The VVA Guide to
Vietnam Veterans of America, Inc. et al. v. Nicholson et al.
Questions and Answers About
the Class Action Lawsuit Filed on June 6, 2006 to Seek Accountability
and Damages for the VA Data Security Disaster of 2006
Why was the lawsuit filed?
VVA joined with several other groups to seek the court's
oversight of, and damages for, the U.S. Department of Veterans Affairs'
(VA) handling of personal information. VA has a long and
well-documented history of being lax about information security. The
May 3, 2006, incident, in which a VA data analyst took
home electronic data reported to contain personal information
for about 26.5 million veterans and others, and that data was later
reported to have been stolen from the analyst's home, is, we
believe, only the latest and most public indication of VA's
information security problems. The recent Congressional hearings
on the matter made it clear that Congress is completely frustrated
by VA's inability or unwillingness to comply with fundamental
legal requirements for protecting veterans' private information.
VVA concluded that judicial oversight of VA is the last best
chance for establishing control over the Department to ensure
that veterans' private information gets the necessary protection
the law requires.
What personal information about 26.5 million
veterans and others was in the computer or storage device(s)
that was stolen?
To date, the VA has not provided a detailed
report of all the personal information that was stolen. According
to the VA and news reports, the lost data is primarily limited
to an individual’s name, date of birth, and social security
number. In some cases, spousal information may have been
included. The VA has also said the data may have included the
number of service-connected disabilities a veteran has and
the veteran’s overall disability percentage rating. Some
news reports have said the data may include VA diagnostic codes
for some veterans. The four-digit VA diagnostic codes reveal
diseases, disorders, injuries, or disabilities that a veteran
When and where was the lawsuit filed?
The case was filed on June 6, 2006, in Washington,
D.C., in the U.S. District Court for the District of Columbia (http://www.dcd.uscourts.gov/).
The case, Vietnam Veterans of America, Inc. et al. v. Nicholson
et al., was assigned to Judge James Robertson.
Where can I get a copy of the Complaint
that was filed to start the lawsuit?
Click on Veterans Affairs Identity
Theft on the VVA web site (http://www.vva.org/). This
will take you to a VA Data Loss Class Action page (http://www.vva.org/ClassAction/index.htm) where
you can download a free copy of the Complaint in Portable
Document Format (PDF). If you need the free software
(Adobe Acrobat Reader) necessary to read a PDF document,
you can use the "Adobe Acrobat Reader" button on
the VVA website (http://www.vva.org/SiteIndex/siteindex.htm) to
download that software.
What does the lawsuit say the VA Secretary
and the VA did wrong?
The Complaint alleges that the VA Secretary and
the VA violated the Privacy Act of 1974, as amended (5 U.S.C. § 552a),
and the Administrative Procedure Act by failing to ensure that
VA employees comply with many of the Privacy Act requirements
aimed at protecting citizens' private information. The Secretary
is a named defendant in his official capacity only, which means
he is sued because he is the official ultimately responsible
for his employees' compliance with the law. We do not seek any
damages from the Secretary, or any other VA employee, personally.
The Department is named as the Defendant so that the judge has
jurisdiction to order it as a government agency to comply with
the court's orders.
Where can I find information about the
copy of the Privacy Act of 1974 is available
on the U.S. Department of Justice website (http://www.usdoj.gov/04foia/privstat.htm). The
same site also provides an "Overview of the Privacy Act" (http://www.usdoj.gov/04foia/04_7_1.html) with
detailed information and references to many previous Privacy
Act cases. The VA's Office of Information and Technology has
a page that includes the VA's Privacy Act regulations, directives,
and handbooks (http://www.va.gov/OIT/CIO/FOIA/default.asp).
That same office has an index to the detailed descriptions of
the VA's Privacy Act "systems of records" (http://www.va.gov/oit/cio/foia/systems_of_records.asp) that
agencies are required to publish in the Federal Register so that
citizens can know what systems of records government agencies
are keeping on them. Every two years the Federal Register is
required to compile and publish: (1) descriptions of the systems
of records maintained on individuals by Federal agencies which
were published in the Federal Register; and (2) each agency's
Privacy Act rules (http://www.gpoaccess.gov/privacyact/about.html). The
biennial compilations are available online (http://www.gpoaccess.gov/privacyact/index.html).
What does the lawsuit ask the court to
The Complaint requests:
- A declaratory judgment that the VA’s loss
of these records violated and continues to violate both the
Privacy and Administrative Procedure Acts.
- A court order that the VA disclose the exact nature
of its compromised records system and individually inform
each veteran of every record it maintains on him/her.
- An injunction preventing the VA from altering any
data-storage system and prohibiting any further use of these
data until a court-appointed panel of experts determines
how best to implement safeguards to prevent any further breaches.
- A judgment awarding $1,000 to each veteran who can show
that he or she has been harmed by the VA’s violation
of the Privacy Act.
Was the case filed as a class action and
how does that work?
The lawsuit was filed as a class action by
five organizations (VVA, Citizen Soldier, Inc., National Gulf
War Resource Center, Inc., Radiated Veterans of America, Inc.,
and Veterans for Peace, Inc.) and some individual veterans.
After a case is filed as a class action, a court decides whether
the case should be a class action or whether it should be a
regular lawsuit that's not a class action. More legal papers
(called a motion for class certification) will be filed later
so that the judge can decide whether the case should be a class
action and, if so, who should be in the class.
If a class is certified (in other words, if the judge decides
a class action is appropriate), there will be a large effort
to announce that a class has been formed and to provide directions
on how to opt in or opt out of the class. If you have
heard of this lawsuit, it is likely that you will also hear
of a class certification, if a class is formed.
Why did VVA decide to team up with the
other organizations who are in the lawsuit?
VVA believes all veterans have a common interest
in seeing that this unprecedented situation is addressed and
resolved satisfactorily, even if they don't always agree about
other issues. Sometimes litigation, like politics, is the art
of the possible. When there is no disagreement about "an
inexcusable betrayal of trust," VVA is not inclined to
sit this one out. Some veterans organizations have preferred
to let Congress and the VA handle the matter, but, as VVA's
National President, John Rowan, said recently:
We’ve just seen the largest known unauthorized disclosure
of Social Security numbers in history. We hope this
lawsuit will help Secretary Nicholson correct the known vulnerabilities
in how the VA protects private information. Without the full
weight of the Federal judiciary behind this effort there
is no reason to believe that this Secretary will succeed
where every single Secretary before him failed to adequately
change the corporate culture to safeguard privacy, and to
ensure IT security. This lawsuit seeks to insure that no
harm will come to veterans as a result of this theft, and
that such an incident can never occur again.
Who does the Complaint say should be in
There is no deadline for the court to do this.
The U.S. government has sixty (60) days after it was served
with a copy of the Complaint either to respond or to ask the
court for more time to respond to the Complaint. When the government
does respond, it might be: (1) with legal papers saying some
or all of the case should be dismissed or (2) with an Answer, which
doesn't rule out the possibility of later asking the judge
to rule for the government before a trial. If the government
tries to dismiss some or all of the case before filing an Answer,
which would not be unusual, then VVA's legal team would file
legal papers opposing the dismissal and the government could
file a reply before the court made a decision.
If the government tries to dismiss the case, the judge probably
will not address class certification questions before deciding
about dismissal of the case. If the case is not dismissed,
then the schedule for the case (not yet determined) will establish
deadlines for the rest of the case. Right now what will happen
and when is still unclear, but as more specific information
becomes available VVA will post it to VVA's website. The ball
is now in the government's court and the government still has
about two months to respond to the Complaint.
Is the lawsuit a sure thing?
No. There are no guarantees that the lawsuit will
Should I expect that I will soon be
getting a VA check for $1,000 because the lawsuit was filed?
No. The demand for $1,000 damages is only
part of what the case is about. The Complaint also seeks what
lawyers call "injunctive relief" (see #15 below). There
won't be any damages unless the case is won or settled and damages
are part of the win or settlement. And settlements often involve
tradeoffs or compromises. Don't count on money until it's
in your pocket, and there is no guarantee that it will be.
Why does the Complaint request a uniform
$1,000 for each class member who has been adversely affected?
The Privacy Act provides that $1,000 is the
minimum amount of damages when: (1) an agency fails to comply
with the Privacy Act or its regulations; (2) the failure to
comply has an "adverse effect" on an individual;
and (3) the court determines that the agency acted in a manner
which was intentional or willful. All three conditions
must be met. Any veteran suffering actual damages
exceeding $1,000 can choose to "opt out" of the class
action and file his or her own separate lawsuit when the opportunity
to opt out is presented. Notwithstanding the potential
differences in damages among class members, all class members
are seeking the same injunctive relief.
What is "injunctive relief" and
what injunctive relief does the Complaint request?
Injunctive relief is something other than money
that a court can order in response to a claim of harm. An example
of injunctive relief would be a court order that requires the
VA and the VA Secretary to do (or not do) certain things. The
Complaint (pages 15-16) describes the injunctive relief requested
(d) That this Court permanently enjoin [enjoin means prevent]
Defendant VA, its officers, agents, employees, and those acting
for and with them, from accessing, viewing, handling, disclosing,
or in any way transferring any record or system of records
subject to Privacy Act requirements until an independent panel
of experts finds that adequate information security has been
established and implemented by VA, unless such activity is
explicitly allowed by Court order and under supervision of
persons independent of VA, such supervision to be at VA expense;
(e) That this Court enjoin Defendant VA, its officers, agents,
employees, and those acting for and with them from removing
any device capable of storing, containing, or transferring
any record or system of records, including, but not limited
to, laptop computers, portable hard drives, memory stick
or similar devices, and “iPods” and similar devices,
from property under VA’s supervision and control until
and unless VA demonstrates that adequate information security
has been established to the Court’s satisfaction.
How can I get news and information about
what's happening in the case?
Click on Veterans Affairs Identity Theft on
the VVA web site (http://www.vva.org/). This
will take you to the VA Data Loss Class Action page (http://www.vva.org/ClassAction/index.htm) where
VVA will post news and press releases about the lawsuit.
Who is the lawyer representing VVA and
the others who filed suit?
Douglas J. Rosinski, of the law firm Ogletree
Deakins, is a veteran who was a Naval officer (nuclear
engineer on a sub) before he was a lawyer. He handles many veterans
Can VVA give me legal advice about what
I should do?
No. VVA can provide information about the lawsuit
and references to information about related matters, but, if
you need legal advice, you should get it from a lawyer, not VVA.
What should I do if I work for the
VA and I have some information or documents that will help
the veterans’ lawsuit?
We appreciate that there are
many, many VA employees who do a tremendous job under difficult
circumstances and who want to help change VA into the service
agency it should be. VVA, however, cannot provide legal advice
to VA employees regarding what to do with information or documents
that may be important to the case. Organizations like the Government
Accountability Project (GAP) (http://www.whistleblower.org/template/index.cfm),
a 28-year-old nonprofit public interest organization in Washington,
DC, do advise and represent citizens in similar circumstances,
but VVA has had no contact with GAP about this matter.
If VVA receives information or documents that may help the
veterans’ lawsuit, VVA will provide that information
or documents to its legal team so that a decision can be made about
the relevance of the information to the issues in this case.
VVA's sense is that current and former VA employees who are
knowledgeable about the VA's information security problems
may have been expecting something like this to happen and can
shed much light on the issues.
VVA's phone number and extension for information pertaining
to the lawsuit is 301-585-4000, Extension 125. This is not
a toll-free number. VVA's fax number and e-mail address for
information about the lawsuit are: (301) 585-5245 and VAIdentityTheftLawsuit@vva.org.
VVA does not record incoming audio telephone calls and there
are no special security features on VVA's telephones, fax machines,
or e-mail system. As someone in the military might say, "This
is not a secure line." In this period when the government
is reportedly engaged in a wide range of communications intercepts,
all in the interests of national security, of course, anything
is possible. VVA's mailing address for information about
the lawsuit is: Vietnam Veterans of America, Attn: Class Action
Litigation, 8605 Cameron Street, Suite 400, Silver Spring,
Has anybody else sued the VA about this?
To the best of our knowledge, at least two other
class suits have been filed. VVA has no involvement
in those cases, which we understand have only one or two veterans
as plaintiffs. Other cases may be filed, and there are legal
procedures for deciding which will be the lead case, should any other
cases move forward.
Vietnam Veterans of America (VVA) is the
nation's only congressionally chartered veterans service organization
dedicated to the needs of Vietnam-era veterans and their families.
VVA's founding principle is “Never again will one generation of veterans