Court Tosses Much of Giant Data Breach Lawsuit
A federal district judge has dismissed much of a class action lawsuit filed against the Department of Defense, its TRICARE health insurance program and vendor Science Applications International Corp. following a massive data breach in 2011 that affected 4.7 million individuals including military members and their families.
A thief broke into an SAIC employees car in September 2011, taking a GPS system, stereo and several data backup tapes. Protected health information on the tapes included names, addresses, phone numbers, medical information such as clinical notes and lab tests, and Social Security numbers, but no credit/debit or bank account data. The tapes contained data on patients treated in San Antonio, Tex., facilities between 1992 and Sept. 7, 2011. TRICARE in notifying patients did not initially offer protected services, but after further investigation, SAIC offered affected individuals one year of paid credit monitoring and identity theft protection services.
In his May 9 ruling, U.S. District Judge James Boasberg of the District of Columbia acknowledges that a handful of the 33 plaintiffs selected to participate in the suit on behalf of the entire class claim to have suffered actual identity theft and have clearly suffered an injury. However, at least 24 other plaintiffs cannot demonstrate harm, alleging only a risk of identity theft. At this point, the likelihood that any individual Plaintiff will suffer harm remains entirely speculative, he notes in the ruling.
Boasberg then walks through multiple steps a criminal would have to take to understand the value of the tapes, find and attach a tape reader to a computer, acquire software to upload data from the tapes to a computer, decrypt a portion of the data that was encrypted, understand TRICAREs database format which may require special software, and then either misuse a particular Plaintiffs name and Social Security number (out of 4.7 million TRICARE customers) or sell that Plaintiffs data to a willing buyer who would then abuse it. The vast majority of Plaintiffs has not alleged that any of those things happened--because they cannot. Those events are entirely dependent on the actions of an unknown third party--namely, the thief.
Using she to identify the unknown thief, Boasberg writes that she could have done all the work to access and use the information on the tapes, or they could be lying in a landfill somewhere in Texas because she trashed them after achieving her main goal of boosting the car stereo and GPS. Unfortunately, there is simply no way until either the crook is apprehended or the data is actually used. Courts for this reason are reluctant to grant standing where the alleged future injury depends on the actions of an independent third party.
Boasberg acknowledges the finding is of cold comfort to the millions affected who must watch their credit reports until something untoward occurs. The Supreme Court, however, has held that an objectively reasonable likelihood of harm is not enough to create standing, even if it is enough to engender some anxiety. Plaintiffs thus do not have standing based on risk alone, even if their fears are rational.
Nor is the cost involved in preventing future harm enough to confer standing, even when such efforts are sensible. There is, after all, nothing unreasonable about monitoring your credit after a data breach. In fact, that is exactly what TRICARE and SAIC advised Plaintiffs to do--and what SAIC, in part, offered to pay for.
In ruling on several other issues asserting legal standard to proceed with the lawsuit, Boasberg consistently ruled against the plaintiffs, citing numerous legal precedents. On the allegation that privacy was invaded, he said until harm can be proven to have resulted from access to the data on the backup dates, any harm remains speculative. On standing because of loss of value of personal and medical information, he concluded that no harm exists. Boasberg concurred that SAIC failed to meet legal standards for data security, but standing demands some form of injury.
On the issue of standing related to actual misuse, he acknowledged that some plaintiffs data was accessed and misused, but the injury must still be linked to defendants conduct and was not in this case. Boasberg also dismissed legal standing for claims of identity theft, saying a handful of plaintiffs experienced unauthorized access to debit/credit and bank accounts, but such information was not breached.
In his conclusion, he states: Since the majority of Plaintiffs has been dismissed--potentially altering the scope of the remaining litigants claims moving forward, the Court will pause to confer with the parties before determining which, if any, of the Complaints twenty counts has been properly alleged. The Court thus reserves the issue of whether Defendants Rule 12(b)(6) Motions should be grated for a future date. It further notes that it expects the parties to confer before the forthcoming status to determine if they can reach some agreement on the next procedural steps in the case. For the aforementioned reasons, the Court will grant in part and deny in part Defendants Motions to Dismiss.
The full 28-page ruling is available here.