- Contact the Committee

STATEMENT OF LOUIS IRVIN,

ACTING DEPUTY EXECUTIVE DIRECTOR,
PARALYZED VETERANS OF AMERICA

BEFORE THE HOUSE COMMITTEE ON VETERANS’ AFFAIRS

CONCERNING

DRAFT LEGISLATION RELATING TO DATA PROTECTION

AND THE RIGHTS OF VETERANS TO RECEIVE

CREDIT PROTECTION SERVICES

JULY 18, 2006

On behalf of Paralyzed Veterans of America (PVA) I would like to thank you for the opportunity to testify today on the need for data protection and the rights of veterans to receive credit protection services in the event of a data breach containing sensitive personal information from the Department of Veterans Affairs (VA). We are greatly concerned about this major breach of trust that veterans have experienced as a result of the recent theft of their personal data. It is incumbent upon the VA and Congress to ensure that this does not happen again, and to ensure that the interests of veterans are protected.

In light of the events surrounding the theft of 26.5 million veterans’ personal information, PVA recognizes the need for reform in the VA information management structure. Although we support many of the principles and provisions contained in the “Veterans Identity and Credit Protection Act,” we also have concerns about aspects of the legislation which I will address individually.

PVA generally supports the idea of strengthening the authority that a Chief Information Officer (CIO) would have in the VA. However, we do not believe that the importance of this individual should rise to a level equivalent to the Under Secretaries for Health, Benefits, and the National Cemetery Administration. We would point out that the Veterans Health Administration (VHA), Veterans Benefits Administration (VBA), and National Cemetery Administration (NCA), carry out the mission of the VA by providing health care and benefits to “ him who shall have borne the battle and for his widow and his orphan.” Information services and systems merely function as a support service to these entities. Information technology is not a mission level program within the Department.

The responsibilities of the CIO are much like those of the Assistant Secretary for Operations, Security, and Preparedness. The Assistant Secretary ensures through his or her department that the life and property of both veterans and VA employees is protected. Personal information is certainly equally important, but it does not necessarily supersede these concerns.

PVA understands the need to centralize certain functions and responsibilities with the CIO; however, we do not believe all of the functions and responsibilities should be consolidated as outlined in the legislation. We support centralizing the development, approval, and implementation of policies and procedures, including information security, with the CIO. However, we believe that control of the activities and systems that support information services should be retained within VHA, VBA, and NCA. Furthermore, the management of all mission applications, information resources, personnel, and infrastructure should be retained at that level as well. Although the CIO can adequately drive the information systems policy for the entire VA, he or she does not necessarily know what systems and applications work best to actually provide health care or benefits. Information technology is not the mission, it is the tool, and the individuals responsible for the mission should have the authority to manage their tools the best way they see fit.

PVA fully supports the data breach reporting requirements established by this legislation. Rapid disclosure of similar occurrences should help the VA avoid similar embarrassments and allow Congress to take necessary actions to fix this situation, if appropriate.

PVA recognizes the need to put in place credit protection services as outlined in the legislation. It is important that if veterans’ personal data is stolen in the future, that their credit be protected from criminal behavior. To this end, allowing veterans to receive up to four free credit reports for a year, credit-monitoring services, and identity theft insurance should ease some of their worries. However, it is important to emphasize that the VA must notify veterans immediately if a data breach occurs. It should be done within days, not weeks. The three weeks that it took to notify the public about the most recent data theft is wholly unacceptable.

We would like to address a few concerns with the legislation and offer some advice. Specifically, we do not believe that it is necessary to move forward with credit monitoring and other protections for veterans if it is clearly determined that none of their personal information has been compromised. Furthermore, we do not understand the arbitrary date that was chosen as a retroactive starting point to offer these services. At most, the services should not be offered prior to the theft of the laptop from the VA employee’s home in May. Otherwise, there would be no shield for the VA from seemingly frivolous requests for credit protection from veterans who may have experienced identity theft in the past year due to their own or others actions.

We must also emphasize that if the VA is forced to provide these services due to some data breach in the future, that separate funding must be appropriated to provide these services. The VA should not be forced to compromise veterans’ health care and benefits by transferring funding away from those accounts to provide credit protection services. In fact, the VA should develop a separate line item in its budget request to support these programs year after year.

PVA also supports the creation of a new unique identification system for veterans who have claims files with the VA. Nearly 20 years ago, the VA assigned veterans file numbers, principally because many veterans did not have a social security number. However, in the late 1980’s, the VA began using service members social security numbers as their claims file numbers. We believe that now is the right time to move away from the practice once again. Maintaining veterans’ social security numbers for record keeping purposes is just one more threat that could lead to future data theft. If the VA does return to a unique identification system, it must ensure that those veterans who have claims numbers with the old identification system, prior to the use of social security numbers, receive an entirely new number altogether.

Finally, PVA is concerned that although this legislation would provide protection in the future for veterans and their families affected by data breaches, there are no specific protections provided for active duty service members, National Guardsmen, or Reservists. We should not forget that all of our men and women currently serving in uniform were also affected by this most recent breach. We believe that as this legislation moves forward, the Committee should explore ways to offer the same types of protections to those men and women who are currently serving.

PVA would like to thank you again for the opportunity to testify. We would be happy to answer any questions that you might have.

Information Required by Rule XI 2(g)(4) of the House of Representatives

Pursuant to Rule XI 2(g)(4) of the House of Representatives, the following information is provided regarding federal grants and contracts.

Fiscal Year 2006

Court of Appeals for Veterans Claims, administered by the Legal Services Corporation — National Veterans Legal Services Program— $252,000 (estimated).

Fiscal Year 2005

Court of Appeals for Veterans Claims, administered by the Legal Services Corporation — National Veterans Legal Services Program— $245,350.

Paralyzed Veterans of America Outdoor Recreation Heritage Fund – Department of Defense – $1,000,000.

Fiscal Year 2004

Court of Appeals for Veterans Claims, administered by the Legal Services Corporation — National Veterans Legal Services Program— $228,000.