The government has argued that veterans who are suing the William Jennings Bryan Dorn VA Medical Center over a data breach did not formally experience any harm, and that the lawsuit ought to be dismissed. Honestly, I don’t know why the government is taking this position. Per my understanding, the VA was set to have laptop encryption on all portable computers by February 2012. The data breach occurred on February 11, 2013, a full year after the VA supposedly had 100% of its laptops encrypted.
On February 11, 2013, a laptop computer containing personal information for over 7,500 US veterans was stolen from the Dorn VAMC Respiratory Therapy Department. The hard drive contained names, addresses, phone numbers, SSNs, and dates of birth, as well as medical and disability information for an “unknown number” of vets.
The information was not protected with medical encryption software. Because the VA had been promising to encrypt laptops (and, among other things, implied that they were fully protected), and because it had already experienced numerous data failings – including the 2006 data breach in which 26 million veterans were affected when a laptop was stolen – the plaintiffs are claiming that the VA and assorted defendants “failed to properly perform the duties and responsibilities of their respective VA positions.”
The claim is further supported by an Office of Inspector General report:
VA’s own Office of Inspector General reported only a few months before the February 13, 2013, incident that, although VA spent $3,700,000.00 in 2006 to purchase encryption software, the Department had installed that software on only 16% of the devices for which it was purchased. [Official complaint, Civil Action No.: 3.13-CV-999-TLW]
I’m not sure that the software will ever be installed. My understanding is that the software was found to be incompatible with most of the VA’s computers, forcing the VA to purchase new encryption software. So, the fact that only 16% of devices were protected with this particular software is a moot point: the VA could have protected the remaining 84% with something that was purchased after 2006.
The only incompetence here is that the VA blew $3.7 million on software it can’t use.
Government Makes Hackneyed Argument
Regardless, the government’s position is that the lawsuit should be dismissed because the plaintiffs have not been harmed. Yes, a laptop full of their information was stolen. But, aside from the fact that some of the more paranoid members decided to sign up for credit monitoring, what actual harm did they suffer, especially as a collective?
Plus, the US courts don’t judge on future harm that derives from an event. They need to rule on something that has happened. For example, perhaps the names and SSNs found on that list were used in mortgage fraud or for opening fraudulent lines of credit at banks across and outside the US; that’s a concrete harm resulting from the VA data breach and fair game.
The problem with this argument – aside from the fact that it’s the go-to defense of choice for the many inept companies that can’t seem to bother to secure their clients’ data – is that the courts are slowly beginning to shy away from such an interpretation.
How will this end up? As a clusterfrock that shouldn’t have happened (or wouldn’t have happened with a liberal application of encryption software and other data security tools).