Military-Veterans Advocacy v. Secretary of Veterans Affairs
Military-Veterans Advocacy v. Secretary of Veterans Affairs
Opinion
Case: 23-1413 Document: 68 Page: 1 Filed: 03/06/2025
United States Court of Appeals for the Federal Circuit ______________________
MILITARY-VETERANS ADVOCACY, Petitioner
v.
SECRETARY OF VETERANS AFFAIRS, Respondent ______________________
2023-1413 ______________________
Petition for review pursuant to 38 U.S.C. Section 502. ______________________
Decided: March 6, 2025 ______________________
WILLIAM MILLIKEN, Sterne Kessler Goldstein & Fox PLLC, Washington, DC, argued for petitioner. Also repre- sented by PAIGE CLOUD, MICHAEL E. JOFFRE; JOHN B. WELLS, Law Office of John B. Wells, Slidell, LA.
ERIC LAUFGRABEN, Commercial Litigation Branch, Civil Division, United States Department of Justice, Wash- ington, DC, argued for respondent. Also represented by BRIAN M. BOYNTON, MARTIN F. HOCKEY, JR., PATRICIA M. MCCARTHY; CHRISTA A. SHRIBER, JONATHAN ELLIOTT TAYLOR, NICHOLAS XANTHAKOS, Office of General Counsel, United States Department of Veterans Affairs, Washing- ton, DC. ______________________ Case: 23-1413 Document: 68 Page: 2 Filed: 03/06/2025
2 MILITARY-VETERANS ADVOCACY v. SECRETARY OF VETERANS AFFAIRS
Before MOORE, Chief Judge, STOLL, Circuit Judge, and GILSTRAP, Chief District Judge.1 MOORE, Chief Judge. Military-Veterans Advocacy (MVA) filed a petition for review pursuant to 38 U.S.C. § 502, challenging Individu- als Using the Department of Veterans Affairs’ Information Technology Systems to Access Records Relevant to a Benefit Claim, 87 Fed. Reg. 121, 37744 (June 24, 2022) (Final Rule). Specifically, MVA challenges the validity of 38 C.F.R. § 1.601(a)(2), which requires users of Veterans Affairs’ (VA) Information Technology (IT) systems to poten- tially pass “a background suitability investigation” (the Background Check Provision), and 38 C.F.R. § 1.602(c)(1), which permits the VA to, “at any time without notice,” “in- spect the computer hardware and software utilized to ob- tain access to VA IT systems and their location” (the Inspection Provision). Because we hold the VA has author- ity to promulgate the Background Check Provision, but not the Inspection Provision, we grant-in-part and deny-in- part the petition and set aside 38 C.F.R. § 1.602(c)(1) of the Final Rule. BACKGROUND Title 38 of the United States Code establishes benefits for veterans who suffer from service-connected disabilities. In pursuit of these benefits, veterans may be represented by attorneys, agents, or a VA-recognized organization. 38 U.S.C. § 5904. To represent a veteran, an attorney or agent is provided access to the veteran’s claim file. 38 U.S.C. § 5701(b)(1); 38 C.F.R. § 1.577(a). Claim files of- ten include sensitive and confidential information, such as
1 Honorable Rodney Gilstrap, Chief Judge, United States District Court for the Eastern District of Texas, sit- ting by designation. Case: 23-1413 Document: 68 Page: 3 Filed: 03/06/2025
MILITARY-VETERANS ADVOCACY v. 3 SECRETARY OF VETERANS AFFAIRS
the veteran’s financial and medical records. Government Br. 5. Claim files can be accessed in three ways: (1) review- ing a paper copy at the VA, (2) requesting an electronic ver- sion on a compact disc or thumb drive, or (3) online through two internal VA electronic systems—Veterans Benefits Management System (VBMS) and Caseflow. Since 1994, the VA has permitted accredited individuals to apply for and obtain remote, read-only access to claim files on VBMS and Caseflow. The VA issued a Notice of Proposed Rulemaking to amend regulations 38 C.F.R. §§ 1.600, 1.601, 1.602, and 1.603, which address user requirements for accessing the VA IT systems. 85 Fed. Reg. 33, 9435 (Feb. 19, 2020). Rel- evant to MVA’s petition are 38 C.F.R. §§ 1.601(a)(2) and 1.602(c)(1). The proposed rule added the following lan- guage to 38 C.F.R. § 1.601(a)(2): To qualify for access to VBA IT systems, the applicant must comply with all security re- quirements deemed necessary by VA to en- sure the integrity and confidentiality of the data and VBA IT systems, which may include passing a background suitability investiga- tion for issuance of a personal identity verifi- cation badge. 85 Fed. Reg. at 9440. For 38 C.F.R. § 1.602(c)(1), the pro- posed rule maintained the prior language: (c) VBA may, at any time without notice: (1) inspect the computer hardware and soft- ware utilized to obtain access and their loca- tion[.] 85 Fed. Reg. at 9441. MVA submitted comments in response to the proposed rulemaking. J.A. 1174–83. MVA argued the regulations violated the pro-veteran canon of construction and due Case: 23-1413 Document: 68 Page: 4 Filed: 03/06/2025
4 MILITARY-VETERANS ADVOCACY v. SECRETARY OF VETERANS AFFAIRS
process, and are arbitrary and capricious by placing bur- dens on attorneys and violating attorney-client privilege. Id. The VA issued the relevant rules as proposed, with the exception of changing “VBA” to “VA,” and addressed some of MVA’s comments in its Final Rule. 87 Fed. Reg. at 37749–50. For the Background Check Provision, the VA explained attorneys who are in good standing with the bar cannot be excluded from the requirement because the pro- vision is required to implement personal identity verifica- tion badges. 87 Fed. Reg. at 37747. For the Inspection Provision, the VA noted the requirement had been in place since 1994 and applies to everyone who wants access to VA IT systems, and there is no law requiring the VA to provide access to the IT systems and no expectation of privacy when accessing the systems. Id. The Final Rule issued on June 24, 2022. 87 Fed. Reg. at 37744. MVA filed a petition for review of the Final Rule, spe- cifically the Background Check and Inspection Provisions. We have jurisdiction pursuant to 38 U.S.C. § 502. DISCUSSION I. Standing Before reaching the merits of MVA’s petition, we first determine whether MVA has Article III standing. “[S]tanding is an essential and unchanging part of the case- or-controversy requirement of Article III.” Lujan v. Defs. of Wildlife, 504 U.S. 555, 560 (1992). For a petitioner to have standing, it must show (1) an “injury in fact,” (2) “a causal connection between the injury and the conduct com- plained of,” and (3) a likelihood that “the injury will be ‘re- dressed by a favorable decision.’” Id. at 560–61 (quoting Simon v. E. Ky. Welfare Rts. Org., 426 U.S. 26, 38, 43 (1976)). To show standing as an organization, MVA must demonstrate the same requirements. Military-Veterans Case: 23-1413 Document: 68 Page: 5 Filed: 03/06/2025
MILITARY-VETERANS ADVOCACY v. 5 SECRETARY OF VETERANS AFFAIRS
Advoc. v. Sec’y of Veterans Affs., 7 F.4th 1110, 1129 (Fed. Cir. 2021). MVA argues it has organizational standing. Pet. 1–3; Reply Br. 5–6. The Government disagrees, arguing MVA cannot show injury-in-fact. Government Br. 20–21. We hold MVA has organizational standing to challenge the Fi- nal Rule because MVA demonstrated injury-in-fact. 2 Injury-in-fact is established by a “concrete and demon- strable injury to the organization’s activities.” Havens Re- alty Corp. v. Coleman, 455 U.S. 363, 379 (1982). MVA litigates, legislates, and educates on behalf of members of the military and military veterans. Pet. 1–2. In its repre- sentation of veterans, MVA uses, or would use if not for the Final Rule, VA IT systems governed by the Final Rule. Add. 4–6; Add. 8–11 (declarations of MVA members). 3 MVA argues the Final Rule frustrates its goal of represent- ing veterans by, for example, requiring its attorneys to use paper copies of client files rather than VBMS and Caseflow and causing its attorneys to lose veteran clients due to lack of VBMS and Caseflow access for failure to comply with the Background Check and Inspection Provisions of the Final Rule. Reply Br. 6; see also Add. 2–11. This is more “than simply a setback to the organization’s abstract social inter- ests,” but a concrete injury-in-fact. Havens, 455 U.S. at 379. Because MVA has organizational standing to
2 Because we hold MVA has organizational standing, we need not address whether MVA has associational stand- ing. 3 MVA moved to file an addendum containing two declarations from its members with the Reply Brief. E.C.F. No. 35. Because the Government did not oppose, id. at 2, we granted the motion, E.C.F. 40, and now consider these materials. Case: 23-1413 Document: 68 Page: 6 Filed: 03/06/2025
6 MILITARY-VETERANS ADVOCACY v. SECRETARY OF VETERANS AFFAIRS
challenge 38 C.F.R. §§ 1.601(a)(2) and 1.602(c)(1), we ad- dress the merits of MVA’s petition. II. The Final Rule We have jurisdiction to review the validity of both the rulemaking process and the challenged rules of the VA. McKinney v. McDonald, 796 F.3d 1377, 1383 (Fed. Cir. 2015); 38 U.S.C. § 502. We review the agency’s action pur- suant to 5 U.S.C. § 706(2) to determine whether the action was “arbitrary, capricious, an abuse of discretion, or other- wise not in accordance with law.” Serv. Women’s Action Network v. Sec’y of Veterans Affs., 815 F.3d 1369, 1374 (Fed. Cir. 2016). In our review, we “look to see whether the agency employed reasoned decisionmaking.” Id. A chal- lenge to the constitutionality of a regulation is a question of law we review without deference to the agency. Premin- ger v. Sec’y of Veterans Affs., 517 F.3d 1299, 1311–12 (Fed. Cir. 2008). A. The Background Check Provision The Background Check Provision of the Final Rule pro- vides: To qualify for access to VA IT systems, the ap- plicant must comply with all security require- ments deemed necessary by VA to ensure the integrity and confidentiality of the data and VA IT systems, which may include passing a background suitability investigation for issu- ance of a personal identity verification badge. 38 C.F.R. § 1.601(a)(2) (emphasis added). MVA argues the provision exceeds the VA’s statutory authority and is not the product of reasoned decision making. MVA Opening Br. 53–61. We do not agree. The Background Check Provision is within the VA’s statutory authority to promulgate regulations regarding information security. The VA cited 38 U.S.C. Case: 23-1413 Document: 68 Page: 7 Filed: 03/06/2025
MILITARY-VETERANS ADVOCACY v. 7 SECRETARY OF VETERANS AFFAIRS
§§ 501, 5721–28 as authority for promulgating 38 C.F.R. §§ 1.600–1.603, which includes the Background Check Pro- vision. 87 Fed. Reg. at 37749. Under 38 U.S.C. § 501, the VA, through the Secretary, “has authority to prescribe all rules and regulations which are necessary or appropriate to carry out the laws administered by the Department.” The VA is charged with prescribing rules to “establish and maintain a comprehensive Department-wide information security program to provide for the development and maintenance of cost-effective security controls needed to protect Department information, in any media or format, and Department information systems.” 38 U.S.C. § 5722(a). The VA, through the Assistant Secretary for In- formation and Technology, is also responsible for “[e]stab- lishing, maintaining, and monitoring Department-wide information security policies, procedures, control tech- niques, training, and inspection requirements as elements of the department information security program,” 38 U.S.C. § 5723(b)(1), and “[e]stablishing standards for ac- cess to Department information systems by organizations and individual employees, and to deny access as appropri- ate,” 38 U.S.C. § 5723(b)(6). These statutory provisions give the VA the authority to implement security require- ments for access to VA IT systems. The VA’s ability to promulgate regulations for IT secu- rity is tempered by the very same statute which provides the authority. The Secretary “shall ensure that the De- partment information security program . . . [p]olicies and procedures [] are based on risk assessments.” 38 U.S.C. § 5722(b)(2)(a). The VA conducted and considered risk as- sessments for VBMS and Caseflow. Government Br. 31; see, e.g., S. Appx. 1 (risk assessment for VBMS Cloud As- sessing); id. at 46 (risks of remote access from separate de- vices); id. at 48 (vulnerability summary relating to personal identity verification cards). The background check “for issuance of a personal identity verification Case: 23-1413 Document: 68 Page: 8 Filed: 03/06/2025
8 MILITARY-VETERANS ADVOCACY v. SECRETARY OF VETERANS AFFAIRS
badge,” 38 C.F.R. § 1.601(a)(2), is based on a risk assess- ment as required by the statute, 38 U.S.C. § 5722(b)(2)(a). MVA argues even if the VA has the authority to prom- ulgate the regulation, it is not reasonable because the VA failed to consider its impact on veterans’ access to attor- neys. MVA Opening Br. 60. MVA argues that attorneys already have background checks pursuant to their bar li- cense and that this additional background check is an un- reasonable exercise of VA authority. The Background Check Provision, however, is not directed only to attorneys. Rather than limiting access to VBMS and Caseflow to at- torneys, the Final Rule expands access to staff members such as paralegals and administrative support staff. 87 Fed. Reg. at 37745 (“VA further amends those regulations beyond the proposed rule to allow similar access to some staff members who are affiliated with recognized VSOs and VA-accredited attorneys or claims agents.”). Even if MVA were correct that the attorneys who access the systems al- ready have sufficient background checks, MVA fails to ad- dress the government’s argument that the additional support staff newly authorized to access these databases would not have had similar background checks. The VA explained the Background Check Provision applies equally to everyone who applies for remote access to VBMS and Caseflow. Government Br. 25. The VA also considered that “those who do not seek optional system access under the amended regulations may continue to receive records from VA as provided under the other provisions in 38 CFR part 1.” 87 Fed. Reg. at 37745. The Background Check Provision is therefore grounded in the risk assessment and tethered to the VA’s authority in protecting information se- curity and it is the product of reasoned decision making. B. The Inspection Provision The Inspection Provision of the Final Rule provides: Case: 23-1413 Document: 68 Page: 9 Filed: 03/06/2025
MILITARY-VETERANS ADVOCACY v. 9 SECRETARY OF VETERANS AFFAIRS
VA may, at any time without notice . . . in- spect the computer hardware and software utilized to obtain access and their location. 38 C.F.R. § 1.602(c)(1). MVA argues the provision: (1) is unconstitutional under the Fourth Amendment, (2) ex- ceeds the VA’s statutory authority, and (3) is not the prod- uct of reasoned decision-making. MVA Opening Br. 20–53. We address each argument in turn. MVA argues that this inspection provision is an unrea- sonable search which violates the Fourth Amendment. We may consider only facial challenges, rather than as applied challenges, to regulations. Preminger, 517 F.3d at 1308 n.5. With a facial challenge, if any application of the regu- lation would not violate the Fourth Amendment, we may not set the regulation aside. Here, there are applications of the Inspection Provision that do not violate the Fourth Amendment. For example, MVA agreed at oral argument that the Inspection Provision allows the VA to ensure that a user is accessing the systems from an approved location, and such an inspection would be reasonable. 4 And users expressly agree to the VA Rules of Behavior, which state users do not have any expectation of privacy, will comply with security measures, and agree to inspections to gain access to VA IT systems. J.A. 1948–49. Consent is an ex- ception to the Fourth Amendment’s prohibition on unrea- sonable search and seizures. See, e.g., Schneckloth v. Bustamonte, 412 U.S. 218, 219 (1973). Because there are some circumstances where the Inspection Provision does not violate the Fourth Amendment, it is not facially uncon- stitutional. See, e.g., United States v. Salerno, 481 U.S. 739, 745 (1987) (“the challenger must establish that no set
4 See Oral Argument at 6:16–58, available at https://oralarguments.cafc.uscourts.gov/default.aspx?fl= 23-1413_01072025.mp3. Case: 23-1413 Document: 68 Page: 10 Filed: 03/06/2025
10 MILITARY-VETERANS ADVOCACY v. SECRETARY OF VETERANS AFFAIRS
of circumstances exists under which the [regulation] would be valid”). MVA argues the Inspection Provision exceeds the VA’s statutory authority. We agree. The provision gives the VA the authority to inspect not only the computer hardware and software used to access the VA IT systems, but also the location where the hardware and software are used. As the regulation is written, this could include the user’s home of- fice, entire house, client files, or sensitive personal docu- ments, to name a few examples. The Government agrees that anywhere a user accesses the VA IT systems could be searched, including a user’s bedroom in their home. See Oral Argument at 35:32–50, 38:03–35. This scope is par- ticularly untethered to the statutory authority because the VA is generally an adverse party to the user of the VA IT system. This is a “markedly different” power than Con- gress likely envisioned in granting the VA the authority to promulgate information security policies. Ala. Ass’n of Realtors v. Dep’t of Health & Hum. Servs., 594 U.S. 758, 764 (2021). VA argues the provision is limited in scope and would not include “rummaging through attorneys’ drawers and cabinets.” Government Br. 61. But the language of the Inspection Provision is not so limited. Whether the VA chooses to utilize the full scope of the Inspection Provision does not bear on our analysis. The Inspection Provision also exceeds the VA’s statu- tory authority because it is not based on a risk assessment as required by VA regulations implementing information security policies and procedures. 38 U.S.C. § 5722(b)(2)(a). The VA argues the Inspection Provision is based on the VBMS and Caseflow risk assessments. Government Br. 54–55. But the VA’s citations to the risk assessment do not link any risk to confidentiality to computer hardware and software utilized to obtain access to VA IT systems or their location. S. Appx 2; S. Appx 157. Case: 23-1413 Document: 68 Page: 11 Filed: 03/06/2025
MILITARY-VETERANS ADVOCACY v. 11 SECRETARY OF VETERANS AFFAIRS
Even if the VA could demonstrate the Inspection Pro- vision is properly grounded in a risk assessment, given the breadth of the provision, it is not the product of reasoned decision making. The VA argues the Inspection Provision is reasonable because it addresses the risk of disclosing sensitive personal information with remote access to VA systems. Government Br. 52; 87 Fed. Reg. at 37747. That may be a reasonable goal, but this record does not demon- strate the VA has a rational basis to promulgate a regula- tion as broad as the Inspection Provision to effectuate that goal. The VA has not demonstrated that the breadth of the Inspection Provision is required to meet the goals of infor- mation security. CONCLUSION We have considered the parties’ remaining arguments and find them unpersuasive. For the forgoing reasons, we grant-in-part and deny-in-part MVA’s petition. GRANTED-IN-PART AND DENIED-IN-PART COSTS Costs to MVA.
Reference
- Status
- Published