Current Trends in Data Security Litigation

Both companies continue to face civil lawsuits filed in the California courts, with plaintiffs seeking injunctive relief and damages stemming from the data security breaches. In the ChoicePoint consolidated class action litigation, the California district court dismissed two claims, but ChoicePoint still faces claims under the federal Fair Credit Reporting Act ('FCRA') and the California Credit Reporting Agencies Act ('CCRAA'), among others. See, Harrington v. ChoicePoint Inc., No. 05-cv-1294 MRP (JWJx) (C.D. Cal., Sept. 15, 2005). CardSystems faces a similar suit in California Superior Court, with plaintiffs alleging that the defendants violated certain provisions of the state's data protection statute, namely Cal. Civ. Code '1798.81. See, Parke et al. v. CardSystems Solutions, Inc., No. CGC-05-44264 (S.F. Cty. Super. Ct., First Am. Comp., filed July 6, 2005).

More recently, in May of this year, a laptop belonging to an analyst at the U.S. Department of Veterans Affairs ('VA') was stolen, resulting in the potential loss of 26.5 million Social Security Numbers of veterans. A month later, it was reported that an AIG company computer containing Social Security Numbers and personal information of potentially 970,000 customers was also stolen. In fact, as catalogued by the Privacy Rights Clearinghouse (a consumer privacy interest group), there were at least 40 reported data security breaches involving sensitive personal information in June 2006 alone. See, Chronology of Data Breaches, available at: www.privacyrights.org/ar/ChronDataBreaches.htm. In the end, the FBI eventually recovered the VA laptop, with no apparent evidence of access to the personal information. Interestingly, however, in early August, a second unrelated VA security breach was reported, involving a desktop computer containing personal information of approximately 38,000 veterans that was missing from the office of a VA subcontractor responsible for insurance collection in certain Pennsylvania VA medical centers. As a result of the VA laptop theft, a class action suit was filed by several veterans groups, seeking, among other things, monetary damages for each veteran harmed by the privacy breach, a declaratory judgment that the VA's loss of these records violated federal privacy and administrative laws, and an injunction prohibiting the VA from altering any data storage system until a court-appointed panel of experts examines the best methods to implement proper data security safeguards. See, Press Release, 'VVA, Veterans' Coalition File Class Action Suit Seeking Redress, Safeguards to VA's Files on 26.5 Million Veterans' (June 6, 2006), available at: www.vva.org/ClassAction/index.htm. (A copy of the Complaint is also available on the VVA Web site.) On the legislative front, in response to the VA breach, a number of data security bills were introduced in Congress, with one notable bill, the Veterans Identity and Credit Security Act (which would require all federal agencies to notify victims of data security breaches), currently working its way through the House of Representatives.