WASHINGTON - Angry veterans aren't waiting for Congress to take action over the recent Veterans Administration loss of 26.5 million personal records of veterans.
Tuesday afternoon, a coalition of veterans groups filed a class action lawsuit demanding the VA name those who are at risk for identity theft. The suit seeks $1,000 in damages for each person, a payout that could reach $26.5 billion.
According to the lawsuit, the VA's loss of the records violated both the U.S. Privacy Act and the Administrative Procedure Acts.
"It is appalling to all veterans that their personal information -- information that is supposed to be held in confidence -- is potentially in the hands of individuals who can wreak identity-theft havoc," John Rowan, the national president of Vietnam Veterans of America and a plaintiff in the lawsuit, said in a statement.
Other veteran groups backing the lawsuit include the National Gulf War Resource Center, Radiated Veterans of America, Citizen Soldier and Veterans for Peace.
The lawsuit also seeks a court order to prevent the VA from any further use of veterans' data until a court-appointed panel of security experts determines appropriate safeguards to prevent future data breaches.
"This lawsuit seeks to insure that no harm will come to veterans as a result of this theft, and that such an incident can never occur again," Rowan said.
In late May, the VA disclosed it had suffered the second largest known data breach in U.S. history and the largest Social Security numbers breach ever.
The breach occurred when a VA employee violated agency policy and took a laptop with the records on it home, where it was stolen in a burglary.
"The VA has been criticized for years about lax information security and that includes criticism from the VA's own Inspector General. The VA still hasn't properly secured all the personal information under its control," Rowan said.
He added: "We hope this lawsuit will help Secretary [Jim] Nicholson correct the known vulnerabilities in how the VA protects private information."
The breach sparked new interest in Congress to pass data protection and disclosure laws.
While more than 10 bills were introduced in the aftermath of the ChoicePoint data breach 17 months ago, neither the U.S. House nor the Senate has been able to actually pass a measure.
The legislation has bogged down over exactly what should trigger public disclosure of a data breach. Should it be a "reasonable" or a "substantial" threat of identity theft?