Last week, the Veteran's Affairs Department agreed to pay $20 million to settle class action lawsuits by five veterans groups relating to a 2006 security breach. The incident involved, as is so often the case, the theft of a laptop. The laptop, which was stolen in the burglary of a VA data analyst's home in Maryland, contained the names, dates of birth and Social Security numbers of 26.5 million veterans and active-duty service members. The laptop was later recovered and the VA discovered no evidence that the data had been misused.
The VA has agreed to use the $20 million settlement amount, which comes from the U.S. Treasury, to pay affected individuals between $75 and $1500 if they can prove that they suffered actual harm, such as emotional distress or expenses related to credit monitoring. It will be interesting to see how the VA will go about paying damages for emotional distress. What sort of "proof" will affected individuals be expected to submit? What settlement amounts will be paid for emotional distress? This is of particular interest because in other class action lawsuits related to security breaches, courts have thus far tended to deny claims for damages because an individual experiences emotional distress at the prospect that his or her personal information MIGHT be exposed to criminals or used to commit fraud. Could the VA settlement be viewed as an encouraging sign by plaintiffs' class action attorneys seeking to bring emotional distress claims in the wake of security breaches?
I tend to think that the substantial settlement reflects the VA's desire to satisfy its veteran and service member constituencies, as well as an attempt to mitigate some of the public relations damage that resulted from negative press coverage in 2006 and a scathing report by the VA Department's Inspector General that followed the breach.
