“One good deal after another” – This old expression from my time of service in the USN popped into my head as I read news of the latest breach of information regarding Navy personnel. In sum, reported the Navy on November 23, the laptop of a government contractor supporting a naval contract was “compromised” and “unknown individuals” accessed sensitive information on over 130,000 sailors and former sailors, including Social Security numbers. At last report, there is no evidence the leaked data has been misused.
The facts so far, as reported, are facially similar to those at issue in In re Science Applications Int’l Corp. Litigation, 45 F.Supp.3d 14 (D.D.C. 2014) (“SAIC”), where an employee of SAIC, an information-technology company that handles data for the federal government, had her car broken into and back-up tapes containing health care information regarding millions of members of the armed services and their families were stolen. The SAIC court rejected plaintiffs’ claims for increased risk of identity theft and monitoring costs on the grounds set out in Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013), holding that, in addition to a substantially increased risk of harm resulting from the occurrence, there also had to be “a substantial probability of harm with that increase taken into account.” SAIC, 45 F. Supp. 3d at 16 (emphasis in original). Because there was little likelihood that the thief involved even knew what information he or she had come into, much less possessed the technology to access it, the SAIC court found no injury-in-fact for the bulk of the plaintiffs. However, the court allowed two claims to go forward, including a claim under the Privacy Act for previously unreceived unsolicited calls to an unlisted number pitching medical products and services targeted at a specific medical condition listed in the stolen medical records. Id. at 33.
We might note that news of this latest “compromise” came out the same month as the long-awaited ruling in Welborn v. IRS, --- F. Supp. 3d ---, 2016 WL 6495399 (D.D.C. 2016), brought, as you will recall, as a result of 330,000 tax-related documents stolen during a cyberattack that extended from mid-February to mid-May 2015 and targeted the IRS’s “Get Transcript” program. Among other causes of action, the plaintiffs brought suit under the Privacy Act and the Internal Revenue Code. The Welborn court also rejected plaintiffs’ claims for an increased threat of future identity theft and fraud as a result of the IRS security breach as entirely speculative and depending on the decisions and actions of one or more independent, and unidentified, actors. Id. at *8 (quoting Clapper, 133 S.Ct. at 1150). However, the Welborn court found that three of the plaintiffs, two of whom alleged that they had suffered actual identity theft when someone filed false tax returns and claimed fraudulent refunds in their names, and one who alleged she had “been the victim of at least two occasions of fraudulent activity in her financial accounts, one of which resulted in the removal of funds from a personal financial account, which occurred after the IRS data breach,” had alleged sufficient injury-in-fact to maintain standing. The claim of the last of these three was dismissed for failure to plead causation, as the fact that the harm came later in time is not sufficient to show causation. Id. at *9 – *10. The court then held that 1) the remaining two plaintiffs’ claims for unauthorized disclosure under the Privacy Act were preempted by the tax code, and 2) plaintiffs’ Privacy Act claims for “failure to safeguard” must be dismissed for failure to allege actual damages (as opposed to injury-in-fact). Id. at *12 (to plead any Privacy Act claim adequately, a plaintiff must plead “actual—that is, pecuniary or material—harm”).
Ultimately, the court also dismissed the plaintiffs’ claims for unauthorized disclosure under the Tax Code on grounds of sovereign immunity. To allege improper disclosure under the Code, a plaintiff must allege (1) knowing or negligent, (2) disclosure, (3) of a return or return information. The IRS argued, and the court held, that plaintiffs were attempting to present a “failure to protect” claim couched as an “improper disclosure” claim, but the Code does not authorize suit against the IRS based on a failure to protect. That is, the plaintiffs’ attempt to expand liability would expand the government’s waiver of sovereign immunity to include a claim not contemplated by the Code.
A very similar argument could also have been made with regard to the Privacy Act claims, but the court did not reach them due to its finding of no actual damages, and the holding has broad implications. Finally, the involvement of a government contractor in the scenario of the Navy breach could also implicate the recent Supreme Court decision in Campbell-Ewald Co. v. Gomez, No. 14-857, 2016 WL 228345 (2016), regarding “derivative sovereign immunity.” The Navy had contracted with Campbell to develop a recruiting campaign that included sending text messages to young adults, but the contract stated that messages could be sent only if those individuals had “opted in” to receive marketing solicitations. Campbell-Ewald developed a list of cellular phone numbers for contacting users, and then transmitted the Navy’s message to more than 100,000 people. Gomez, who had not opted in by consenting to receive messages, received one anyway and filed a nationwide class action seeking damages and alleging that Campbell-Ewald had violated the Telephone Consumer Protection Act (“TCPA”). Campbell-Ewald argued that, as a contractor acting on the Navy’s behalf, it had acquired (i.e., had “derived”) immunity from the Navy’s sovereign immunity from suit under the TCPA. However, the Supreme Court held that Campbell-Ewald violated both federal law (the TCPA) and the Government’s explicit contractual instructions that messages were to be sent only to individuals who had “opted in.” The Court held that when a contractor violates both federal law and the Government’s explicit instructions, there is no “derivative immunity” and the contractor is not shielded from suit.