The U.S. Court of Appeals for the Fourth Circuit has made it more difficult to establish Article III standing in data breach cases both at the pleading stage and at summary judgment by requiring plaintiffs to allege and show that data thieves intentionally targeted the personal information that is stolen in a data breach. The decision in the case, Beck, et. al. v. McDonald, et. al., No. 15-1395, came down on February 6, 2017.
Privacy Act of 1974
The Privacy Act of 1974 governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies. The Privacy Act provides that: "No agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains," and under other limited exceptions articulated in the statute. 5 U.S.C. s. 552a(b).
Background: Court Considers Whether Data Breaches Caused Actual Damages
On February 11, 2012, a laptop containing the unencrypted personal information of 7,400 patients, including names, birthdates, the last four digits of social security numbers, and physical descriptors (such as age, race, gender, height and weight), was likely stolen from the William Jennings Bryan Dorn Veteran Affairs Medical Center. Dorn VAMC officials notified every patient whose information was on the missing laptop and offered each one year of free credit monitoring. Richard Beck filed a putative class action complaint on behalf of the 7,400 patients alleging that the data breach constituted negligence and a violation of the Privacy Act which caused "embarrassment, inconvenience, unfairness, mental distress and threat of current and future substantial harm from identity theft and other misuse of their personal information." Beck further alleged that the threat of identity theft caused him to monitor his account statements and purchase credit monitoring services. Beck also brought a claim for injunctive relief under the Administrate Procedure Act to require the VA to account for all the records in the possession of the Dorn VAMC and destroy any improperly maintained records.
The district court dismissed Beck's negligence claim at the pleading stage but allowed the Privacy Act and APA claims to go forward. After extensive discovery, the defendant again moved...