The U.S. Supreme Court’s decision in Clapper v. Amnesty International USA again has been relied on by a federal district court to hold that the “mere loss of data” in a data breach case does not constitute an injury sufficient to confer standing. In re: Science Applications International Corp. (SAIC) Backup Tape Data Theft Litigation, U.S. District Court for the District of Columbia, Misc. Action No. 12-347 (JEB) MDL 2360 (May 9, 2014).
In SAIC, tapes containing personal and medical information for 4.7 million members of the U.S. military and their families, along with the car’s stereo and GPS, were stolen from the parked car of an SAIC employee. SAIC is an information technology company that was handling data for TRICARE, a government agency that provides insurance coverage and health care to active-duty service members and their families. The breach victims sued TRICARE and SAIC, among others, asserting 20 causes of action, including increased risk of identity theft; expenses related to mitigating the risk of identity theft, loss of privacy; loss of value of personal and medical information; loss of value of insurance premiums; SAIC’s failure to meet the requisite standard for data security; the lost right to truthful information; statutory or liquidated damages; and, for at least one plaintiff, actual identity theft. The court granted the Defendants’ motions to dismiss the claims of almost all of the Plaintiffs on the ground that they lacked standing. [Read more…]