In re: Science Applications International Corp. (SAIC) is an opinion issued by the U.S. District Court for D.C. earlier this month. It’s the latest chapter in a long-running case, which all began with a simple burglary. The opening paragraph of the opinion sets the scene:
In September 2011, a thief broke into a car sitting in a San Antonio parking garage and stole the car’s GPS system, stereo, and several data tapes. This seemingly run-of-the-mill theft has spawned massive litigation. Why? Because of the contents of those pilfered tapes. The car, as it turns out, belonged to an employee of Science Applications International Corporation, an information-technology company that handles data for the federal government. And the tapes contained personal information and medical records concerning 4.7 million members of the U.S. military (and their families) who were enrolled in TRICARE health care, which contracts with SAIC – somewhat ironically – to protect patients’ data.
The fallout from this theft involved lots of lawsuits, all over the country, filed by potential victims of the data breach, “alleging harm from an increased likelihood of identity theft and from an invasion of their privacy, among other things.” Several of those suits were consolidated for this opinion, and the key question is one of standing. Plaintiffs say they have it; defendants – including TRICARE, the Department of Defense and DOD Secretary Chuck Hagel – move to dismiss. Here’s the difficulty, as the court sees it, in this matter:
This case presents thorny standing issues regarding when, exactly, the loss or theft of something as abstract as data becomes a concrete injury. That is, when is a consumer actually harmed by a data breach – the moment data is lost or stolen, or only after the data has been accessed or used by a third party?
The court goes along with the prevailing opinion among various courts, that “the mere loss of data – without evidence that it has been either viewed or misused – does not constitute an injury sufficient to confer standing.” As a result, the majority of the plaintiffs are dismissed from the case; two individuals who could “plausibly assert that their data was accessed or abused” are allowed to proceed.
Plaintiffs had claimed various types of damage, including an “increased risk of harm and monitoring costs”, invasion of privacy, and identity theft, though the court dismisses these fears as “entirely speculative”, particularly the last:
For identity theft to occur, after all, the following chain of events would have to transpire: First, the thief would have to recognize the tapes for what they were, instead of merely a minor addition to the GPS and stereo haul. Data tapes, after all, are not something an average computer user often encounters. The reader, for example, may not even be aware that some companies still use tapes – as opposed to hard drives, servers, or even CDs – to back up their data. Then, the criminal would have to find a tape reader and attach it to her computer. Next, she would need to acquire software to upload the data from the tapes onto a computer – otherwise, tapes have to be slowly spooled through like cassettes for data to be read. After that, portions of the data that are encrypted would have to be deciphered. Once the data was fully unencrypted, the crook would need to acquire a familiarity with TRICARE’s database format, which might require another round of special software. Finally, the larcenist would have to either misuse a particular Plaintiff’s name and social security number (out of 4.7 million TRICARE customers) or sell that Plaintiff’s data to a willing buyer who would then abuse it.
Later, the court would describe the theft as “low tech”, “garden-variety” and “hardly a black ops caper”. The two plaintiffs who weren’t dismissed were able to show harm that could potentially be linked to the breach, though they’ve still got a long way to go before they could prevail.
This case emphasizes again that there has to be real, demonstrable harm suffered in order to sustain a credible lawsuit following a data breach. The fear that harm may occur, or may have occurred, is not enough.