What would persuade you to use data encryption to protect your data like AlertBoot? Would $4.9 billion (that’s right, billion) prompt you to encrypt three backup tapes? Cause that’s the lawsuit that’s been recently filed for the US Military’s Tricare data breach.
Class Action Suit
The suit was filed in Washington, D.C. by four individuals. They are asking for $1,000 for each person that was affected by the theft of backup tapes (the breach was actually suffered by a contractor, SAIC, but under the law Tricare is responsible for the data as the original collector and user of the data). The Department of Defense and Defense Secretary Leon Panetta are listed as defendants as well, although SAIC is not.
4.9 million people were affected in the breach so, if successful, the damages would total $4.9 billion. Free credit monitoring is also sought (my emphasis, from govinforsecurity.com):
The suit, filed by the law firm Shulman, Rogers, Gandal, Pordy & Ecker, seeks $1,000 in damages for each of the 4.9 million TRICARE beneficiaries who had information on the tapes, alleging violations of the Privacy Act of 1974 and the federal Administrative Procedures Act. It alleges “intentional, willful and reckless violations of the privacy rights” of the beneficiaries.
The defendants’ “inexplicably failed to properly encrypt the information,” the suit states. It also alleges that TRICARE “authorized an untrained or improperly trained individual to take the highly confidential information off of government premises and to leave the unencrypted information in an unguarded car parked in a public location, from which it was stolen…”
It seems to be implied in the suit that, had encryption software been used, there wouldn’t be such a lawsuit. Well, that’s the point behind the use of encryption, no? You adequately protect the data to ensure that when (not if) something untoward happens, you’re protected (while not tested, I’m pretty sure that the courts would view that privacy rights weren’t violated when encrypted data is lost) and your clients are protected.
Not using it? Apparently $4.9 billion. Plus, another $100 million or so for free credit monitoring. Tack on another 500 million and you’ve got the price of Virginia-class submarine.
Not Going Anywhere
As I’ve remarked in the past, lawsuits like these, where there are no actual damages — just the possibility of a future one occurring — are likely to be tossed by the courts.
Computerworld.com has a pretty good summary of this:
In many cases, courts however have tended to dismiss lawsuits in data breach cases. Several courts have held that consumers cannot claim compensatory or punitive damages in data breach cases unless they can demonstrate that they have suffered actual monetary damage as the result of a breach.
The notion that someone might become the victim of ID theft in future because of a data breach cannot be used as a basis for claims, courts have held.
That “notion” is often termed “future harm.” The courts have ruled, again and again, that they cannot hand out some kind of penalty base on “what might happen,” as seen in this case, where Bank of New York Mellon was sued for the loss of a backup tape.
All such cases, as far as I know, have been summarily dismissed: “I might be harmed” is not the same as “I might be harmed in the future.”
Related Articles and Sites: