United States District Court, D. Columbia.
IN RE: SCIENCE APPLICATIONS INTERNATIONAL CORP. (SAIC) BACKUP TAPE DATA THEFT LITIGATION. This document relates to: ALL CASES Misc. Action No. 12-347 (JEB)
[Copyrighted Material Omitted]
[Copyrighted Material Omitted]
[Copyrighted Material Omitted]
For SCIENCE APPLICATIONS INTERNATIONAL CORP. (SAIC) BACKUP TAPE DATA THEFT LITIGATION- MDL 2360, In Re: Richard L. Coffman, LEAD ATTORNEY, THE COFFMAN LAW FIRM, Beaumont, TX.
For VIRGINIA E. GAFFNEY, J.G., by his mother and legal guardian Virginia E. Gaffney, E.G., by her mother and legal guardian Virginia E. Gaffney, ADRIENNE TAYLOR, on behalf of themselves and all others similarly situated, Plaintiffs: David Scott Wachen, LEAD ATTORNEY, WACHEN LLC, Potomac, MD; James R. Denlea, Jeremiah Frei-Pearson, LEAD ATTORNEYS, PRO HAC VICE, MEISELMAN DENLEA PACKMAN CARTON & EBERZ PC, White Plains, NY; Jeffrey I. Carton, LEAD ATTORNEY, PRO HAC VICE, MEISELMAN, DENLEA, PACKMAN, CARTON & EBERZ P.S., White Plains, NY; Richard L. Coffman, LEAD ATTORNEY, THE COFFMAN LAW FIRM, Beaumont, TX.
For VON W. RICHARDSON, ALLIE J. RICHARDSON, III, on behalf of themselves and all others similarly situated, Plaintiffs: Jamie L Sheller, LEAD ATTORNEY, PRO HAC VICE, SHELLER, P.C., Philadelphia, PA; Richard L. Coffman, LEAD ATTORNEY, THE COFFMAN LAW FIRM, Beaumont, TX; Rosalee Belinda Connell Thomas, LEAD ATTORNEY, Laurel, MD; Tracy Diana Rezvani, LEAD ATTORNEY, REZVANI VOLIN & ROTBERT P.C., Washington, DC.
For JAMES F. BIGGERMAN, JR., on behalf of himself and all others similarly situated, Plaintiff: Andrew N. Friedman, LEAD ATTORNEY, COHEN MILSTEIN SELLERS & TOLL PLLC, Washington, DC; Lynn A. Toops, Richard E. Shevitz, LEAD ATTORNEYS, PRO HAC VICE, COHEN & MALAD LLP, Indianapolis, IN; Richard L. Coffman, LEAD ATTORNEY, THE COFFMAN LAW FIRM, Beaumont, TX.
For MURRY MOSKOWITZ, BARBRA MOSKOWITZ, Plaintiffs: Joseph H. Weiss, Mark D. Smilow, LEAD ATTORNEYS, PRO HAC VICE, WEISS & LURIE, New York, NY; Richard L. Coffman, LEAD ATTORNEY, THE COFFMAN LAW FIRM, Beaumont, TX; Rosalee Belinda Connell Thomas, LEAD ATTORNEY, Laurel, MD; Tracy Diana Rezvani, LEAD ATTORNEY, REZVANI VOLIN & ROTBERT P.C., Washington, DC.
For JESSICA PALMER, Plaintiff: David Scott Wachen, LEAD ATTORNEY, WACHEN LLC, Potomac, MD; Jeremiah Frei-Pearson, LEAD ATTORNEY, PRO HAC VICE, MEISELMAN DENLEA PACKMAN CARTON & EBERZ PC, White Plains, NY; Peter J. Mougey, LEAD ATTORNEY, LEVIN PAPANTONIO, THOMAS, MITCHELL RAFFERTY & PROCTOR, P.A., Pensacola, FL; Richard L. Coffman, LEAD ATTORNEY, THE COFFMAN LAW FIRM, Beaumont, TX.
For CLAUDIA FALUBEBRES, On behalf of themselves and all others similarly situated, H. P., by her stepmother and legal guardian, Jessica Palmer, C. P., by her mother and legal guardian, Jessica Palmer, C. P., III, by his mother and legal guardian, Jessica Palmer, SHANNA HARTMAN, ANTIONETTE MORELLI, Plaintiffs: David Scott Wachen, LEAD ATTORNEY, WACHEN LLC, Potomac, MD; Richard L. Coffman, LEAD ATTORNEY, THE COFFMAN LAW FIRM, Beaumont, TX.
For FERNANDO ARELLANO, on behalf of himself and all others similarly situated, MICHAEL BACON, MICHAEL ERICKSON, JOSHUA GORRELL, THEODORE MARTIN, BRIAN MCUMBER, BENNY MILLER, ALFRED NEWMAN, AMANDAH PETING, JENNIFER PINEIROVIGO, KYLE ROE, MATTHEW WALTERS, HENRY WARNER, Plaintiffs: Ben Barnow, Erich P. Schork, LEAD ATTORNEYS, BARNOW & ASSOCIATES, PC, Chicago, IL; Gregory E. Del Gaizo, LEAD ATTORNEY, ROBBINS UMEDA LLP, San Diego, CA; Kevin A. Seely, LEAD ATTORNEY, PRO HAC VICE, ROBBINS ARROYO LLP, San Diego, CA; Richard L. Coffman, LEAD ATTORNEY, THE COFFMAN LAW FIRM, Beaumont, TX; Thomas J. O'Reardon, Timothy G. Blood, LEAD ATTORNEYS, BLOOD HURST & O'REARDON LLP, San Diego, CA.
For DOROTHY YARDE, Plaintiff: Ben Barnow, LEAD ATTORNEY, BARNOW & ASSOCIATES, PC, Chicago, IL; Gregory E. Del Gaizo, LEAD ATTORNEY, ROBBINS UMEDA LLP, San Diego, CA; Kevin A. Seely, LEAD ATTORNEY, PRO HAC VICE, ROBBINS ARROYO LLP, San Diego, CA; Richard L. Coffman, LEAD ATTORNEY, THE COFFMAN LAW FIRM, Beaumont, TX; Thomas J. O'Reardon, Timothy G. Blood, LEAD ATTORNEYS, BLOOD HURST & O'REARDON LLP, San Diego, CA.
For MARK LOSACK, on Behalf of Himself and All Others Similarly Situated, Plaintiff: Ben Barnow, LEAD ATTORNEY, BARNOW & ASSOCIATES, PC, Chicago, IL; Brian J. Robbins, LEAD ATTORNEY, ROBBINS UMEDA LLP, San Diego, CA; Richard L. Coffman, LEAD ATTORNEY, THE COFFMAN LAW FIRM, Beaumont, TX; Thomas J. O'Reardon, Timothy G. Blood, LEAD ATTORNEYS, BLOOD HURST & O'REARDON LLP, San Diego, CA.
For ELLA DEATRICK, individually and on behalf of all others similarly situated, Plaintiff: Alan Dale Harris, Priya Mohan, LEAD ATTORNEYS, HARRIS & RUBLE, Los Angeles, CA; Darryl Antonio Stallworth, LEAD ATTORNEY, LAW OFFICE OF DARRYL A. STALLWORTH, Oakland, CA; Timothy G. Blood, LEAD ATTORNEY, BLOOD HURST & O'REARDON LLP, San Diego, CA.
For ALL PLAINTIFFS, Plaintiff: Richard L. Coffman, LEAD ATTORNEY, THE COFFMAN LAW FIRM, Beaumont, TX; Tracy Diana Rezvani, LEAD ATTORNEY, REZVANI VOLIN & ROTBERT P.C., Washington, DC.
For TRICARE MANAGEMENT ACTIVITY, UNITED STATES DEPARTMENT OF DEFENSE, LEON PANETTA, in his Official Capacity as Secretary of Department of Defense, Defendants: Paul Freeborne, LEAD ATTORNEY, U.S. DEPARTMENT OF JUSTICE, Washington, DC.
For SCIENCE APPLICATIONS INTERNATIONAL CORPORATION (SAIC), Defendant: Angel A. Garganta, Julian Y. Waldo, LEAD ATTORNEYS, ARNOLD & PORTER LLP, San Francisco, CA; Gunjan Rashmikant Talati, Lawrence S. Sher, LEAD ATTORNEYS, REED SMITH LLP, Washington, DC; Joshua Brody Marker, Steven J. Boranian, LEAD ATTORNEYS, REED SMITH LLP, San Francisco, CA; Kenneth Lee Chernof, Robert J. Katerberg, LEAD ATTORNEYS, Allyson Himelfarb, ARNOLD & PORTER LLP, Washington, DC; Lamont Alan Jefferson, LEAD ATTORNEY, HAYNES & BOONE, L.L.P., San Antonio, TX; Lawrence Morales, II, LEAD ATTORNEY, MORALES LAW FIRM, San Antonio, TX; Mark S. Melodia, LEAD ATTORNEY, REED SMITH, LLP, Princeton, NJ.
JAMES E. BOASBERG, United States District Judge.
In September 2011, a thief broke into a car sitting in a San Antonio parking garage and stole the car's GPS system, stereo, and several data tapes. This seemingly run-of-the mill theft has spawned massive litigation. Why? Because of the contents of those pilfered tapes. The car, as it turns out, belonged to an employee of Science Applications International Corporation, an information-technology company that handles data for the federal government. And the tapes contained personal information and medical records concerning 4.7 million members of the U.S. military (and their families) who were enrolled in TRICARE health care, which contracts with SAIC - somewhat ironically - to protect patients' data.
Plaintiffs, who are potential victims of the data breach, filed a number of lawsuits in various courts around the country alleging harm from an increased likelihood of identity theft and from an invasion of their privacy, among other things. Eight of those suits have been consolidated here as a multi-district litigation. Recently, SAIC and the three Government Defendants - TRICARE, the Department of Defense, and its Secretary, Chuck Hagel - moved to dismiss the now-consolidated Complaint. Defendants claim that the service members can show no injury based on the data breach and hence lack standing to sue in federal court; in addition, SAIC and the Government contend, none of the victims has stated a claim for relief under any of the many federal and state laws that might protect them. Plaintiffs rejoin that they have, in fact, been injured by the breach and that their various causes of action - ranging from state tort law to the federal Privacy Act of 1974 - are sound.
This case presents thorny standing issues regarding when, exactly, the loss or theft of something as abstract as data becomes a concrete injury. That is, when is a consumer actually harmed by a data breach - the moment data is lost or stolen, or only after the data has been accessed or used by a third party? As the issue has percolated through various courts, most have agreed that the mere loss of data - without evidence that it has been either viewed or misused - does not constitute an injury sufficient to confer standing. This Court agrees. Mere loss of the data is all that most Plaintiffs allege here, so the majority must be dismissed from this case. Two Plaintiffs, however, do plausibly assert that their data was accessed or abused, and those victims may move forward with their claims.
Standing thus resolved, the Court would typically next delve into the merits of the remaining Plaintiffs' claims. In this case, however, the Court believes it more advisable to pause and confer with the litigants. The dismissal of most Plaintiffs will have serious consequences moving forward, which may well alter the parties' perceptions of the case and how they prefer to proceed. Not every count in the Complaint applies to every Plaintiff, for example - so many of the counts may fall on that basis alone. Given that many of the Plaintiffs have been dismissed, moreover, they may desire to appeal immediately, which the Court might sanction. See Fed.R.Civ.P. 54(b). This matter was, after all, intended to proceed as a class action, and the number of potential class members has now considerably diminished. The Court will thus hold a status hearing to assess the parties' intentions before taking up the question of whether the two remaining Plaintiffs have stated a legal claim.
A. Factual Background
As outlined above, this case revolves around the theft of several data tapes from an SAIC employee's car in 2011. See Compl., ¶ ¶ 99-100. As the police report indicates, those tapes were taken along with a GPS and stereo when a criminal smashed a window and broke into the vehicle in mid-September. See SAIC Mot., Exh. A (San Antonio Police Report of Sept. 14, 2011) at 2-3; Compl., ¶ 100. Despite the efforts of law enforcement, the thief was never apprehended.
The tapes were backup copies of medical data related to over 4 million TRICARE beneficiaries who had received medical treatment or testing in San Antonio, Texas. See Compl., ¶ 93. On September 29, 2011, TRICARE released a statement detailing the data breach to alert customers to the situation.
See id. In November, SAIC mailed letters to affected service members explaining the scope of the theft and noting that " the information contained on the tapes may include names, Social Security Numbers, addresses, dates of birth, phone numbers," and a variety of medical information. SAIC Mot., Exh. B (Letter from SAIC to Customer (Nov. 16, 2011)) at 1; see Compl., ¶ 94. But the tapes did not include " any financial data, such as credit card or bank account information." Letter from SAIC at 1. SAIC also observed, " The chance that [any] information could be obtained from these tapes is low since accessing, viewing and using the data requires specific hardware and software." Id. SAIC nevertheless offered all affected parties free credit monitoring and identity-theft protection and restoration services for one year.
Still, Plaintiffs claim that the data breach caused them substantial harm. Twenty-four of the thirty-three Plaintiffs here allege that they have been injured because of the disclosure alone. They
claim that, even if no one has yet used their personal information, they face an increased risk of identity theft, which they view as a distinct and palpable harm. See Compl., ¶ ¶ 20, 23. They also claim that the data breach violated their expectation of privacy, as codified in various statutes, state tort law, and possibly through contract. See id., ¶ ¶ 1, 20, 21, 24. In addition, five of those twenty-four Plaintiffs claim that they have spent time or money monitoring their credit or interfacing with their banks since the theft, and that their time and effort should be compensable.
Six Plaintiffs also claim that someone used their credit cards or bank accounts without their authorization, although no one alleges that financial information was actually on the stolen tapes. One of those six additionally claims that loans have been opened in his name using his personal information - presumably including his social security number, name, date of birth, and address, all of which were on the backup tapes. Yet another Plaintiff alleges that she was harmed because her medical identity has disappeared. Finally, two Plaintiffs allege that they have received unwanted phone calls or " phishing" emails, and one of those Plaintiffs claims that marketers have information about her medical condition that they likely obtained from the tapes.
Plaintiffs filed this lawsuit against TRICARE, which is a government agency that provides insurance coverage and health care to active-duty service members and their families, see 10 U.S.C. § § 1074, 1076, 1079; 32 C.F.R. pt. 199; Compl., ¶ 3, and against the Department of Defense and its Secretary. The breach victims are also suing SAIC, a security firm that contracts with TRICARE to ensure the security of the personally identifiable information (PII) and protected health information (PHI) in its records. See Compl., ¶ 67.
In their Consolidated Amended Complaint, Plaintiffs allege no fewer than twenty separate causes of action, ranging from the violation of various federal statutes - such as the Privacy Act, the Fair Credit Reporting Act, and the Administrative Procedure Act - to the contravention of state statutes and common law - such as claims of negligence, breach of contract, and violation of various state consumer-protection laws. The injuries alleged include: (i) increased risk of identity theft, which Plaintiffs peg at 9.5 times their pre-theft risk; (ii) expenses incurred in mitigating the risk of identity theft; (iii) loss of privacy through the exposure of their personal information; (iv) loss of the value of their personal and medical information; (v) loss of the value of their insurance premiums, which should have been used to pay for proper security measures; (vi) SAIC's failure to meet the requisite standard for data security; (vii) the lost right
to truthful information about their data security; (viii) statutory (or liquidated) damages; and, in at least one case, (ix) actual identity theft. Compl., ¶ ¶ 20-23. The Court will address each theory of injury in turn as it analyzes the standing of Plaintiffs to proceed.
B. Procedural Background
This action encompasses eight separate cases filed in four different courts around the country. While most of those actions originated here in D.C., others were transferred from the Northern and Southern Districts of California as well as the Western District of Texas. See ECF No. 1 (Transfer Order) at 1-3. Consolidation of those cases for pretrial purposes took effect in June 2012, id., and in August of that year the Court held a hearing to sort out the administrative details of the newly combined multi-district litigation. See ECF No. 13 (Hearing Tr.) at 6. In October 2012, Plaintiffs filed a Consolidated Amended Complaint encompassing the allegations of thirty-three Plaintiffs from twenty-four states. See Compl., ¶ ¶ 1, 154. In November 2012, Defendants moved to dismiss all thirty-three Plaintiffs for lack of standing or, in the alternative, to dismiss each cause of action as unsupported by the ...