Stolen Laptops and Data Theft: Why the Privacy Act Lawsuit against the Veteran's Administration May Succeed, and Why We Need Similar Remedies in the Private Sector

By ANITA RAMASASTRY

Thursday, Jun. 15, 2006

Just a few weeks ago, the federal Veterans Administration (VA) revealed that the Social Security numbers and other personally identifiable information of 26.5 million veterans and their spouses had been compromised, when an employee' s laptop was stolen from his home. This was the reportedly the largest known data breach involving Social Security numbers in U.S. history.

Now, veterans who may have been affected by the breach are suing the VA under a federal statute - and, for reasons I will discuss in this column, they may well win their case. But if the defendant had been a private company, not a government agency, their case would have been much shakier - and lawmakers, I will argue, need to remedy that situation.

The Breach, and the VA's Response

As I discussed in detail in an earlier column, the VA data breach resulted from employee negligence: An employee violated rules by bringing home data files which included this sensitive personal data, and when the employee's laptop was stolen, so was the data.

The VA's response was less than comforting: It waited almost three weeks after the breach occurred - until May 22 -- to inform the public that millions of veterans' names, Social Security Numbers, and birthdates had been compromised. Then, it waited another two weeks after that to admit that the theft could also have included records of large numbers of active Navy and National Guard personnel.

And to this day, veterans still cannot find out whether their data, in particular, was among the data stolen.

The Recent Class Action Lawsuit, and the Remedies It Seeks

No wonder, then, that lawsuits have followed. Thus far, there have been two.

First, a Democratic activist sued the VA in federal court in Cincinnati. Second, five veterans groups -- Citizen Soldier in New York; National Gulf War Resource Center in Kansas City; Radiated Veterans of America in Carson City, Nev.; Veterans for Peace in St. Louis; and Vietnam Veterans of America in Silver Spring, Md. - filed a class action suit in U.S. District Court in Washington, D.C.. They are suing under the federal Privacy Act, which requires government agencies to have proper procedures for safeguarding personal data.

The class action suit demands that the VA fully disclose which military personnel, in particular, were affected by the data theft, and seeks $1,000 in damages - the minimum under the Privacy Act -- per veteran harmed, opening the way for a possible award of up to $26.5 billion total. Though that sum may sound large, it's worth keeping in mind that the data breach will cause significant worry to veterans - who must watch and wait to see if and when they become victims of identity theft, for the VA, as of now, is not providing free credit monitoring.

The veterans are also asking for a court order prohibiting VA employees from using sensitive data until independent experts determine that the VA has adequate safeguards to protect that data. Whether or not such an order actually issues, it seems very likely that, at a minimum, the lawsuit will send a message to governmentagencies that they need to increase security efforts, and will incentivize them to invest in proper safeguards to keep sensitive data safe and secure.

The Federal Privacy Act: How It Works.

The Privacy Act, passed in 1974, requires, among other things, that agencies "establish rules of conduct for persons involved in the design, development, operation, or maintenance of any system of records, or in maintaining any record, and instruct each such person with respect to such rules and the requirements of this section, including any other rules and procedures adopted pursuant to this section and the penalties for noncompliance."

The VA has said that it has, indeed, established procedures, and that the data analyst who took the relevant data home violated them. But its poor security report cards, over the years, open the way for plaintiffs to argue that these weren't the kind of procedures the Privacy Act contemplated.

Moreover, the Privacy Act also requires that agencies "establish appropriate administrative, technical and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained." Plaintiffs can argue that the safeguards in place were not appropriate or sufficient.

The Need for A Private Sector Counterpart to the Privacy Act

While the Privacy Act provides a sufficient basis for holding government agencies accountable in the event of data breaches, there is no similar statute that provides a cause of action against private companies.

Yet there is plainly a need for such a law. In June alone, the following companies had customer data compromised when, in each case, an employee's laptop was stolen: Ernst & Young (serving as auditor for Hotels.com), Ahold USA (the parent company of grocery store chains like Stop and Shop) through its subcontractor Electronic Data Systems, Humana, and the YMCA of Providence, Rhode Island.

Such data thefts have led to civil lawsuits against these companies, as I previously discussed in another column. Most of these lawsuits have been dismissed, however, because tort law typically does not allow parties to sue for purely economic loss, and because courts are characterizing identify theft as economic loss -- even though it can also have psychological consequences for those whose private data has been stolen, and who do not know when or if they will be the targets of identity theft. Courts are refusing to recognize this kind of harm, and turning a blind eye, also, to the harm of plaintiffs' having to spend hours monitoring their credit reports to make sure they prevent future identity theft.

The combination of the courts' refusal to recognize these genuine harms, and the increasing number of data breaches relating to the private sector, militate in favor of creating a new federal law - a counterpart to the Privacy Act that covers not the government, but private companies. (Credit freeze laws, too, should be put into place - as I discussed in a previous column.)

One might argue, in response, that the private sector is different: We are often required to give the government data, but we often voluntarily choose to give data to private companies, and if we like, we can inquire into their security policies before doing so.

But this objection overlooks the reality that it is often hard to know how adequate a company's security is until it is too late. Moreover, there are so many types of services that we truly need (phone service, electricity, various kinds of insurance) that we are practically - if not legally - compelled to provide personal data to private companies.

Moreover, shouldn't we force companies to internalize the cost of their own poor security practices? If we do not require companies to bear some responsibility for the negligent handling of our data, then we may only encourage them to cut costs and take few steps to protect our data. And encouraging negligence guarantees that identity theft - already a serious problem - will only grow in scope, threatening individuals' security, and further burdening our economy.


Anita Ramasastry is an Associate Professor of Law at the University of Washington School of Law in Seattle and a Director of the Shidler Center for Law, Commerce & Technology. She has previously written on business law, cyberlaw, and other legal issues for this site, which contains an archive of her columns.

FindLaw Career Center

    Select a Job Title


      Post a Job  |  Careers Home

    View More