the theft and noted years of warnings by auditors that information security was lax. The data analyst — who was in the process of being dismissed — had taken the information home on a personal laptop for three years.