U.S. DOJ: Letter to Rep. Kitty Rhoades On V.A. Security Breach

May 31, 2006

The Honorable Kitty Rhoades

Wisconsin State Assembly

State Capitol, Room 320 East
Madison, WI 53702

Dear Representative Rhoades:

            I am writing in response to your letter dated May 26, 2006 to Attorney General Lautenschlager in which you inquire about our request that the United States Department of Veterans Affairs (VA) provide the Wisconsin Department of Justice with information related to the massive security breach announced last week involving the personal identifying information of 26.5 million veterans.  As you are aware, our request was similar to requests in previous security breaches.  We issue these requests because the Department of Justice has both consumer protection obligations and law enforcement responsibilities.  With the exception of the unusually high number of people affected, this breach appears no different than those involving private businesses – it resulted from the failure of an entity charged with storing personal information to adequately control and protect that information.

Security breaches involving the personal information of Wisconsin residents put the residents at risk of becoming victims of identity theft and other crimes.  Our office is charged with investigating crimes that are statewide in nature and often we are the first and most accessible place residents turn to for help.  Knowing the names and contact information of those affected by the breaches, along with the nature of the information compromised (note we do not request the information itself), allows us to answer inquiries from Wisconsin residents as accurately as possible.  Whatever federal authorities may or may not do in response to this particular security lapse does not discharge us from our duty to protect Wisconsin residents and investigate violations of state law.

As you note, the VA and federal government have announced efforts to rectify this situation and to contact individuals affected by the breach.  The Attorney General is concerned, however, that these efforts will fall short – at the expense of Wisconsin veterans.  As I stated above, this breach affected an extremely high number of people, second only to one other breach that I am aware of in June of last year (CardSystems).  Furthermore, the VA has been criticized by lawmakers of both political parties and other public officials for poorly handling the breach thus far.  The VA knew the breach took place weeks before taking action or even informing its Secretary.   You may believe that the VA’s actions to date should result in the confidence of Wisconsin’s citizens, but we do not share that conviction. 

The fact that this matter involves the federal government, not a private business, makes little difference. The federal government did not have adequate protections set-up to prevent this breach in the first place (such as encrypting the personal information), so how can we assume that it has adequate “procedures in place to investigate and rectify the situation?” Moreover, identity theft is an increasingly detrimental offense impacting scores of new victims each day. It should be apparent to anyone even casually aware of this type of criminal activity, and its devastating consequences to victims, that a significant and timely response by authorized agencies to a security breach this extensive is not optional, it is vitally important.  

In February, you and 95 other State Representatives voted unanimously to pass security breach notification legislation.  The legislation, now signed into law, requires entities that store personal information belonging to Wisconsin residents to notify residents in the event the information is compromised.  The legislation does not apply to the federal government, however it does explicitly define “entity” to include state agencies, offices and departments as well as the legislature and courts.  I believe this sheds light on our legislature’s resolve that governmental bodies, no less than private companies, should be treated no differently where the personal information of individuals has been compromised.

You stated in your letter that Wisconsin Veterans deserve to know that this initiative is being done for the sole purpose of their protection. Given the various functions of this department and the enormity of this security breach, I would expect that a failure on our part to take action would give rise to question, rather than the opposite. In any event, I trust that the explanation provided has satisfied your concerns.

                                                                        Very truly yours,

                                                                        Daniel P. Bach

                                                                        Deputy Attorney General