Senate Democrats


Akaka bill wouldestablish federal penalties for mishandling personal information in federal databases

Washington, DC–The recent revelations of incompetence in the Bush Administration’s handling of Americans’ personal information–most glaringly demonstrated at the Department of Veterans Affairs–highlight the need for new safeguards to protect the American people. Democrats have answered that need, and today Senators Daniel Akaka, Byron Dorgan, Patty Murray, Chuck Schumer, Hillary Clinton, and Ken Salazar announced new actions to get to the bottom of the VA’s identity theft and a new bill to ensure the security of personal information kept in federal databases.

The Data Theft Prevention Act of 2006, introduced yesterday by Hawaii Senator Daniel Akaka, Ranking Member of the Veterans Affairs Committee, would establish Federal criminal penalties for anyone who knowingly and without authorization views, uses, downloads, or removes any means of identification or individually identifiable health information that is in a Federal database. It sets a powerful standard to ensure that the Bush Administration’s failure to protect the American people will not be allowed to continue. The Democrats also released a letter to the Government Accountability Office, calling for a full and independent investigation into the shocking security breach at the Department of Veterans Affairs.

“It is important to recognize that although this loss of sensitive personal data involved a VA employee and VA-controlled data, it could have happened within virtually any other government department or agency.  Our efforts right now must be focused on VA with respect to the actual data loss, but we must not limit our attention to VA alone,” stated Senator Akaka. “One key element of preventing such events in the future is to make sure that unauthorized downloading or other misuse of personal data from federal databases is not only wrong, but against the law.  The legislation I introduced yesterday, the proposed “Data Theft Prevention Act of 2006,” is one way to make this happen.  It will hopefully deter careless and irresponsible handling of protected personal information.”

“The Administration needs to get serious about safeguarding the personal information it holds,” Senator Dorgan said. “Congress needs to make clear there will be severe penalties for anyone who gets unauthorized access to, or tries to make inappropriate use of, this information. America’s soldiers active and retired, deserve a lot better than this.”

"Over the past several weeks we have all become too familiar with how dangerous it can be when Americans’ private information is compromised," Senator Murray said.  "It is time for the Administration to step up and ensure that data collected from Americans is protected, encrypted, and only provided to those who absolutely need it. And if a situation like this occurs we need all the pertinent information reported immediately.  We need to be aware of the scope of the problem so that we can plan an appropriate response and ensure the public’s peace of mind."

“We can’t ask the private sector to put safeguards in place while our own government is asleep at the switch,” said Senator Schumer, author of the Comprehensive Identity Theft Prevention Act that would prevent large-scale security breaches by regulating data brokers, and create an Office of Identity Theft to assist those affected by such breaches recapture their stolen identities.  “There is a pattern of complacency at the highest levels of government and an inability to tackle one of the greatest privacy issues of our time.  Our legislation will close a gaping loophole in the law by focusing on protecting federal databases and the hackers and thieves who try to steal this very sensitive information for financial gain. The bottom line is, what bank robbery was to the Depression Era, ID theft is to the Information Age.”

"Our veterans served our nation and deserve better than to have their private information treated so carelessly.  And the American men and women now serving so selflessly today need less to worry about, not more,” said Senator Clinton.  “We owe it to our men and women in uniform to protect their privacy.  We need to get to the bottom of this and prevent it from happening again.”

“Our nation owes a debt to our veterans that can never be fully repaid,” Senator Salazar said. “It is deeply concerning to me that the very agency responsible for providing these veterans with the care and services they have earned failed to protect their most basic personal information. For that reason, I am hopeful that we can get to the bottom of these issues.”

Five years of Bush Republican incompetence has put the personal information of the American people at risk, and it is time for a new direction. What little America knows of the gross negligence at the Department of Veterans Affairs is a call for further investigation, and a sign that tough new legislation is needed. The DataTheft Prevention Act of 2006 will finally give the American people the protection they deserve.

A copy of the Senator’s letter to the GAO is attached to this release.


June 14, 2006

Mr. David M. Walker

Comptroller General of the United States

Government Accountability Office

441 G Street, NW

Washington, DC 20548

Dear Mr. Walker:

Last week, several major newspapers reported that the personal information of 80% of our active military personnel was included in the May 3rd heist of a personal computer belonging to a Department of Veterans Affairs employee.  According to the VA, the information contained the names, Social Security Numbers, and birthdates of 2.2 million military personnel.  A spokesman from the department said 1.1 million active duty personnel, 430,000 National Guard members, and 645,000 Reservists were among the 26.5 million identities stolen from the laptop computer.  

These recent revelations directly contradict the Department of Veterans Affairs initial response to the massive data breach that occurred in early May. The New York Times reported that the May 22nd announcement included the larceny “of up to 26.5 million veterans, and their spouses.”Yet, at no time were any active military personnel, or members of Congress, aware that the personal security of the bulk of our military apparatus was jeopardized.

Given this new revelation and the continued failure of the Department of Veterans Affairs to provide accurate, timely and complete information to the American people or the Congress, we are writing to request the Government Accountability Office further investigate this matter.

This security breach not only threatens the identity and financial security of millions of veterans and active military personnel, but also the safety and security of our troops and their families.  Security experts have suggested that the data theft may have profound consequences on the safety of our troops. “‘There is a global black market in this sort of information…and you suddenly have a treasure trove of information on the U.S. military that is available,’ said James Lewis, director of technology and public policy at CSIS.”

Unfortunately, this new disclosure by the VA is just the latest example in a long record of incompetence and deception within the Department of Veterans Affairs and the Bush administration.  

The Department of Veterans Affairs has shown a pattern of careless, and possibly even deceitful, communication, both within the department itself and to the Congress and the public at large with respect to this data loss. Secretary Nicholson was not informed about the data theft until 13 days after the burglary. When Senator Susan Collins asked him how it was possible he was not informed immediately, he replied that it was unclear.  Additionally, officials in the department did not report the May 3rd data theft until over two weeks later on May 22nd, leaving millions of veterans unknowingly at high risk of identity theft.  Also, when the department learned that the personal information of active military personnel was compromised, Secretary Nicholson badly underestimated the number of troops put in harms way.  His estimation of 50,000 Navy and National Guard members affected accounted for just a tiny fraction of the total number of American troops exposed.

The information security breach is even more egregious considering VA, after continual security audits, was well aware of the vulnerability of its data security. According to VA Inspector General George Opfer, “In all four audits of the VA Security Program issued since 2001, we reported serious vulnerabilities that remain uncorrected. These reports highlight specific vulnerabilities that can be exploited, but the recurring themes in these reports are the need for centralization, remediation, and accountability in VA information security. Since the FY 2001 report, we reported weakness in physical security, electronic security, wireless security, personnel security, and FISMA reporting.”

For all these reasons, we ask that the Government Accountability Office make an in-depth inquiry into the causes of this serious breach, the adequacy of the VA’s response, and the impact to the veterans and military community at large.  More specifically, we desire that the GAO: