A federal court dismissed a multidistrict lawsuit asserting the view that the loss of personal medical data and other information did not actually harm the consumer plaintiffs.
Two plaintiffs did prove their medical data were accessed and abused; their cases against the US Department of Defense and technology firm Science Applications International Corporation (SAIC) were allowed to proceed.
The US District Court for the District of Columbia compiled cases from several districts from the 2011 theft of data tapes stolen from the vehicle of a SAIC employee in San Antonio, Texas.
“The tapes contained personal information and medical records concerning 4.7 million members of the U.S. military (and their families) who were enrolled in TRICARE health care, which contracts with SAIC – somewhat ironically – to protect patients’ data,” the Court noted.
The tapes included names, Social Security numbers, addresses, birth dates, phone numbers and medical information. They did not include any credit card or bank information.
Of 33 plaintiffs, 24 said disclosure of this information left them harmed by the “increased risk of identity theft” as well as by violated expectations of privacy under state tort law and contracts with the defendants. Five plaintiffs said they spent time and money monitoring their credit or changing bank information. Six plaintiffs said their credit cards or bank accounts were accessed; another plaintiff had loans opened in his name using the accessed information.
Under the consolidated complaint, the plaintiffs made their case under federal statutes including the Privacy Act, the Fair Credit Reporting Act and the Administrative Procedure Act to bring claims of negligence and breach of contract. But the court was not convinced the plaintiffs were harmed.
“This case presents thorny standing issues regarding when, exactly, the loss or theft of something as abstract as data becomes a concrete injury,” the court stated in its opinion. “That is, when is a consumer actually harmed by a data breach – the moment data is lost or stolen, or only after the data has been accessed or used by a third party? As the issue has percolated through various courts, most have agreed that the mere loss of data – without evidence that it has been either viewed or misused – does not constitute an injury sufficient to confer standing. This court agrees. Mere loss of the data is all that most plaintiffs allege here, so the majority must be dismissed from this case.”
The court cited a 2013 U.S. Supreme Court case regarding the Foreign Intelligence Surveillance Act in which several organizations with foreign clients argued they were more likely to be targeted for surveillance. The high court’s finding in that case – that “respondents cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending” – has application in data theft cases, the District Court determined.
The cost of credit monitoring isn’t enough to pursue a claim, the court added, and although the fear is reasonable, the plaintiffs did not prove that the risk is “substantial.”
While noting that victims are estimated to be 9.5 times more likely to have their identity stolen, the plaintiffs also acknowledged in their complaint that only 19 percent of all data breach victims actually experience identity theft.
“Unfortunately, there is simply no way to know until either the crook is apprehended or the data is actually used. Courts for this reason are reluctant to grant standing where the alleged future injury depends on the actions of an independent third party,” said court records.