VVA Logo

Contact Us

VVA Press Releases



VVA Files Lawsuit Read the Complaint:


FTC Consumer Alert
Latest Information on VA Data Security
Do you have questions for the VA?
For More Information,
Visit the VA website

VVA Letter to
Sec. Nicholson

Letter from Sec. Nicholson to

Do you want to belong to our Veteran community?


The VVA Guide to
Vietnam Veterans of America, Inc. et al. v. Nicholson et al.

See Complete Complaint

Questions and Answers About the Class Action Lawsuit Filed on June 6, 2006 to Seek Accountability and Damages for the VA Data Security Disaster of 2006

Q: Why was the lawsuit filed?

VVA joined with several other groups to seek the court's oversight and damages of the U.S. Department of Veterans Affairs' (VA) handling of personal information. VA has a long and well documented history of being lax about information security.  The May 3, 2006, incident involving a VA data analyst who took home electronic data reported to contain personal information for about 26.5 million veterans and others which was later reported to have been stolen from the analyst's home is, we believe, only the latest and most public indication of VA's information security problems. The recent Congressional hearings on the matter made it clear that Congress is completely frustrated by VA's inability or unwillingness to comply with fundamental legal requirements for protecting veterans' private information. VVA concluded that judicial oversight of VA is the last best chance for establishing control over the Department to insure that veterans' private information gets the necessary protection the law requires.

Q: What personal information about 26.5 million veterans and others was in the computer or storage device(s) that was stolen?

To date, the VA has not provided a detailed report of all the personal information that was stolen. According to the VA and news reports, the lost data is primarily limited to an individual’s name, date of birth, and social security number.  In some cases, spousal information may have been included. The VA has also said the data may have included the number of service-connected disabilities a veteran has and the veteran’s overall disability percentage rating. Some news reports have said the data may include VA diagnostic codes for some veterans. The four-digit VA diagnostic codes reveal diseases, disorders, injuries, or disabilities that a veteran has.

Q: When and where was the lawsuit filed?
A: The case was filed on June 6, 2006, in Washington, D.C., in the U.S. District Court for the District of Columbia  http://www.dcd.uscourts.gov/ . The case, Vietnam Veterans of America, Inc. et al. v. Nicholson et al., was assigned to Judge James Robertson.
Q: Where can I get a copy of the Complaint that was filed to start the law suit?

Click on Veterans Affairs Identity Theft on the VVA web site. http://www.vva.org/ This will take you to a VA Data Loss Class Action page  http://www.vva.org/ClassAction/index.htm  where you can download a free copy of the Complaint in Portable Document Format (PDF). If  you need the free software (Adobe Acrobat Reader) necessary to read a PDF document, you can use the "Adobe Acrobat Reader" button on the VVA website http://www.vva.org/SiteIndex/siteindex.htm to download that software.

Q: What does the lawsuit say the VA Secretary and the VA did wrong?
A: The Complaint alleges that the VA Secretary and the VA violated the Privacy Act of 1974, as amended (5 U.S.C. § 552a), and the Administrative Procedure Act by failing to ensure that VA employees comply with many of the Privacy Act requirements aimed at protecting citizens' private information. The Secretary is a named defendant in his official capacity only, which means he is sued because he is the official ultimately responsible for his employees' compliance with the law. We do not seek any damages from the Secretary, or any other VA employee, personally. The Department is named as the Defendant so that the judge has jurisdiction to order it as a government agency to comply with the court's orders.
Q: Where can I find information about the Privacy Act?

copy of the Privacy Act of 1974 is available on the U.S. Department of Justice website. http://www.usdoj.gov/04foia/privstat.htm The same site also provides an "Overview of the Privacy Act" http://www.usdoj.gov/04foia/04_7_1.html with detailed information and references to many previous Privacy Act cases. The VA's Office of Information and Technology has a page that includes the VA's Privacy Act regulations, directives, and handbooks.  http://www.va.gov/OIT/CIO/FOIA/default.asp 

That same office has an index to the detailed descriptions of the VA's Privacy Act "systems of records" http://www.va.gov/oit/cio/foia/systems_of_records.asp that agencies are required to publish in the Federal Register so that citizens can know what systems of records government agencies are keeping on them. Every two years the Federal Register is required to compile and publish: (1) descriptions of the systems of records maintained on individuals by Federal agencies which were published in the Federal Register; and (2) each agency's Privacy Act rules. http://www.gpoaccess.gov/privacyact/about.html  The biannual compilations are available online. http://www.gpoaccess.gov/privacyact/index.html
Q: What does the lawsuit ask the court to do?

The Complaint requests:

  • A declaratory judgment that the VA’s loss of these records violated and continues to violate both the Privacy and Administrative Procedure Acts.
  • A court order that the VA disclose the exact nature of its compromised records system and to individually inform each veteran of every record it maintains on him/her.
  • An injunction preventing the VA from altering any data-storage system and prohibiting any further use of these data until a court-appointed panel of experts determines how best to implement safeguards to prevent any further breaches.
  • A judgment awarding $1,000 to each veteran who can show that he or she has been harmed by the VA’s violation of the Privacy Act.
Q: Was the case filed as class action and how does that work?

The lawsuit was filed as a class action by five organizations (VVA, Citizen Soldier, Inc., National Gulf War Resource Center, Inc., Radiated Veterans of America, Inc., and Veterans for Peace, Inc.) and some individual veterans. After a case is filed as a class action, a court decides whether the case should be a class action or whether it should be a regular lawsuit that's not a class action. More legal papers (called a motion for class certification) will be filed later so that the judge can decide whether the case should be a class action and, if so, who should be in the class.

If a class is certified (in other words, if the judge decides a class action is appropriate), there will be a large effort to announce that a class has been formed and to provide directions on how to opt in or opt out of the class.  If you have heard of this lawsuit, it is likely that you will also hear of a class certification, if a class is formed.

Q: Why did VVA decide to team up with the other organizations who are in the lawsuit?

VVA believes, all veterans have a common interest in seeing that this unprecedented situation is addressed and resolved satisfactorily, even if they don't always agree about other issues. Sometimes litigation, like politics, is the art of the possible. When there is no disagreement about "an inexcusable betrayal of trust," VVA is not inclined to sit this one out. Some veterans organizations have preferred to let Congress and the VA handle the matter, but, as VVA's National President, John Rowan, said recently:

We’ve just seen the largest known unauthorized disclosure of Social Security numbers in history.  We hope this lawsuit will help Secretary Nicholson correct the known vulnerabilities in how the VA protects private information. Without the full weight of the Federal judiciary behind this effort there is no reason to believe that this Secretary will succeed where every single Secretary before him failed to adequately change the corporate culture to safeguard privacy, and to ensure IT security. This lawsuit seeks to insure that no harm will come to veterans as a result of this theft, and that such an incident can never occur again.

Q: Who does the Complaint say should be in the class?

There is no deadline for the court to do this. The U.S. government has sixty (60) days after it was served with a copy of the Complaint either to respond or to ask the court for more time to respond to the Complaint. When the government does respond, it might be: (1) with legal papers saying some or all of the case should be dismissed or (2) with an Answer,  which doesn't rule out the possibility of later asking the judge to rule for the government before a trial. If the government tries to dismiss some or all of the case before filing an Answer, which would not be unusual, then VVA's legal team would file legal papers opposing the dismissal and the government could file a reply before the court made a decision.

If the government tries to dismiss the case, the judge probably will not address class certification questions before deciding about dismissal of the case. If the case is not dismissed, then the schedule for the case (not yet determined) will establish deadlines for the rest of the case. Right now what will happen and when is still unclear, but as more specific information becomes available VVA will post it to VVA's website. The ball is now in the government's court and the government still has about two months to respond to the Complaint.

Q: Is the lawsuit a sure thing?
A: No. There are no guarantees that the lawsuit will be successful

Should I expect that I will soon be getting a VA check for $1,000 because the lawsuit was filed?

A: No.  The demand for $1,000 damages is only part of what the case is about. The Complaint also seeks what lawyers call "injunctive relief" (see # 15 below.)  There won't be any damages unless the case is won or settled and damages are part of the win or settlement. And settlements often involve tradeoffs or compromises.  Don't count on money until it's in your pocket and there is no guarantee that it will be.

Why does the Complaint request a uniform $1,000 for each class member who has been adversely effected?


The Privacy Act provides that $1,000 is the minimum amount of damages when: (1) an agency fails to comply with the Privacy Act or its regulations; (2) the failure to comply has an "adverse effect" on an individual; and (3) the court determines that the agency acted in a manner which was intentional or willful. All three conditions must be met. Any veteran suffering actual damages exceeding $1,000 can choose to "opt out" of the class action and file his or her own separate lawsuit when the opportunity to opt out is presented. Notwithstanding the potential differences in damages among class members, all class members are seeking the same injunctive relief.  

Q: What is "injunctive relief" and what injunctive relief does the Complaint request?

Injunctive relief is something other than money that a court can order in response to a claim of harm. An example of injunctive relief would be a court order that requires the VA and the VA Secretary to do (or not do) certain things. The Complaint (pages 15-16) describes the injunctive relief requested as follows:

(d) That this Court permanently enjoin [enjoin means prevent] Defendant VA, its officers, agents, employees, and those acting for and with them, from accessing, viewing, handling, disclosing, or in any way transferring any record or system of records subject to Privacy Act requirements until an independent panel of experts finds that adequate information security has been established and implemented by VA, unless such activity is explicitly allowed by Court order and under supervision of persons independent of VA, such supervision to be at VA expense;

(e) That this Court enjoin Defendant VA, its officers, agents, employees, and those acting for and with them from removing any device capable of storing, containing, or transferring any record or system of records, including, but not limited to, laptop computers, portable hard drives, memory stick or similar devices, and “iPods” and similar devices, from property under VA’s supervision and control until and unless VA demonstrates that adequate information security has been established to the Court’s satisfaction.

Q: How can I get news and information about what's happening in the case?
A: Click on Veterans Affairs Identity Theft on the VVA web site.   http://www.vva.org/ .  This will take you to the VA Data Loss Class Action page  http://www.vva.org/ClassAction/index.htm  where VVA will post news and press releases about the law suit.
Q: Who is the lawyer representing VVA and the others who filed suit?
A: Douglas J. Rosinski, of the law firm Ogletree Deakins,  is a veteran who was a Naval officer (nuclear engineer on a sub) before he was a lawyer. He handles many veterans cases.
Q: Can VVA give me legal advice about what I should do?
A: No. VVA can provide information about the lawsuit and references to information about related matters, but, if you need legal advice, you should get it from a lawyer, not VVA.

What should I do if I work for the VA and I have some information or documents that will help the veterans’ lawsuit?


We appreciate that there are many, many VA employees who do a tremendous job under difficult circumstances and who want to help change VA into the service agency it should be. VVA, however, cannot provide legal advice to VA employees regarding what to do with information or documents that may be important to the case. Organizations like the Government Accountability Project (GAP), http://www.whistleblower.org/template/index.cfm, a 28-year old nonprofit public interest organization in Washington, DC, do advise and represent citizens in similar circumstances, but VVA has had no contact with GAP about this matter.

If VVA receives information or documents that may help the veterans’ lawsuit, VVA will provide that information or documents to its legal team so that a decision cab be made the relevance if the information to the issues in this case. VVA's sense is that current and former VA employees who are knowledgeable about the VA's information security problems may have been expecting something like this to happen and can shed much light n the issues.

VVA's phone number and extension for information pertaining to the lawsuit is 301-585-4000, Extension 125. This is not a toll-free number. VVA's fax number and e-mail address for information about the lawsuit are: (301) 585-5245 and VAIdentityTheftLawsuit@vva.org. VVA does not record incoming audio telephone calls and there are no special security features on VVA's telephones, fax machines, or e-mail system. As someone in the military might say, "This is not a secure line." In this period when the government is reportedly engaged in a wide range of communications intercepts, all in the interests of national security, of course, anything is possible.  VVA's mailing address for information about the lawsuit is: Vietnam Veterans of America, Attn: Class Action Litigation, 8605 Cameron Street, Suite 400, Silver Spring, MD 20910

Q: Has anybody else sued the VA about this?
A: To the best of our knowledge, at least two  other class suits have been filed.   VVA has no involvement in those cases which we understand have only one or two veterans as plaintiffs.  Other cases may be filed and there are legal procedures for deciding who will be lead case, should any other cases move forward. 

Vietnam Veterans of America (VVA) is the nation's only congressionally chartered veterans service organization dedicated to the needs of Vietnam-era veterans and their families.  VVA's founding principle is “Never again will one generation of veterans abandon another.”