IN RE: DEPARTMENT OF VETERANS AFFAIRS (VA) DATA THEFT LITIGATION - MDL 1796
MOTION for Discovery Pursuant to Rule 56
D.D.C.
March 2, 2007

UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF COLUMBIA

In Re: DEPARTMENT OF VETERANS AFFAIRS (VA) DATA THEFT LITIGATION
Misc. Action No. 06-0506 (JR)
MDL Docket No. 1796

This Document Relates To: ALL CASES

PLAINTIFFS’ RULE 56(f) MOTION FOR DISCOVERY

Pursuant to Federal Rules of Civil Procedure 7 and 56(f) and Local Civil Rule 7, Plaintiffs hereby move the Court to order discovery and any other such action as the Court may deem just under the circumstances to enable Plaintiffs to fully and fairly respond to Defendants’ Defendants’ Motion to Dismiss Or, in the Alternative, For Summary Judgment (Feb. 22, 2007) (“Defs.’ Motion”).

The Court should grant this Motion because Plaintiffs: (1) cannot fully present relevant facts in opposition to Defendants’ Motion; (2) can identify specific sworn interview testimony, documents, and other material in Defendants’ possession, but not available to Plaintiffs, that establish those facts; and (3) can demonstrate how discovery of the specific information and deposition of specific individuals will enable Plaintiffs to not only rebut Defendants’ assertions of no genuine issues of fact, but, upon information and belief, also establish one or more willful and intentional Privacy Act violations by Defendants. Fairness and judicial economy, as well as the purposes of Federal Rule of Civil Procedure 56(f), should compel the Court to grant Plaintiffs appropriate discovery, as discussed in the attached Memorandum of Points and Authorities.
As unavailability of the facts contained in the discovery and depositions sought herein by Plaintiffs will have a material and adverse impact on the substance of Plaintiffs’ opposition to Defendants’ Motion, Plaintiffs respectfully request the Court to timely rule on the instant Motion or extend the date for filing Plaintiffs’ opposition until a reasonable time after such a ruling is forthcoming or the ordered discovery is completed.

Plaintiffs are informed that Defendants will oppose this motion.

Respectfully submitted,

/s/ Douglas J. Rosinski
Donald A. Cockrill
Douglas J. Rosinski
Ogletree, Deakins, Nash, Smoak & Stewart, P.C.
1320 Main Street, Suite 600
Columbia, SC 29201
(803) 252-1300
(803) 254-6517 (fax)
Counsel in No. 1:06-CV-01943(JR)

John C. Murdock
Jeffrey S. Goldenberg
Murdock Goldenberg Schneider & Groh, LPA
35 E. 7th Street, Suite 600
Cincinnati, OH 45202
(513) 345-8291
(513) 345-8294 (fax)
Counsel in No. 1:06-CV-01943(JR)

Marc D. Mezibov
Christian A. Jenkins
Mezibov & Jenkins, LLP
401 E. Court Street, Suite 600
Cincinnati, OH 45202
(513) 723-1600
(513) 723-1620 (fax)
Counsel in No. 1:06-CV-01943(JR)

Gary E. Mason
Alexander E. Barnett
The Mason Law Firm, P.C.
1225 19th Street, N.W., Suite 500
Washington, DC 20036
(202) 429-2290
(202) 429-2294 (fax)
Counsel in No. 1:06-CV-01943(JR)

Mark D. Smilow
Weiss & Lurie
The French Building
551 Fifth Avenue, Suite 1600
New York, NY 10176
(212) 682-3025
(212) 682-3010 (fax)
Counsel in No. 1:06-CV-01944(JR)

Dated: March 02, 2007

Case 1:06-mc-00506-JR Document 13 Filed 03/02/2007

UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF COLUMBIA

In Re: DEPARTMENT OF VETERANS AFFAIRS (VA) DATA THEFT LITIGATION
Misc. Action No. 06-0506 (JR)
MDL Docket No. 1796

This Document Relates To: ALL CASES

MEMORANDUM OF POINTS AND AUTHORITIES IN SUPPORT OF PLAINTIFFS’ RULE 56(f) MOTION FOR DISCOVERY

Defendants have published a detailed description of an extensive array of sworn interviews, policies, procedures, reports, and other documentation, and other physical evidence which Defendants have publicly asserted form the factual basis for their own legal conclusions regarding the causes underlying the May 3, 2006, theft of Privacy Act records from the home of a Department of Veterans Affairs (“Department” or “VA”) employee. Despite this trove of admittedly relevant, if not dispositive, factual information, Defendants elected to rely solely upon a report selectively summarizing and opining on the factual material as the primary support for their “Defendants’ Motion to Dismiss Or, in the Alternative, For Summary Judgment” (Feb. 22, 2007) (“Defs.’ Mot.”) and the associated “Statement of Material Facts As To Which There Is No Genuine Dispute” (“Defs.’ Facts”). Unlike Defendants, Plaintiffs seek to base their submittals on the actual relevant facts, not inadmissible narrative and conclusory opinion.

Clearly, Defendants have no legal duty to cite the original or most relevant sources of the “facts” upon which they rely in seeking summary judgment and they have not done so. Pursuant to Federal Rule of Civil Procedure 56(f) (“Rule 56(f)”), however, Plaintiffs have a right to the essential factual information needed to justify their opposition to a motion for summary judgment.
The Court, therefore, should order Defendants to produce the factual information in their possession and control because Plaintiffs: (1) cannot fully present relevant facts in opposition to Defendants’ motion in the absence of any discovery; (2) can identify specific sworn testimony, documents, and other material in Defendants’ possession, but not available to Plaintiffs, that establish relevant facts; and (3) can demonstrate how discovery of specific information and deposition of specific individuals will enable Plaintiffs to fairly oppose summary judgment.

DISCUSSION

Plaintiffs are entitled to a fair opportunity to respond to a defendant’s summary judgment motion. When a plaintiff cannot by affidavit present “facts essential to justify his opposition, the court may refuse the application for judgment or may order a continuance to permit affidavits to be obtained or depositions to be taken or discovery to be had or may make such other order as is just.” Fed. R. Civ. P. 56(f). Rule 56(f) “allows a summary judgment motion to be denied, or the hearing on the motion to be continued, if the non-moving party has not had an opportunity to make full discovery.” Celotex Corp. v. Catrett, 477 U.S. 317, 326 (1986).

“Under Rule 56(f), a court ‘may deny a motion for summary judgment or order a continuance to permit discovery if the party opposing the motion adequately explains why at that timepoint, it cannot present by affidavit facts needed to oppose the motion.’” Banks v. Veneman, 402 F.Supp.2d 43, 47 (D.D.C. 2005) (quoting Strang v. U.S. Arms Control & Disarmament Agency, 864 F.2d 859, 861 (D.C. Cir. 1989)). The party seeking discovery bears the burden of identifying the facts to be discovered that would create a triable issue and why the party cannot produce those facts in opposition to the motion. Id. (citing Byrd v. United States EPA, 174 F.3d 239, 248 n.8 (D.C. Cir. 1999)).
The party must also demonstrate a reasonable basis to suggest that discovery might reveal triable issues of fact. Id. (citing Carpenter v. Nat’l Mortgage Ass’n, 174 F.3d 231 (D.C. Cir. 1999)). Plaintiffs here satisfy each of these conditions and are, therefore, entitled to discovery and depositions.

Plaintiffs Are Unable to Provide the Needed Facts by Affidavit

Plaintiffs cannot establish the relevant facts by affidavit as they were not personally involved in the Privacy Act violations or the subsequent investigation. Essentially all of the factual material relevant to this case, however, has been gathered and reviewed by Defendants. The VA Office of Inspector General (“VA OIG”) “investigated the circumstances surrounding the theft of VA records containing veterans’ and other individuals’ personal identifiers.” “Review of Issues Related to the Loss of VA Information Involving the Identity of Millions of Veterans” (Jul. 11, 2006) (“VA OIG Rep’t”) at 1.

    In performance of this review, [OIG] interviewed the employee, his supervisors, project managers, and co-workers; privacy, information security, and VA law enforcement officials; VA Austin Automation Center (AAC) officials; Office of General Counsel (OGC) attorneys, including the General Counsel and Deputy General Counsel; the Chief of Staff; the Deputy Secretary; and other Department officials. [OIG] reviewed the employee’s position description and performance standards; the local jurisdiction’s police report of the theft; e-mail, notes, memoranda, and other documentation; chronologies of events prepared by the employee, OPP&P staff, OGC staff, and others; documentation of the employee’s access to VA databases; the VA Security Operations Center (SOC) incident report; and other pertinent information. [OIG] reviewed cyber security and information security policies published by VA and its organizational components, relevant online training modules, and VA contract documents and contract administrative records. [OIG] also conducted a forensic analysis of the contents of the compact disks (CDs) and other media the employee had at his home on the day of the burglary, as well as a forensic search of the contents of two other computers at his home.

Id. at 2 (emphasis added). The VA OIG Report contains no citation - not a single one - to any of the interviews, reviews, documents, or analyses identified as the factual basis of the document.

There are, of course, no legal requirements regarding the underlying factual basis of a report by the VA OIG. This is not so, however, for a summary judgment motion submitted pursuant to Federal Rule of Civil Procedure 56. The “judgment sought shall be rendered forthwith if the pleadings, depositions, answers to interrogatories, and admissions on file, together with the affidavits on file show that there is no genuine issue as to any material fact.” Fed. R. Civ. P. 56(c). Defendants failed to submit any depositions, answers to interrogatories, or admissions because there has been no discovery. Further, the few affidavits submitted by Defendants do not provide any basis for the majority of the purportedly uncontested facts. See generally, Defs.’ Facts (less than half of the asserted facts rely in any part on affidavits). Defendants, of course, have not yet submitted any pleadings. Thus, Defendants’ lengthy Motion is largely based on OIG’s interpretation of the underlying facts, which are unavailable to Plaintiffs.
Plaintiffs Have Not Had Any Opportunity For Discovery

There has been no discovery in this case because Defendants filed their Motion before the parties had even met and discussed a possible case schedule.¹ This rush to file is curious as Defendants vigorously pleaded before the Judicial Panel on MultiDistrict Litigation that coordinated discovery was important to fair resolution of this case and Defendants identified the need for discovery regarding some of the very facts Plaintiffs seek to establish through this Motion.

    [T]he main issues for discovery will concern the manner in which the data was maintained at VA headquarters, the manner in which John Doe accessed the data at VA headquarters, and the manner in which that data was stolen from John Doe’s home. The overwhelming number of relevant witnesses are thus likely to be employees (or former employees) of VA and/or other individuals located in the Washington, D.C. area.

“Memorandum in Support of Defendants Department of Veterans Affairs, Secretary of Veterans Affairs R. James Nicholson, Deputy Secretary Gordon G. Mansfield, And VA Employee John Doe’s Motion For Transfer and Coordination Pursuant to 28 U.S.C. § 1407” (Jul. 10, 2006) at 7-8. Thus, Defendants submitted their Motion despite the previously admitted need for discovery and identification of the likely sources of relevant facts. Plaintiffs, therefore, should be allowed an opportunity to obtain the facts at issue in this litigation before submitting argument regarding those facts.

¹ Following submittal of Defendants’ Motion, Plaintiffs’ counsel have conferred several times with Defendants’ counsel regarding the possibility of discovery on the issues raised in this Motion and in “Plaintiffs’ Proposed Scheduling Order” (Feb. 20, 2007). The parties, however, have not been able to reach an agreement.
Facts Possessed By Defendants Establish Many Triable Issues

In support of its critical factual assertions, Defendants’ mammoth submittal cites only the VA OIG Rep’t. Indeed, Defendants cited the VA OIG Report no less than thirty-one (31) times as the factual basis for their twenty-two (22) proposed “Material Facts As To Which There Is No Genuine Issue.” Defs.’ Facts at 2-9. The VA OIG’s opinions, however, are not facts and even if they were, Plaintiffs have a right to review the same information underlying such “facts” as Defendants.

In this Motion, Plaintiffs seek information underlying Defendants’ factual assertions and that is reasonably calculated to lead to admissible evidence. Towards that end, Plaintiffs specify in detail the basis for each category of information sought in Exhibit A to this Motion. A similar basis for each deposition Plaintiffs seek is provided in Exhibit B. In summary form, some of the triable issues that the facts Plaintiffs seek will establish include:

1. Whether Defendants complied with the mandatory requirements of the “Privacy Act Guidelines - July 1, 1975” published in the Federal Register on July 9, 1975.

2. Whether Defendants complied with the mandatory requirements in 38 C.F.R. § 1.576 regarding safeguarding individuals against an invasion of privacy and to collect, maintain, use, or disseminate records of personally identifiable information in a manner that assures that such information is for a necessary and lawful purpose, and to ensure that adequate safeguards are provided to prevent misuse of such information.

3. Whether Defendants complied with the mandatory requirements in federal policies, procedures, and guidelines which established minimum standards for Defendants’ gathering, maintaining, disclosing, using, and safeguarding Privacy Act records including, but not limited to, Office of Management and Budget (“OMB”) Circular A-130, National Institute of Standards and Technology (“NIST”) Federal Information Processing Standards Publication 199, NIST Special Publication 800-14, NIST Special Publication 800-18, and NIST Special Publication 800-53, VA Directive 0710, and VA Handbook 6300.5.

4. Whether Privacy Act records or other personal information was copied from the computer hard drive stolen on May 3, 2006.

5. Whether Defendants only disclosed Plaintiffs’ personal information (1) upon written authorization of the individual to whom the information pertained or (2) to persons who had been authorized to access the information pursuant to applicable regulations and procedures and then only for specified “routine” uses.

6. Whether Defendants’ employee John Doe improperly accessed the BIRLS system of records that ultimately were stolen from his home by obtaining the requisite knowledge to do so from his supervisors and coworkers, who simply told John Doe how to access Privacy Act record information prepared for other purposes.

7. Whether Defendants intentionally or willfully failed to perform the employee background checks required by VA policies, procedures, and guidelines before allowing John Doe to access and transfer VA Privacy Act files.

8. Whether John Doe’s Position Sensitivity Level Designation was intentionally and willfully maintained at “limited impact” while he was able to access “mission critical” systems of records.

9. Whether Defendants intentionally and willfully improperly classified the sensitivity of the BIRLS system of records to avoid the more substantial and onerous safeguards requirements for a “mission critical” system.

10. Whether Defendants intentionally and willfully assigned an untrained and inexperienced employee the duties of “Position Sensitivity Designator,” who failed to perform a single evaluation of security risk factors or sensitivity designation of any data analyst in the office where John Doe worked.

11. Whether Defendants intentionally and willfully ignored OMB and NIST policies and procedures for technology security and threat analyses of VA computer systems containing Privacy Act records.

12. Whether Defendants ever conducted a security threat analysis of any sort or had any reasonable basis for their few Privacy Act safeguards requirements.

13. Whether Defendants intentionally and willfully failed to address inherent and obvious security risks to VA Privacy Act records identified in numerous relevant federal policies, procedures, guidelines, and Defendants’ own training materials.

14. Whether Defendants implemented or attempted to implement any software or hardware safeguards to protect VA Privacy Act records.

15. Whether Defendants’ employee training program was based on any security threat analysis or was arbitrarily, capriciously, and recklessly implemented without a basis to believe it was adequate to safeguard Privacy Act records.

16. Whether an employee’s ability to transfer Privacy Act records and files from VA computer systems lacking software or hardware safeguards while remaining undetected established a reasonably foreseeable security threat and, if so, was Defendants’ failure to consider such an obvious threat intentional and willful or the result of professional incompetence so reckless as to exceed gross negligence.

17. Whether the admitted “gap” between Defendants’ policies, procedures, and guidelines and Privacy Act requirements was the result of Defendants’ willful and intentional acts or the result of professional incompetence so reckless as to exceed gross negligence.

18. Whether Defendants’ supervisors and managers knew of John Doe’s transfer of files containing VA Privacy Act information to his home, but intentionally and willfully failed to require appropriate safeguards in violation of regulations, policies, and procedures.

19. Whether the Federal Register description of the BIRLS system of records effective on May 3, 2006, was defective and whether Defendants intentionally and willfully violated the Privacy Act by failing to update the BIRLS system of records description in the Federal Register after changes to the records maintained in BIRLS were made in approximately 1993.

20. Whether John Doe or other VA employees coerced VA contractor Westat, Inc., to illegally disclose thousands of veterans’ Social Security Numbers for an improper purpose.

21. Whether Defendants intentionally and willfully ignored official reports of inadequate safeguards for Privacy Act records and, therefore, intentionally and willfully endangered those records.

22. Whether Defendant Nicholson intentionally and willfully misled Congress and Plaintiffs regarding the date when he became aware of the May 3, 2006, records theft in order to cover up his participation in efforts to diffuse responsibility and liability for the underlying Privacy Act violations.

23. Whether Defendants willfully and intentionally failed to preserve clearly relevant evidence in order to cover up their own Privacy Act violations.

24. Whether Defendants’ nearly three-week delay in publicly announcing the May 3, 2006, theft of Privacy Act records was an intentional and willful attempt to cover up Defendants’ Privacy Act violations and avoid a politically embarrassing disclosure conflicting with the President’s May 10, 2006, announcement of Executive Order 13402, entitled, “Strengthening Federal Efforts To Protect Against Identity Theft,” and designating Defendant Nicholson as a member of a federal “Identity Theft Task Force.”

25. Whether Defendants intentionally and willfully published a backdated version of the VA “Security Guidelines for Single User Remote Access” on May 22, 2006, and prepared false Congressional testimony that the backdated Guideline applied to the May 3, 2006, data theft.

26. Whether Defendant Nicholson was complicit with other officials in concocting Congressional testimony to conceal Defendants’ Privacy Act violations.

27. Whether the VA Inspector General failed to include numerous potential Privacy Act violations and other violations in the VA OIG report to protect Defendants and others from legal liability or to conceal the willful and intentional nature of such violations.

These issues, and others, demonstrate that Plaintiffs seek discovery that well exceeds the requirement of “a reasonable basis to suggest that discovery might reveal triable issues of fact.” Carpenter, 174 F.3d at 237.

Plaintiffs Seek Specific Facts

Plaintiffs have identified specific facts and specific sources of those facts in Exhibit A (documents) and Exhibit B (deponents) which are necessary to respond to factual issues raised by Defendants’ summary judgment motion. The discovery sought by Plaintiffs is relevant, and not only needed to rebut Defendants’ factual allegations, but also calculated to lead to the discovery of admissible evidence.
Defendants raised factual issues regarding, inter alia, John Doe’s authorization, Defs.’ Facts ¶¶ 16-21; Memorandum in Support of Defendants’ Motion to Dismiss Or, in the Alternative, For Summary Judgment (Feb. 22, 2007) (“Defs.’ Mem.”) at 58-60, the adequacy of Defendants’ Privacy Act safeguards, Defs.’ Facts ¶¶ 9-14; Defs.’ Mem. at 63-69, whether any files were accessed or illegal “disclosures” occurred, Defs.’ Facts ¶ 3; Defs.’ Mem. at 60-61, whether the BIRLS database Federal Register notice was accurate, Defs.’ Facts ¶ 8; Defs.’ Mem. at 52 n.25, 62-63, and the actual contents of the stolen hard drive, Defs.’ Mem. at 61-62, and whether the stolen Privacy Act records were accessed while missing. Defs.’ Facts ¶ 3; Defs.’ Mem. at 60-61. Thus, discovery is “necessary to allow the Court to make a fully informed decision on Defendant[s’] summary judgment motion.” Banks, 402 F.Supp.2d at 48 (denying Defendant’s motion because “discovery is necessary before summary judgment can be properly considered”).

Plaintiffs Have Attempted To Obtain the Factual Information From VA

Defendant VA has not responded to Plaintiffs’ requests for information submitted pursuant to the Freedom of Information Act (“FOIA”). Undersigned counsel submitted a detailed set of FOIA requests to the VA FOIA officer and to the VA OIG on January 5, 2007. Affidavit of Douglas J. Rosinski (Mar. 1, 2007) (“Rosinski Aff.”) (attached as Exhibit C) ¶ 4 and Att. 1. Further, counsel agreed to accept piecemeal responses and to assume responsibility for up to $500.00 in initial costs. Id., Att. 1 at 2. The requests were transmitted and received by facsimile and certified first class mail. Id., Atts. 2 and 3. Receipt by the VA OIG was confirmed in a telephone call from Ms. Sherie Landes, a supervisor in the VA OIG, to counsel’s litigation assistant on January 5, 2007. Affidavit of Jennifer Blackmon (Mar. 1, 2007) (“Blackmon Aff.”) (attached as Exhibit D) ¶¶ 4, 5.

The information requested on January 5, 2007, is essentially the same information now sought in this Motion. Further, much of the information requested was admittedly complete, gathered, and organized by OIG no later than July 2006. Yet, as of the date of this motion, not a single page of information has been received, nor has counsel’s office received any further contact from VA regarding the requests. Rosinski Aff. ¶¶ 6, 7; Blackmon Aff. ¶¶ 6, 7.

CONCLUSION

Plaintiffs have demonstrated that they satisfy all the requirements to obtain an Order for discovery and depositions pursuant to Rule 56(f) because: (1) Plaintiffs cannot provide facts by affidavit; (2) there has been no opportunity for discovery; (3) the facts sought will establish a number of triable issues; (4) Plaintiffs have identified specific facts and witnesses relevant to the issues raised by Defendants which are calculated to lead to the discovery of admissible evidence; and (5) Plaintiffs have been unsuccessful in obtaining the required information from Defendants in another manner. The Court, therefore, should grant Plaintiffs’ motion, deny Defendants summary judgment, and order the discovery and depositions sought by Plaintiffs.

Respectfully submitted,

/s/ Douglas J. Rosinski
Donald A. Cockrill
Douglas J. Rosinski
Ogletree, Deakins, Nash, Smoak & Stewart, P.C.
1320 Main Street, Suite 600
Columbia, SC 29201
(803) 252-1300
(803) 254-6517 (fax)
Counsel in No. 1:06-CV-01943(JR)

John C. Murdock
Jeffrey S. Goldenberg
Murdock Goldenberg Schneider & Groh, LPA
35 E. 7th Street, Suite 600
Cincinnati, OH 45202
(513) 345-8291
(513) 345-8294 (fax)
Counsel in No. 1:06-CV-01943(JR)

Marc D. Mezibov
Christian A. Jenkins
Mezibov & Jenkins, LLP
401 E. Court Street, Suite 600
Cincinnati, OH 45202
(513) 723-1600
(513) 723-1620 (fax)
Counsel in No. 1:06-CV-01943(JR)

Gary E. Mason
Alexander E. Barnett
The Mason Law Firm, P.C.
1225 19th Street, N.W., Suite 500
Washington, DC 20036
(202) 429-2290
(202) 429-2294 (fax)
Counsel in No. 1:06-CV-01943(JR)

Mark D. Smilow
Weiss & Lurie
The French Building
551 Fifth Avenue, Suite 1600
New York, NY 10176
(212) 682-3025
(212) 682-3010 (fax)
Counsel in No. 1:06-CV-01944(JR)

Dated: March 02, 2007

Exhibit A

Specific Information In Defendants’ Possession or Control Needed For Plaintiffs to Fairly Respond to Factual Assertions Raised in Defendants’ Summary Judgment Motion

1. Audio and visual recordings and transcripts of the interviews and sworn testimony obtained by agents of the Department of Veterans Affairs, Office of Inspector General (“OIG”), subsequent to the May 3, 2006, theft of Privacy Act records from the home of a VA employee which are described on page 2 of Report No. 06-02238-163, “Review of Issues Related to the Loss of VA Information Involving the Identity of Millions of Veterans” (Jul. 11, 2006) (“VA OIG Rep’t”).
Upon information and belief those interviewed include, but are not limited to, the following individuals, some of whom were interviewed on more than one occasion:¹

• John Baffa, Deputy Assistant Secretary for Security and Law Enforcement
• Thomas Bowman, Chief of Staff
• Pedro Cadenas, Associate Deputy Assistant Secretary for Cyber and Information Security
• Johnny Davis, Acting Deputy Assistant Secretary for Security Operations
• John Doe,² Information Technology Specialist
• Kevin Doyle, Team Leader, VA Police Operations
• Dennis Duffy, Acting Assistant Secretary, OPP&P
• Lorrie Johnson, Deputy Assistant General Counsel
• Susan Krumhaus, Supervisory Statistician
• Gordon Mansfield, Deputy Secretary
• Deborah McCallum, Assistant General Counsel
• Tim McClain, General Counsel
• Michael McLendon, Deputy Assistant Secretary for Policy
• Joe Salvatore, Information Technology Specialist
• Jack Thompson, Deputy General Counsel
• Dat Tran, Acting Director, Data Management and Analysis Service
• Rae White, Information Security Manager
• Mike Wortsell, Assistant Director for Business Management

¹ For example, Dat Tran was interviewed on at least 4 occasions between May 22 and June 19, 2006.

² Plaintiffs will continue to refer to the VA employee from whose home the Privacy Act records were stolen on May 3, 2006, as “John Doe.”

Case 1:06-mc-00506-JR Document 13-2 Filed 03/02/2007

Specific Basis: Defendants’ summary judgment arguments are largely based on facts purportedly established by the VA OIG Report. That report, however, merely summarizes (with unknown accuracy) the actual facts contained in statements made by Defendants’ employees, managers, and officials to OIG investigators. Moreover, OIG’s failure to provide any citations to the sources of these “facts” leaves Plaintiffs - and the Court - without means to verify or challenge OIG’s interpretations.
Defendants’ failure to cite any of these interviews (which were taken under oath) further requires that Plaintiffs have full and unfettered access to the original, unredacted statements of the key fact witnesses in this matter.

2. The documents provided to OIG by each of the individuals identified above or by other VA employees or officials, whether interviewed or not, provided before, during, or after the interviews.

Specific Basis: Similar to the sworn testimony described above, upon information and belief OIG was provided with or assembled on its own, numerous relevant documents, including policies, procedures, and internal correspondence, used as exhibits during interviews or provided in response to OIG requests. As with the sworn testimony, Defendants cite only OIG’s filtered and untraceable summary of selected portions of these documents. Equally relevant are the documents not found during the OIG investigation (e.g., “authorization” forms, etc.). Plaintiffs’ full and unfettered access to these documents or concession that such documents do not exist is critical to Plaintiffs’ ability to fully respond to Defendants’ factual assertions.

3. Copies of all drafts, comments, comment resolutions, and any other documents related to preparation of the VA OIG Report.

Specific Basis: Upon information and belief, OIG investigators identified instances of potential violations of the Privacy Act, VA contractual terms and conditions, and VA policies, procedures and practices that were either not fully discussed or not discussed at all in the VA OIG report. Examples of significant issues identified to the Inspector General’s investigators, but not revealed in the VA OIG report, include:

• On May 18, 2006, Tim McClain, VA General Counsel at the time, stated to OIG investigators that “there’s no question” regarding the May 3, 2006, theft. “It’s a Privacy Act violation.”
• VA employees Susan Krumhaus and John Doe admitted causing disclosure of thousands of veterans’ Social Security Numbers (“SSNs”) in furtherance of a plan to knowingly violate VA’s representations of anonymity to veterans participating in the 2000/2001 NSV.
• Dat Tran, Acting Director, Data Management and Analysis Service, reported to the OIG and the VA CIO that the “guidelines” document identified by Defendants as implementing security requirements that John Doe allegedly violated on May 3, 2006, was actually created at 4:12 pm on May 22, 2006, not on March 10, 2006, as the date on the document indicated.
• Jack Thompson, Deputy General Counsel, stated to OIG investigators that he personally told Secretary Nicholson that the backdated “guidelines” document was (1) relevant to the May 3, 2006, theft and (2) provided a specific basis to charge John Doe with willful violation of office policy, both conclusions which the OIG specifically determined were unfounded.
• OIG investigators were specifically told by VA employees of the Austin, Texas, data center that the current Federal Register notice describing the BIRLS database did not accurately describe the contents of the database and would not inform millions of individuals that VA had their personal information.
• Pedro Cadenas, Associate Deputy Assistant Secretary for Cyber and Information Security, testified to OIG investigators that higher level officials in VA had ignored his specific recommendations to address Privacy Act safeguards issues.
• Dennis Duffy, Acting Assistant Secretary of OPP&P, testified that he had reason to believe that Defendant Nicholson had been informed of the May 3, 2006, Privacy Act records theft well before the date that Defendant Nicholson testified to Congress.
• Dennis Duffy also testified to OIG investigators that he believed the May 3, 2006, event was a “clear” Privacy Act violation.
It is difficult to conceive that OIG investigators uncovering these potential violations did not provide this information to their superiors or include the information in an initial version of the report. It is not difficult, however, to recognize the importance of this information to Plaintiffs before responding to Defendants’ Motion. In any event, the VA OIG Report drafts should be provided to Plaintiffs to establish who eliminated these clearly damaging facts from the VA OIG Report and why.

4. The following specific documents or classes of documents and electronically stored information are particularly relevant to Plaintiffs’ opposition to summary judgment and were either referenced (indirectly) in the VA OIG Report or Defendants’ motion, but are not available to Plaintiffs.

a. The native files, including metadata, web access logs, and other information and documentation, including all hardcopy and electronic drafts, associated with the document entitled “Security Guidelines for Single User Remote Access” discussed on page 29 of the VA OIG Report;

b. The Home Use Agreement(s), if any, for the SAS computer program or any other computer hardware or software authorizing home use by Susan Krumhaus, Dat Tran, John Doe and Joe Salvatore;

c. The VA Form 2280 (Position Sensitivity Level Designation), if any, existing on May 3, 2006, for Susan Krumhaus, Dat Tran, John Doe and Joe Salvatore;

d. Requests or agreements, in whatever form, between VA Office of Policy, Planning, and Preparedness (“OPP&P”) personnel, including but not limited to Susan Krumhaus, Dat Tran, and John Doe, and the Veterans Records Support Division in Austin, Texas, regarding the creation, maintenance, or access to the “BIRLS” database or any extracts of the BIRLS database, including but not limited to, the “January 2006” BIRLS quarterly abstract;

e. The procedure(s) specifying the process and requirements for authorization of access to VA databases and the procedure(s) specifying when and how employee background checks were required to be performed effective on May 3, 2006;

f. Documents identifying which VA databases had access limited to properly authorized individuals on May 3, 2006;

g. Documentation of all authorization(s) to access VA databases granted to Susan Krumhaus, Dat Tran, Joe Salvatore and John Doe; and

h. Documents establishing whether or not background checks had been conducted or scheduled for employees and contractors assigned to John Doe’s work organization (VA OPP&P) in May 2006 (the actual background checks are not desired, only documents indicating status, such as the dates of the checks already performed or the schedule for future checks, etc.).

Specific Basis: Defendants heavily rely on the purported fact that John Doe “was authorized” to access the Privacy Act records at issue. See, e.g., Defs.’ Facts 16, 21; Defs.’ Mem. at 58-60. In each case, Defendants cite the VA OIG Report as the source of this “fact.” While the VA OIG report contains the statements relied upon by Defendants, the OIG did not cite any factual basis for its conclusion. Nor did Defendants or the OIG provide any of the procedures purportedly governing granting “authorization” to employees or any documentation required by those procedures supporting the “fact” that John Doe was authorized. The contents of the identified documents, in conjunction with the policies and procedures sought in other requests, are the factual basis for resolution of this critical issue. Once again, Defendants’ failure to support their factual assertions with these fundamentally relevant documents should compel the Court to order the requested production.

5. Documents related to any employment action taken against or voluntarily entered into, including resignations, by any VA employee who was interviewed by OIG regarding the May 3, 2006, Privacy Act records theft, including but not limited to, Merit Systems Protection Board records, VA correspondence, and notices of resignation or retirement submitted since May 3, 2006.

Specific Basis: One of Defendants’ principal arguments in seeking summary judgment on Plaintiffs’ allegations of Privacy Act safeguards violations is that no one “commit[ted] any act that was ‘so patently egregious and unlawful that anyone undertaking the conduct should have known it unlawful.’” Defs.’ Mem. at 67. Yet, upon information and belief, numerous officials, and at least one employee, have been removed from their positions as a direct result of the May 3, 2006, event. Upon further information and belief, at least one of those removals was involuntary and purportedly based on alleged violations of policy, procedure, or other legal requirements. It is inconsistent for Defendants to argue in this litigation that no one violated any legal requirements, having forced termination or resignation of individuals for violating those same requirements. Plaintiffs, therefore, have a right to establish the factual basis for any employment action with potential ties to the Privacy Act issues in this case.

6. Documents associated with Westat, Inc. (“Westat”) and the handling of veterans’ Privacy Act records provided to Westat by VA:

a. Discussing the terms and conditions of the contract or contracts between VA and Westat associated with the 2000 National Survey of Veterans, also known as the 2001 National Survey of Veterans (“NSV”), including, but not limited to, the contract, riders, or later modifications regarding the handling or security of personally identifying information provided to Westat by any VA employee or official.

b. Records of communications, in whatever form, by any VA official or employee to or from Westat regarding transmittal or use of data from the 2000/2001 NSV, including, but not limited to documents regarding the transmittal of approximately 14,000 SSNs from Westat to John Doe or Susan Krumhaus during the period from 2002 to 2006.

Specific Basis: Upon information and belief, VA employees Susan Krumhaus and John Doe testified under oath to OIG that, in support of John Doe’s “fascination project,” both undertook a concerted effort to force Westat to provide John Doe with thousands of veterans’ SSNs previously provided to Westat by VA for other purposes. Reportedly, Westat at first refused to turn over the SSNs because of concerns regarding doing so, but eventually provided the information. These SSNs ultimately ended up on the hard drive stolen from John Doe’s home on May 3, 2006. These facts strongly support several of Plaintiffs’ allegations regarding Defendants’ willful and intentional Privacy Act violations. Moreover, and equally significant, is that the VA Inspector General did not identify, or apparently further investigate, the facial Privacy Act violation inherent in the admissions by Ms. Krumhaus and Mr. Doe, although those admissions were made directly to OIG investigators. At a minimum, this raises questions of the Inspector General’s independence and the credibility of the VA OIG Report as a “factual” basis for any of Defendants’ assertions.

7. Documentation of security threat analyses or any other VA determination or consideration of the administrative, software, or hardware controls required to reasonably safeguard Privacy Act records performed by VA upon which Defendants factually base their conclusion that the VA’s “Privacy and Security Courses” described in their motion “contained safeguards meeting the requirements of [5 U.S.C.] § 552a(e)(10).” Defs.’ Mem. at 64.
Specific Basis: Defendants forcefully assert that VA employee security training fully satisfied the Privacy Act safeguards requirements, Defs.’ Mem. at 64, but provided no factual support for this conclusory assertion.[3] Upon information and belief, Office of Management and Budget (“OMB”) and the National Institute of Standards (“NIST”) requirements that apply to VA require such analyses to determine the scope of safeguards required to satisfy the Privacy Act. In any event, the lack of any factual basis for the safeguards chosen by Defendants would eviscerate Defendants’ assertions of safeguards “adequacy” as a matter of fact. Moreover, implementing safeguards established without any factual basis is a quintessential “arbitrary and capricious” action. Plaintiffs, therefore, have a right to review the factual basis, if any, for Defendants’ assertions.

8. All documents, communications, or other information regarding destruction of one or more of the original compact disks (“CDs”) that John Doe stated he used to remove Privacy Act records from VA workspaces to his home and deletion of electronically stored information from a memory “stick” used for the same purpose.

Specific Basis: Upon information and belief, Defendants made no effort to preserve potential evidence related to the removal of Privacy Act records from VA offices to Mr. Doe’s home. Plaintiffs are informed that Mr. Doe retained physical possession of approximately seventeen (17) CDs known or suspected to contain Privacy Act records for approximately two weeks after the May 3, 2006, theft was reported to VA officials. Further, Mr. Doe copied information from these CDs onto multiple other CDs and destroyed a number of the original CDs. Even more troubling, a senior VA official admitted ordering the deletion of files from Mr. Doe’s memory stick, which the official knew contained VA Privacy Act records removed from the VA system by Mr. Doe. This bald destruction of evidence is, of course, violative of Defendants’ duty of preservation of potentially relevant evidence. In addition, the degree of knowledge of and participation by one or more VA officials in the destruction of potential evidence clearly raises issues of spoliation motivated by fear of discovery of intentional and willful Privacy Act violations. Plaintiffs, therefore, have a right to this information.

9. The original results of the forensic examinations of the hard drive containing the VA Privacy Act records stolen from John Doe’s home on May 3, 2006, performed by the Federal Bureau of Investigation (“FBI”) and VA, including all associated notes, documentation, and relevant procedures and datasheets.

Specific Basis: Almost inconceivably, Defendants cite two FBI press releases as the factual basis for their purported ‘fact’ that the “data on the hard drive was never accessed after the theft.” Defs.’ Facts 3 (emphasis added). Notwithstanding that the press releases speak only of a degree of “confidence” that there was no data access, the only obvious evidentiary value of the press releases is to establish that FBI and VA forensically analyzed the hard drive. Plaintiffs should not be forced to rely on press release summaries of critical evidence in responding to Defendants’ factual assertions and the Court should order production of this clearly relevant information.

[3] To be clear, Plaintiffs are not arguing here whether the training contained the substance asserted by Defendants or whether the training was conducted as asserted. Plaintiffs are challenging whether and how Defendants established that the described training satisfied the legal requirements of 5 U.S.C. § 552a(e)(10) and that the training alone, without software or hardware safeguards, as a matter of law, was adequate.
Exhibit B

Specific Depositions Needed For Plaintiffs to Fairly Respond to Factual Assertions Raised in Defendants’ Summary Judgment Motion

1. Susan Krumhaus. Upon information and belief, Ms. Krumhaus was John Doe’s supervisor on one or more projects relevant to the issues in this litigation. Ms. Krumhaus, therefore, has unique information regarding: Mr. Doe’s alleged “authorization” to access VA Privacy Act Records; the “need” for Mr. Doe to remove Privacy Act records to his home; Mr. Doe’s and her own actions to cause Westat, Inc., to disclose SSNs to Mr. Doe; and related issues.

2. Dat Tran. Mr. Tran, Acting Director, Data Management and Analysis Service, was a co-worker of John Doe’s on several projects requiring access to VA Privacy Act records. In addition, Mr. Tran investigated the circumstances of the publication of the “Security Guidelines for Single User Remote Access” document, which he determined from the metadata was created on May 22, 2006, not on March 10, 2006, as reported in the OIG Report. Further, Mr. Tran stated that he polled his workforce and determined that no one he spoke with, including remote access users, was aware of the Guidelines. Based on these curious discoveries, Mr. Tran requested the Chief Information Officer investigate the matter further.

3. Jack Thompson. Mr. Thompson is the VA Deputy General Counsel who initially received the request for a legal opinion regarding the department’s responsibilities in light of the May 3, 2006, data theft. He was also present at a meeting to prepare Defendant Nicholson’s Congressional testimony. At that meeting, Mr. Thompson asserted to the Secretary that the “Security Guidelines for Single User Remote Access” document was relevant and provided a basis for firing the employee (John Doe), both positions which the OIG concluded were clearly erroneous. Information available to Plaintiffs does not indicate how Mr. Thompson, a deputy counsel, learned of an obscure guidance document on remote computer access that was virtually unknown to the technical employees using the remote access system or explain the coincidence of the creation of this document on May 22, 2006, and his recommendation to the Secretary on or about May 23, 2006.

4. George J. Opher. Mr. Opher is the VA Inspector General and held that position on May 3, 2006, and during the preparation and publication of the VA OIG Report. As such, Mr. Opher is uniquely situated to provide facts regarding: the failure to include numerous facts regarding potential Privacy Act or other violations in the VA OIG report, whether such omissions were directed by Defendants or other VA officials in furtherance of a cover-up of intentional and willful violations, and related issues.

5. Joseph Hunt. Mr. Hunt is CEO of Westat, Inc., a VA contractor. He either was, or can identify other Westat officials that were, contacted by Ms. Krumhaus and Mr. Doe regarding disclosure of SSNs associated with the 2000/2001 NSV. Mr. Hunt is also uniquely situated to describe the internal discussions and analyses conducted by Westat before finally disclosing the SSNs, the conditions under which Westat disclosed the information, and related issues.

6. Dennis Duffy. At the time of the May 3, 2006, records theft, Mr. Duffy was the VA Acting Assistant Secretary of OPP&P. Upon information and belief, Mr. Duffy stated to OIG investigators that he believed there had been a “clear” Privacy Act violation, personally directed destruction of potential electronically stored evidence, and expressed his belief that Defendant Nicholson learned of the May 3, 2006, records theft before the date claimed in Congressional testimony.

7. Unknown FBI Agent(s). Defendants concede that the FBI conducted forensic examinations of John Doe’s recovered hard drive.
The testimony of the agent or agents most knowledgeable of the examinations and the actual examination results are clearly the best, if not only, evidence to establish the critical fact of the probability of disclosure of the stolen Privacy Act records.

UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF COLUMBIA

In Re: DEPARTMENT OF VETERANS AFFAIRS (VA) DATA THEFT LITIGATION
Misc. Action No. 06-0506 (JR)
MDL Docket No. 1796

This Document Relates To: ALL CASES

[Proposed] ORDER

THIS MATTER having come before the Court on Plaintiffs’ Rule 56(f) Motion For Discovery, and good cause having been shown, it is hereby

ORDERED that Plaintiffs’ Motion is GRANTED;

It is further ORDERED that within fifteen (15) days of the date of this Order, Plaintiffs serve on Defendants requests for discovery as described in Exhibit A to Plaintiffs’ Rule 56(f) Motion For Discovery pursuant to the applicable Federal Rules of Civil Procedure;

It is further ORDERED that within thirty (30) days of service of Plaintiffs’ requests for discovery, Defendants produce the requested information or objections thereto; and

It is further ORDERED that within forty-five (45) days of Defendants’ production, Plaintiffs notice and perform the deposition of individuals who are listed in Exhibit B to Plaintiffs’ Rule 56(f) Motion For Discovery pursuant to the applicable Federal Rules of Civil Procedure.

SO ORDERED.

Dated:______________.

______________________________
JAMES ROBERTSON
United States District Judge