The government must spend whatever is necessary to avoid undue hardships for people in connection with the theft of data from several agencies, a House panel was told Tuesday.
"Unfortunately, as we have all come to realize, the question is not whether another incident of information theft will occur but when," said David McIntyre, president and CEO of TriWest Healthcare Alliance, which provides information security to the Pentagon.
He suggested creating a central government "nerve center" to assist agencies after any such security breach.
"Events such as these are happening with increased regularity — and, surely, spending a few million to prepare is preferable to spending hundreds of millions to react," McIntyre told a House Appropriations subcommittee.
On Tuesday, the Veterans Affairs Department was asking Congress for more money to help protect millions of veterans and members of the military from identity theft linked to the burglary of a computer last month at a VA data analyst's home.
The protections the VA wants to provide, which would include insurance against expenses the veterans could incur, were to be outlined by VA Secretary Jim Nicholson.
No cases of identity theft have been reported in connection with the May 3 theft of a computer from the data analyst's home in suburban Maryland. The laptop contained names, birth dates and Social Security numbers for up to 26.5 million people.
Last week, the Senate Appropriations Committee approved $160 million in emergency funds to pay for credit monitoring. It is one of many expected payments as the government struggles with fallout from data thefts and other breaches now crossing at least six agencies, including the Pentagon, Agriculture and Federal Trade Commission.
Nicholson called the burglary a "wake-up call" that should not come at the expense of veterans, who have challenged the free monitoring in federal court as potentially inadequate.
"We are making an effort to be responsive to concerns ... that we provide 'detection, protection and insurance' for those possibly affected," he said in written testimony prepared for Tuesday's hearing. "It is only right that we, the government, do everything possible to protect our veterans and to keep them from incurring loss or expense."
During the hearing, Rep. James Walsh, chairman of the House subcommittee, chastised the VA for waiting three weeks to notify veterans about the theft. "This represents a significant lapse of time that could have been vital to protect identity theft," said Walsh, R-N.Y.
Rep. Chet Edwards, the top Democrat on the panel, agreed. "Clearly this is a serious problem that Congress needs to partner in solving," said Edwards, D-Tex.
But he added: "Clearly, it is not confined to one agency. My hope is this hearing will be part of coming up with a system to protect private information."
The VA plans to offer free credit monitoring for a year to millions of veterans and troops. It said it would send out letters in early August — after it solicits bids from contractors — on how to sign up for the free service.
Lawyers for veterans said the VA's deal was "incomplete and misleading," according to court papers. They said the VA must make clear whether veterans will have to give up their rights in court to a potentially larger payout.
U.S. District Judge William Bertelsman in Kentucky scheduled a hearing for Friday to determine whether the VA should revise its offer. Until then, he has barred the VA from publicizing its free credit monitoring offer to veterans.
The class-action lawsuits, which are pending in Covington, Ky., and Washington, seek free monitoring and other credit protection for an indefinite period as well as $1,000 in damages for each person — or up to $26.5 billion total — in what has become one of the nation's largest information security breaches.
A VA spokesman declined to comment Monday on the judge's order, saying it was being reviewed by department attorneys.
In his testimony Tuesday, Nicholson said he had ordered a review to ensure that all virus and security software was current, but he said he had placed that directive on hold until the VA received additional guidance from the courts.
"Unfortunately, a very bad thing happened," he said. "Even today we can't say with certainty just what data was contained on the computer and hard drive that were taken. We have done everything we can to attempt to ascertain what was there. But we can't be certain."
Veterans groups and lawmakers from both parties have criticized the VA about the theft and noted years of warnings by auditors that information security was lax. The data analyst — who was in the process of being dismissed — had taken the information home on a personal laptop for three years.
The VA also has been criticized for waiting nearly three weeks — until May 22 — to notify veterans about the theft.
Since then, the VA has spent more than $14 million to notify veterans by letter and set up a call center, and it is spending an additional $200,000 a day to maintain the call center. Another roughly $7 million was expected to be spent to notify veterans by letter in early August of the free monitoring.