This bill prohibits the Department of Veterans Affairs from selling veterans' sensitive personal information and mandates that all VA contracts involving this data include clauses preventing its monetization or misuse by contractors.
Nicole (Nikki) Budzinski
Representative
IL-13
The Protect Veterans from the THIEF Act prohibits the Department of Veterans Affairs from selling sensitive personal information held by the VA. This legislation mandates that all VA contracts involving personal data must include clauses preventing contractors from selling or misusing that information. Furthermore, the VA must issue guidance to employees and contractors on identifying and preventing such misuse within one year of enactment.
Protect Veterans from the THIEF Act Bans VA Data Sales and Mandates Strict Contractor Privacy Standards
The Protect Veterans from the THIEF Act is a direct move to lock down the personal data of those who served. At its core, the bill prohibits the Secretary of Veterans Affairs from entering into any contract that allows a third party to sell a veteran's sensitive personal information. This isn't just about names and phone numbers; it covers 'covered information,' which includes protected health records under HIPAA and personally identifiable information, even if that data has been anonymized. By amending Section 5725 of title 38, the bill aims to ensure that a veteran’s medical history or private details don’t end up as a line item on a data broker's spreadsheet.
Locking the Digital Vault
Under Section 3, the VA has one year to overhaul its contracting process. Every new or existing contract involving personal data must now include a mandatory clause that explicitly forbids contractors and subcontractors from monetizing or misusing that info. Think of it like a non-negotiable digital prenup: if a company is hired to manage VA records or software, they are legally barred from turning that access into a side hustle. This applies to current contracts that haven't expired yet, meaning companies already working with the VA will have to fall in line with these stricter privacy standards or risk losing their standing.
Accountability and the Fine Print
To make sure these aren't just empty promises, the Secretary must issue a formal directive to VA employees and contractors on how to actually spot data misuse. This is the 'street smarts' part of the bill—it moves beyond policy and into active monitoring. Within a year, the VA has to hand over a report to Congress including the exact language of these new contract clauses and the guidance given to staff. While the bill is a major win for privacy, there is a bit of a 'wait and see' element: the definition of what counts as protected info can be expanded by the Secretary at any time. This gives the government flexibility to cover new types of data as technology evolves, but it also means the level of protection depends heavily on how strictly the VA chooses to define 'misuse' in their internal policies.