The Veterans Administration and Data Privacy

I woke up this morning to learn that I might be one of the more than 26 million veterans whose personal information - including name, social security number, and date of birth - is now in the hands of a (presumably) common thief. I won’t be certain that I am one of the individuals affected until I receive notification in the mail from the Department of Veterans Affairs. But I’m reasonably sure, given that I joined the service after 1975, that my personal information has now been compromised.

The Washington Post is certainly correct that this is a case of “incompetence” – the VA employee in question removed the data to his home, from whence it was stolen. The Post editors note:

Mr. Nicholson says that the employee was not authorized to take this information home, but his department clearly failed to do enough to enforce its own guidelines. It now promises to restrict access to sensitive data to those who need it and to conduct background checks on those who do. It’s extraordinary that this approach did not prevail already.

It is indeed. But the larger point is this: If we depend upon government to defend us from compromises of our personal information, and if we assume that such violations are most likely to be perpetrated by negligent, incompetent or mendacious individuals in private firms, then who is to protect us from negligence, incompetence or mendacity on the part of government officials?

In the case of the private firms, I retain some capacity for limiting the scope of my liability by tearing up that credit card application, or by hanging up on the telemarketer trying to sell me (another) home equity loan. Meanwhile, I subjected myself to a degree of scrutiny that most Americans avoid when I joined NROTC in 1985, and the active duty Navy in 1989. In a sense, I “opted in” and my name appears in a VA database. On the other hand, most Americans “opted out” by having never served in any branch of the military; and in this particular case, their personal data is not at risk. 

But unlike credit card solicitations and telemarketers, letters and phone calls from the federal government cannot be ignored, meaning that Americans are not always afforded the opportunity to opt in to a particular database. Nearly every American has a social security number, most have filed federal income taxes, and millions of American males are required to register with the federal government under the Selective Service Act. Each of these cases involves an obligation under the law; choosing to opt out is a criminal offense.

So I ask again: Given that we cannot limit our liability without penalty of fine or imprisonment when the government demands personal information from us, who protects us from identity theft when the government is at fault?