11th Cir Rejects Veterans Affairs Data Breach Class Action

The Eleventh Circuit decided a case about a month ago that is worth a brief mention:  Perkins v. Dept of Veterans Affairs.  [pdf]

The case arose out of the loss of a Veterans Affairs hard drive which contained "names, social security numbers, birth dates, and healthcare files of more than 198,000 living veterans."  In the class action that predictably ensued, plaintiffs brought suit under the Privacy Act, alleging that the VA's security plan did not comply with their own rules for securing data and the VA had failed to adequately supervise an IT specialist who was involved.  (These were the findings of the Office of the Inspector General.)  So far so good.

The problems centered around damages:
Perkins and Qualls claim the stress caused by their fear of identity theft and arising from their loss of trust in the VA as the provider of their medical care aggravated their PTSD symptoms. Both men assert that the sleeplessness, isolation, anxiety, and anger that characterize their PTSD have grown worse than before.  Perkins received additional medication from his doctor, and Qualls has had his dosage increase.
The district court dismissed the claims for failure to show actual pecuniary damages.  The Eleventh Circuit found that the Privacy Act required proof of actual damages in order to be entitled to statutory damages, and found that here there was no showing by plaintiffs on actual damages.

Quick thoughts about the decision:
  1. It seems pretty much in line with the recent state law data breach cases - no out of pocket, no recovery..the only tweak was that here there was some allegation of physical damage, and under the laws of some states this may suffice.
  2. There was plenty of precedent to back up the court's conclusion, but it sure seems based on a strained reading of the statute ("in no case shall a person entitled to recovery receive less than the sum of $1,000") - what's the point of having statutory damages if you require actual damages (from a standing standpoint, plaintiffs made a sufficient showing).
  3. There was actually an allegation of out of pocket damages made by plaintiffs but they seemed to have abandoned it?  Not really sure what to make of this.
  4. This is neither here nor there, but I was not a fan of the military references in the opinion ("Perkins and Qualls attempt to march around Fitzpatrick"; "Perkins and Qualls attempt to tunnel under it"; "Perkins and Qualls lay siege to it") - this really doesn't work in an opinion for me, and I have no idea why judges do this.  It almost felt condescending in this opinion and typically distracts from the substance.  Note to judges:  avoid infusing your opinion with any sort of a "theme" at all costs!
I'm not sure what's at all remarkable about the case.  I'm torn as to whether it's an unduly harsh result, or whether the court sensed a lawyer-fueled class action supported by no actual damages.  Either way, it illustrates that regardless of the magnitude of a data breach, the consumer/end user rarely ends up recovering money damages.

Addedcomments from David Sugerman who is handling a health records data breach class action in Oregon against Providence.
  • No trackbacks exist for this post.
  • No comments exist for this post.
Leave a comment

Submitted comments are subject to moderation before being displayed.

 Name (required)

 Email (will not be published) (required)


Your comment is 0 characters limited to 3000 characters.