IN RE: DEPARTMENT OF VETERANS AFFAIRS (VA) DATA THEFT LITIGATION - MDL 1796
Memorandum in opposition to Motion to Dismiss or, in the Alternative, Motion for Summary Judgment
D.D.C., March 28, 2007

UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA

In Re: DEPARTMENT OF VETERANS AFFAIRS (VA) DATA THEFT LITIGATION
Misc. Action No. 06-0506 (JR)
MDL Docket No. 1796
This Document Relates To: ALL CASES

PLAINTIFFS’ JOINT OPPOSITION TO DEFENDANTS’ MOTION TO DISMISS OR, IN THE ALTERNATIVE, FOR SUMMARY JUDGMENT

Pursuant to Federal Rules of Civil Procedure 7 and 56, Local Civil Rules 7 and 56.1, and the Court’s February 28, 2007, Order, Plaintiffs hereby submit their joint opposition to Defendants’ Motion to Dismiss or, in the Alternative, for Summary Judgment. The Court should deny Defendants’ motion in its entirety because: first, as to the motion to dismiss, the Court has jurisdiction over, and can grant relief for, the statutory violations Plaintiffs alleged in their legally sufficient Complaints; and, second, as to summary judgment, there are numerous genuine issues of material fact for trial, as shown in the attached Memorandum of Points and Authorities. Plaintiffs request oral argument on this motion.

Respectfully submitted,

/s/ Douglas J. Rosinski
Donald A. Cockrill
Douglas J. Rosinski
Ogletree, Deakins, Nash, Smoak & Stewart, P.C.
1320 Main Street, Suite 600
Columbia, SC 29201
(803) 252-1300
(803) 254-6517 (fax)
Counsel in No. 1:06-CV-01038(JR)

John C. Murdock
Jeffrey S. Goldenberg
Murdock Goldenberg Schneider & Groh, LPA
35 E. 7th Street, Suite 600
Cincinnati, OH 45202
(513) 345-8291
(513) 345-8294 (fax)
Counsel in No. 1:06-CV-01943(JR)

Case 1:06-mc-00506-JR Document 20 Filed 03/28/2007 Page 1 of 77

Marc D. Mezibov
Christian A. Jenkins
Mezibov & Jenkins, LLP
401 E. Court Street, Suite 600
Cincinnati, OH 45202
(513) 723-1600
(513) 723-1620 (fax)
Counsel in No. 1:06-CV-01943(JR)

Gary E. Mason
The Mason Law Firm, L.L.P.
1225 19th Street, N.W., Suite 500
Washington, DC 20036
(202) 429-2290
(202) 429-2294 (fax)
Counsel in No. 1:06-CV-01943(JR)

Mark D. Smilow
Weiss & Lurie
The French Building
551 Fifth Avenue, Suite 1600
New York, NY 10176
(212) 682-3025
(212) 682-3010 (fax)
Counsel in No. 1:06-CV-01944(JR)

Alexander E. Barnett
The Mason Law Firm, L.L.P.
1120 Avenue of the Americas, Suite 4019
New York, NY 10036
(212) 362-5770
(917) 591-5227 (fax)
Counsel in No. 1:06-CV-01943(JR)

Dated: March 28, 2007

STATEMENT OF GENUINE ISSUES

1. Whether anyone appropriately authorized John Doe’s “fascination project” or had knowledge that the project included obtaining and using veterans’ social security numbers despite the veterans’ expressed withholding of permission for such use.

2. Whether Privacy Act records or other personal information was copied from the computer hard drive stolen on May 3, 2006, without leaving any detectable traces.

3. Whether John Doe was acting as a VA employee when he intentionally and willfully downloaded Privacy Act records onto his personal media and removed them from the VA workplace to his home.

4. Whether John Doe’s supervisors and managers knew of John Doe’s work at home, but willfully and intentionally failed to require appropriate safeguards in violation of applicable regulations, policies, and procedures.

5.
Whether Defendants’ employee John Doe was properly authorized to access and download files from the BIRLS system of records, or whether he was limited to viewing only one record at a time until Susan Krumhaus and Dat Tran, two senior VA employees, aided John Doe in avoiding the authorization process by showing him how to access Privacy Act records prepared for Susan Krumhaus for other purposes.

6. Whether Defendants’ contractor Westat, Inc. (“Westat”) intentionally and willfully violated the Privacy Act by disclosing veterans’ Social Security numbers (“SSNs”) to John Doe and Susan Krumhaus.

7. Whether Susan Krumhaus’ direction to Westat, Inc. to produce veterans’ SSNs for John Doe’s “fascination project” was a willful and intentional violation of the Privacy Act prohibition on the unauthorized use of personal information.

8. Whether Defendants complied with the mandatory requirements of the “Privacy Act Guidelines - July 1, 1975” published in the Federal Register on July 9, 1975.

9. Whether Defendants complied with the mandatory requirements in 38 C.F.R. § 1.576 regarding safeguarding individuals against an invasion of privacy; collecting, maintaining, using, or disseminating records of personally identifiable information in a manner that assures that such information is for a necessary and lawful purpose; and ensuring that adequate safeguards are provided to prevent misuse of such information.

10. Whether Defendants complied with the mandatory requirements in federal rules, regulations, procedures and guidance documents that established minimum standards for Defendants’ actions in gathering, maintaining, disclosing, using, and safeguarding Privacy Act records, including, but not limited to, Office of Management and Budget (“OMB”) Circular A-130, National Institute of Standards and Technology (“NIST”) Federal Information Processing Standards Publication 199, NIST Special Publication 800-14, NIST Special Publication 800-18, NIST Special Publication 800-53, NIST “Federal Information Technology Security Assessment Framework,” General Accounting Office “Federal Information System Control Audit Manual,” and relevant VA policies and procedures, such as VA Directive 0710, which required background screenings for employees that required access to VA information systems, and VA Handbook 6300.5, entitled “Procedures for Establishing and Managing Privacy Act Systems of Records.”

11. Whether Defendants only disclosed personal information maintained by VA (1) upon written authorization of the individual to whom the information pertained or (2) to persons who had been authorized to access the information pursuant to applicable regulations and procedures, and then only for specified “routine” uses.

12. Whether Defendants’ nearly three-week delay in publicly announcing the May 3, 2006, theft of Privacy Act records was an intentional and willful attempt to cover up Defendants’ pattern of thwarting regulations, policies, procedures, and practices intended to implement the Privacy Act.

13. Whether the Federal Register description of the BIRLS system of records effective on May 3, 2006, misled active duty personnel as to whether they were included in the database.

14.
Whether Defendants willfully and intentionally failed to reveal that active duty personnel were included in the stolen Privacy Act records, and later willfully and intentionally provided false information regarding the number of active duty personnel affected, to conceal the defective BIRLS Federal Register notice.

15. Whether Defendants intentionally and willfully failed to implement mandatory OMB and NIST requirements for data security and safeguards.

16. Whether Defendants intentionally and willfully failed to perform the employee background checks required by their own procedures.

17. Whether the admitted “gap” between Defendants’ procedures and Privacy Act requirements was the result of Defendants’ willful and intentional acts or merely professional incompetence exceeding gross negligence.

18. Whether John Doe was properly authorized to access Privacy Act records although he did not meet the procedural requirements for such authorization.

19. Whether Defendants performed any analyses to determine the security threats or risks to the Privacy Act records under their control.

20. Whether the scenario of an agency employee downloading Privacy Act records from a computer system without software or hardware barriers and removing the data from the VA workplace was a reasonably foreseeable security threat.

21. Whether Defendants intentionally and willfully misled Congress, Plaintiffs, and the public regarding the procedural requirements in effect on May 3, 2006, in order to avoid responsibility for their Privacy Act violations.

Respectfully submitted,

/s/ Douglas J. Rosinski
Donald A. Cockrill
Douglas J. Rosinski
Ogletree, Deakins, Nash, Smoak & Stewart, P.C.
1320 Main Street, Suite 600
Columbia, SC 29201
(803) 252-1300
(803) 254-6517 (fax)
Counsel in No. 1:06-CV-01038(JR)

John C. Murdock
Jeffrey S. Goldenberg
Murdock Goldenberg Schneider & Groh, LPA
35 E. 7th Street, Suite 600
Cincinnati, OH 45202
(513) 345-8291
(513) 345-8294 (fax)
Counsel in No. 1:06-CV-01943(JR)

Marc D. Mezibov
Christian A. Jenkins
Mezibov & Jenkins, LLP
401 E. Court Street, Suite 600
Cincinnati, OH 45202
(513) 723-1600
(513) 723-1620 (fax)
Counsel in No. 1:06-CV-01943(JR)

Gary E. Mason
The Mason Law Firm, L.L.P.
1225 19th Street, N.W., Suite 500
Washington, DC 20036
(202) 429-2290
(202) 429-2294 (fax)
Counsel in No. 1:06-CV-01943(JR)

Mark D. Smilow
Weiss & Lurie
The French Building
551 Fifth Avenue, Suite 1600
New York, NY 10176
(212) 682-3025
(212) 682-3010 (fax)
Counsel in No. 1:06-CV-01944(JR)

Alexander E. Barnett
The Mason Law Firm, L.L.P.
1120 Avenue of the Americas, Suite 4019
New York, NY 10036
(212) 362-5770
(917) 591-5227 (fax)
Counsel in No. 1:06-CV-01943(JR)

Dated: March 28, 2007

TABLE OF CONTENTS

MEMORANDUM OF POINTS AND AUTHORITIES ... 1
STATEMENT OF FACTS ... 2
  I. Conceded Facts ... 2
  II. The Rest of the Facts ... 3
    A. How John Doe Obtained the Personal Information ... 3
    B. The “Fascination Project:” Neither John Doe’s File Access Nor Work Task Was Authorized ... 5
    C. Senior VA Employee Aided John Doe’s Unauthorized Fascination Project ... 6
    D. The Post-Theft Loss of Highly Relevant Evidence ... 7
    E. Defendants Go Public ... 9
    F.
VA Admits to Privacy Act Violations ... 10
    G. Debunking Defendants’ Factual Spin ... 11
    H. Data Thieves and the Black Market of Private Information ... 13
    I. Defendants Failed To Implement Adequate Information Safeguards ... 14
    J. Defendants Ignored Mandatory Requirements for Information Safeguards ... 18
    K. The VA OIG Report: Hardly the Last Word ... 20
APPLICABLE LAW ... 21
  I. Standards For Motions to Dismiss and Summary Judgment ... 21
  II. The Privacy Act ... 22
  III. Administrative Procedure Act ... 25
ARGUMENT ... 26
  I. The Motion To Dismiss Is Without Basis ... 26
    A. The Complaint Fully Complies With Rule 8 ... 26
    B. All Plaintiffs Have Standing ... 30
      1. Individual Plaintiffs Have Standing Under the Privacy Act ... 30
      2. Individual and Organizational Plaintiffs Have Standing Under the APA ... 31
    C. Plaintiffs Alleged Injury In Fact and Causation ... 34
    D. Plaintiffs’ APA Claim Satisfies Rule 12 ... 35
      1. Plaintiffs Challenged Final Agency Action ... 35
      2. Plaintiffs Alleged Specific Violations ... 36
      3. Plaintiffs Alleged Injury From Defendants’ APA Violations ... 37
    E. Plaintiffs’ Privacy Act Claim Satisfies Rule 12 ... 37
      1. Plaintiffs Adequately Alleged Intentional and Willful Behavior ... 397
      2. Plaintiffs Alleged Multiple Unauthorized Disclosures ... 39
        a. No Disclosure Needed for Safeguards Violations ... 39
        b. Defendants Ignored the Government’s Own Definition of “Disclosure” ... 40
        c. John Doe’s Access to and Transfer of Plaintiffs’ Records Was Unauthorized Disclosure ... 40
        d. Additional Disclosure(s) ... 42
      3. Defendants’ Remaining Assertions of Failure to State a Claim Must Fail ... 43
      4. Non-Pecuniary Damages Are Allowable ... 44
    F. Plaintiffs Consent To Dismissal Of Their Bivens Claims At This Juncture Without Prejudice To Their Right To Seek Leave To Refile Such Claims If Warranted By Subsequent Discovery ... 46
  II. The Motion For Summary Judgment Should Be Denied ... 47
    A. Defendants’ Purported “Facts” Are Largely Inadmissible ... 47
    B. The Motion for Summary Judgment Is Exceedingly Premature ... 48
    C. Defendants Illegally Disclosed Privacy Act Files To John Doe ... 48
      1.
John Doe’s Authorized Access Was Extremely Limited ... 49
      2. Defendants Conflate Privacy Act Authorization With Agency Need ... 52
      3. The Facts Also Refute Defendants’ Task Authorization Claims ... 52
      4. The “Fascination Project” ... 56
    D. Defendants’ Officials Admitted to Privacy Act Violations ... 59
    E. Defendants Admitted to APA Violations ... 60
    F. Defendants Maintained An Unauthorized System of Records ... 61
    G. Defendants Failed to Properly Publish Notice of and Account for Systems of Records ... 62
    H. No Legitimate Privacy Act Safeguards Existed ... 63
      1. Defendants Ignored Mandatory Federal Information Security Requirements ... 64
      2. Defendants’ Failures to Base Information Safeguards on Obvious Threats Exceed the Standards of Conduct For Gross Negligence ... 66
CONCLUSION ... 69

MEMORANDUM OF POINTS AND AUTHORITIES IN OPPOSITION TO DEFENDANTS’ MOTION TO DISMISS OR, IN THE ALTERNATIVE, FOR SUMMARY JUDGMENT

This litigation seeks to hold the Department of Veterans Affairs (the “VA”) accountable for a massive violation of the privacy rights of approximately 26.5 million military personnel, veterans, and citizens. The cause of and responsibility for this massive breach rest squarely on the shoulders of the Defendants. They ignored basic security risks, failed to enforce the few security requirements that were implemented, shrugged off repeated and long-standing criticism of security vulnerabilities, and were woefully out of compliance with mandatory federal information security practices. Through Defendants’ failure to safeguard Plaintiffs’ information, they intentionally, willfully, arbitrarily, and capriciously placed the information at great risk, resulting in an unlawful disclosure of the private information.

The public drama surrounding the May 3, 2006, theft of Privacy Act records and other personal information from the home of a VA employee was merely the culmination of a massive failure by Defendants which inflicted adverse effects and damages upon Plaintiffs. Defendants’ systemic failure to ensure even rudimentary Privacy Act compliance enabled a single employee, who had appropriate authorization neither to access nor to transfer the data files in bulk, to literally walk out the door with more than 26.5 million Privacy Act records containing a massive cache of personal identifying information. But rather than take responsible measures to safeguard this information, Defendants instead abdicated their lawful duties, and intentionally and willfully placed the information at grave risk of disclosure.
The net effect of these failures ultimately guaranteed the inevitable disclosure of the information. This should not stand, and the Court should allow Plaintiffs to proceed in this action.

STATEMENT OF FACTS

Defendants falsely decry the Complaints’ purported factual scarcity. In what follows, Plaintiffs comprehensively set forth the known facts and the citations to admissible evidence from which they were gleaned.

I. CONCEDED FACTS

Only the most basic facts, staggering in their own right, are acknowledged by Defendants. On Wednesday, May 3, 2006, a laptop computer and an external hard drive were stolen from the Maryland home of a VA employee.[1] Review of Issues Related to the Loss of VA Information Involving the Identity of Millions of Veterans (July 11, 2006) (“VA OIG Rep’t”)[2] (attached as Ex. 1) at i-ii; “Defendants’ Memorandum in Support of Defendants’ Motion to Dismiss or, in the Alternative, For Summary Judgment” (Nov. 20, 2006) (“Defs.’ Mem.”) at 1. The laptop and hard drive were John Doe’s personal property. Id. at i; Defs.’ Mem. at 1-2. John Doe’s stolen hard drive contained files downloaded from VA computers with “personal information pertaining to millions of veterans” (the “Personal Information”). Id. at ii, 3; Defs.’ Mem. at 2. The stolen Personal Information included Privacy Act records containing individual identifying information including, but not limited to, names, addresses, phone numbers, social security numbers, and dates of birth. In addition, a number of records contained disability information and information related to possible exposure to biological and chemical agents. Neither the laptop computer nor the hard drive was stored in a security container and none of the Personal Information was encrypted or similarly protected. Id. at 7; Defs.’ Mem. at 2.

[1] To protect the privacy of this individual, Plaintiffs refer to this VA employee as “John Doe.”

[2] The VA OIG Report contains multiple admissions. Plaintiffs’ use of these admissions is permitted pursuant to Fed. R. Evid. 801(d)(2) because they qualify as “Statements Which Are Not Hearsay.” Czekalski v. Peters, Secretary of Transportation, 475 F.3d 360, 366 (D.C. Cir. 2007) (Court permits the use of OIG Report against the federal government relying in part on Rule 801(d)(2)); Hurd v. United States of America, 134 F. Supp. 2d 745, 749 (D.S.C. 2001) (Court admits statements of Coast Guard witnesses as admissions of party opponent pursuant to Rule 801(d)(2)); Six v. United States of America, 71 Fed. Cl. 671, 684 (Ct. Cl. 2006) (Court recognizes that a Veterans Benefit Administration Table and a VA Directive would normally be admissible pursuant to Rule 801(d)(2)).

II. THE REST OF THE FACTS

As troubling as the foregoing facts are, the facts just beneath the headlines, and ignored by Defendants, define the contours of this case and will establish Defendants’ liability. Moreover, as opposed to Defendants’ superficial and sole reliance on materials such as summary reports and press releases, Plaintiffs base these facts on documents verified as true and correct copies obtained from VA.[3] See Affidavit of Jonathan G. Axelrod (Mar. 26, 2007) (attached as Ex. 2).

A. How John Doe Obtained the Personal Information

For years John Doe accessed, used, and transferred files of Personal Information onto his personal computer storage media (e.g., floppy disks, Compact Disks (“CDs”), Digital Versatile Disks (“DVDs”) and memory “sticks”) without complying with the requirements for access to VA Privacy Act systems of records. Sworn Testimony of John Doe, Information Technology Specialist, to OIG Inspectors (May 17, 2006) (“Doe May 17 Test.”) (attached as Ex. 2, Att. 5) at 19-22.
Defendants admit that the Personal Information John Doe transferred from VA’s computer systems included individual identifying information from VA Privacy Act systems of records, e.g., “Veterans and Beneficiaries Identification and Records Location Subsystem - VA” (“BIRLS”), the VA “Compensation, Pension, Education and Rehabilitation Records - VA, System No. 58VA21/22” (“C&P”), the 2001 National Survey of Veterans (“NSV”), and the Veterans Health Administration (“VHA”) National Enrollment Data file. VA OIG Rep’t at 7-8; see also Email from John Doe to distribution (May 18, 2006) (attaching a document describing best recollection of files on the stolen hard drive) (attached as Ex. 2, Att. 6). John Doe, however, was authorized only “sensitive level ‘0’ (zero) access” to BIRLS, which permitted him to view only one record at a time and with no copying or downloading of files. Email from [redacted], VBAVACO, to [redacted], OIG, “OIG Request for Information” (May 19, 2006) (“VBAVACO Email”) (attached as Ex. 2, Att. 7); see also Sworn Testimony of [redacted], Information Technology Specialist, to OIG Investigators (May 18, 2006) (“IT Specialist Test.”) (attached as Ex. 2, Att. 8) at 11-12 (John Doe “had limited access” to VA databases). Thus, the first genuine issue is presented.

[3] The following factual rendition is based upon the limited information available to Plaintiffs. It is strictly the product of their own investigation thus far, without any discovery being allowed by the Court. See also Plaintiffs’ Rule 56(f) Motion For Discovery filed March 2, 2007.

Frustrated with his limited access, John Doe, with the aid of his VA co-workers, ignored and subsequently bypassed the restriction. Sworn Testimony of John Doe, Information Technology Specialist, to OIG Inspectors (June 16, 2006) (“Doe June 16 Test.”) (attached as Ex. 2, Att. 9) at 21-22 (access VA granted was “useless” because he had “thousands of people to look for” and he was “not going to do them one by one.”); see also id. at 103 (“we were extremely frustrated in trying to get this file. We were - we were really - there was a lot of foot-dragging.”). John Doe’s bypass of the access restriction involved fellow VA employees Dat Tran and Susan Krumhaus, who devised a method for John Doe to download the massive BIRLS files that ultimately were stolen from his home without obtaining the access authorization he had repeatedly been denied. Doe May 17 Test. at 69-70; Sworn Testimony of Susan Krumhaus, Supervisory Statistician, to OIG Investigators (May 22, 2006) (“Krumhaus Test.”) (attached as Ex. 2, Att. 10) at 20-21; see also Doe June 16 Test. at 21-22 (VA authorizing officials “were trying to put us off, and we knew it was baloney because there was this ongoing file that was prepared every quarter for Susan Krumhaus.” Dat Tran suggested that “we’ll do it that way.”). In this fashion, John Doe obtained the ability to, and did, download massive amounts of BIRLS Privacy Act record files and saved them to his personal hard drives, DVDs, CDs, and memory stick. Doe May 17 Test. at 21-22; Doe June 16 Test. at 39. This was not a serendipitous task, as the BIRLS file alone was so massive that John Doe had to break the database into separate files, compress each file, and transfer each file onto separate DVDs for later download onto his personal computer. Doe May 17 Test. at 22. John Doe then transferred the files of the Personal Information he removed from the VA system onto a personal external hard drive, which he stored in a drawer in his home. Doe May 17 Test. at 41 (John Doe kept the hard drive “in a dresser drawer up in my bedroom”). There were no safeguards. Id. at 40 (“physical security was something I took for granted”).
Further, no accounting or inventory of the transferred records was maintained or even attempted. Doe May 17 Test. at 8 (“I had no inventory” and was “guessing as to what was on my hard drive that belonged to VA when it was stolen”).[4] John Doe asserts that he did not receive formal permission to remove the BIRLS records from the VA information system or to transfer the information onto his personal storage device. Doe June 16 Test. at 81; see also Doe May 17 Test. at 39 (“And I never attempted to ask permission. I didn’t ask permission to do that.”).

[4] According to VA, much of Defendants’ investigatory effort during the period between the hard drive theft and public acknowledgement of the event was expended attempting to figure out what records had been disclosed. See, e.g., VA OIG Rep’t at 10-16.

B. The “Fascination Project:” Neither John Doe’s File Access Nor Work Task Was Authorized

Although now downplayed by Defendants, it remains that there was no authorized, bona fide purpose for John Doe’s collection of Privacy Act record files at his home. Defs.’ Mem. at 66 (“Mr. Doe sought to help veterans”); 67 (“he did not commit any act” that was ‘patently egregious’ or ‘unlawful’). Right after the breach was made public, however, VA Secretary Nicholson was clear that John Doe’s access was not authorized. See Sworn Testimony of R. James Nicholson to the House Veterans’ Affairs Committee (May 25, 2006) (“Nicholson House Test.”) (attached as Ex. 3) at 16 (John Doe “put on administrative leave pending further action”) and “VA to fire data analyst responsible for records breach,” GOVEXEC.com (May 31, 2006) (attached as Ex. 4) (VA announced “that it has initiated the process of firing [John Doe]”). John Doe himself admitted that he transferred the Personal Information records to his home to perform work on a personal “fascination project” he began in 2003. Doe June 16 Test. at 138-39; see also Doe May 17 Test. at 14 (“this whole process of trying to identify these veterans fascinated me”); 30 (“the project that I keep calling the ‘fascination project,’ that wasn’t something I could really spend time on at the office.”). The project involved stripping the anonymity from veterans who had provided personal information to the 2001 NSV in order to establish the actual identity of veterans to whom VA had promised anonymity. Doe May 17 Test. at 17 (“I was trying to establish ID for the participants” in the 2001 NSV); see generally Doe June 16 Test. at 105-108, 110-128.

Plainly, the purpose of John Doe’s “fascination project” was purely personal. See Doe May 17 Test. at 14 (“I had a personal interest in this project”); 31 (he was “personally interested in identifying those NSV vets.”); Sworn Testimony of Dennis Duffy, Acting Assistant Secretary, to OIG Investigators (May 18, 2006) (“Duffy May 18 Test.”) (attached as Ex. 2, Att. 11) at 10 (work at home was “self-initiated”). John Doe’s personal motive underlying his “fascination project” was his resentment towards getting “hammered” and having his work referred to as “worthless” because his NSV analyses did not meet expectations. Doe June 16 Test. at 125. So John Doe conceived his “fascination project” not to better future NSV surveys, which he admitted was “my excuse” for possessing the files, Doe May 17 Test. at 14, but to respond to what he perceived as unfair “criticism about the end results” denigrating his professional performance. Doe June 16 Test. at 144.

C. Senior VA Employee Aided John Doe’s Unauthorized Fascination Project

In furtherance of his “fascination project,” John Doe, aided by his then supervisor, Susan Krumhaus, coerced the NSV contractor, Westat, Inc. (“Westat”), into providing Doe and Krumhaus thousands of SSNs of veterans who had provided personal information to Westat in confidence. Doe June 16 Test. at 128 (to get the SSNs from Westat, “Susan asked them.”).
Westat at first refused to turn over the SSNs because of concerns regarding doing so. See id. at 13 (“They said, ‘No. Our internal review board has met on this. It would be unethical for us to give you the [SSNs] for those people because we didn’t ask them for permission.’”). But Westat eventually provided the information. Id. at 15 (“They finally said, ‘Well, okay.’”). There was, however, no official need, nor was John Doe or Susan Krumhaus authorized to use VA Privacy Act record information for this “fascination project.”

To defend his personal reputation, John Doe, aided by Susan Krumhaus, and armed with the personal information of every living veteran, set off to prove that it was the veterans who were causing the inaccurate NSV results and not him. Doe June 16 Test. at 122-28. One of his theories was that the NSV was asking “a lot of tricky questions for older people especially to answer.” Id. at 124. Beginning in 2003, therefore, VA employee John Doe combined the NSV veterans’ SSNs coerced from Westat, the BIRLS and C&P records transferred from Defendants’ computer systems, and phone numbers and other information from products such as “AT&T’s AnyWho” and “SelectPhone” to create a new system of records of “identified” NSV veterans. Doe May 17 Test. at 14-17; Doe June 16 Test. at 136. These systems of records contained a unique collection of information that could be retrieved by the name of an individual or by some identifying number, symbol, or other identifying particular assigned to an individual. Doe June 16 Test. at 124-38. The individuals whose personally identifying information was contained in these records were not provided notice of the system or systems of records. Id. at 138 (never informed anyone of the resulting file).

D. The Post-Theft Loss of Highly Relevant Evidence

Amazingly, following the theft, no VA official took into custody John Doe’s original floppy disks, CDs, DVDs or memory stick, or sought to preserve these plainly relevant items of evidence, until approximately two weeks later. Mr. Doe thus retained physical possession of approximately seventeen CDs known or suspected to contain Privacy Act records for approximately two weeks after the theft was reported to VA officials. Doe June 16 Test. at 65; see also id. at 73 (“I didn’t turn [the CDs] over to anyone.” “They went into my drawer in the same plastic bag that I brought them from home in, and there they sat until Mr. Duffy asked for them.”). As a result, one or more of the original CDs and an unknown number of other media were destroyed by John Doe. Id. at 64 (“I’d break the CD in question in part with my hands. I’d break them into four pieces.”). Even more troubling, Dennis Duffy, a senior VA official, ordered the deletion of files from Mr. Doe’s memory stick, which Mr. Duffy knew contained VA Privacy Act records removed from the VA system by John Doe. Duffy May 18 Test. at 11-12 (“So we have the memory stick, but I’m not sure it has any real probative value for you.”); Doe June 16 Test. at 74.

Mr. Duffy also testified that it was his recollection that Defendant Nicholson had been informed of the May 3, 2006, Privacy Act records theft well before the date that Defendant Nicholson testified to Congress. Sworn Testimony of Dennis Duffy, Acting Assistant Secretary, to OIG Investigators (June 1, 2006) (“Duffy June 1 Test.”) (attached as Ex. 2, Att. 12) at 67. Yet Defendants failed to inform Plaintiffs, or any other affected individuals, of VA’s loss of the Personal Information until May 22, 2006, 19 days after the reported theft.
This chronology is contrary to Defendant Nicholson’s post hoc public statements that he had not been first informed until nearly two weeks after the theft. See Nicholson House Test. at 7. In reality, the delay was due to Defendants’ purely political fear of admitting to the massive security breach before the May 10, 2006, White House announcement of Executive Order 13402, “Strengthening Federal Efforts To Protect Against Identity Theft,” in which Defendant Nicholson was to be appointed as a member of an “Identity Theft Task Force.” See Office of the Press Secretary, “Executive Order: Strengthening Federal Efforts to Protect Against Identity Theft” (May 10, 2006) (attached as Ex. 23). This was clearly not a valid reason to delay informing Congress or veterans of the records theft.

E. Defendants Go Public

On May 22, 2006, Defendant Nicholson announced the massive breach at issue in this case to media outlets and instructed veterans to take steps “to protect themselves from misuse of personal information.” Hackett Case, E.D.Ky. Doc. No. 18, Ex. A. In a letter sent by mail to all veterans on or about June 3, 2006, the VA instructed veterans to be “extra-vigilant and to carefully monitor bank statements, credit card statements and any statements relating to financial transactions.” Id. Ex. H. The letter also provided contact information for the three major credit reporting bureaus - Equifax, Transunion and Experian - each of which sells credit and/or identity monitoring services. Notably, these companies reported a 171% spike in consumer inquiries in response to the public announcement by the VA. Id. Ex. D. Defendants encouraged the purchase of these services by veterans when, on June 21, 2006, Defendant Nicholson publicly announced that credit monitoring would “help safeguard” affected veterans and “provide them with the peace of mind they deserve.” Id. Ex. I.
In response to these warnings, Plaintiff Hackett, along with thousands of other individuals whose confidential information had been disclosed, purchased credit and/or identity monitoring services to protect them from the risk of identity theft. Id. Doc. No. 3, ¶ 6; Affidavit of Paul Lewis Hackett III (Mar. 27, 2007) (“Hackett Aff.”) (attached as Ex. 22) ¶ 10. Indeed, even with the limited discovery permitted before these cases were moved to the District of Columbia, Plaintiffs in the Hackett case were able to confirm that at least 4,300 individuals had purchased monitoring services from a small provider in direct response to Defendants’ announcement of the disclosures at issue in this case. Id. Doc. No. 18, Exs. J and K. Accordingly, Defendants’ disclosures have caused the named Plaintiffs as well as thousands of members of the proposed class to incur actual pecuniary damages. The other named Plaintiffs also suffered harm. Defendants’ revelations that Plaintiffs’ personal information had been stolen, Defendants’ conflicting statements regarding the need for credit monitoring and the government’s purchase of monitoring on behalf of veterans, Defendants’ ever-changing representations and misrepresentations regarding the number and types of individuals affected by the theft, and Defendants’ demonstrated inability to prevent the theft in the first place, contributed to Plaintiffs’ real fear of identity theft and emotional distress over their personal security, financial integrity and credit. See Affidavit of Charles L. Clark (Mar. 16, 2007) (“Clark Aff.”) (attached as Ex. 5) ¶¶ 7-9; Affidavit of David Cline (Mar. 21, 2007) (“Cline Aff.”) (attached as Ex. 6) ¶¶ 12-14; Affidavit of James E. Malone (Mar. 20, 2007) (“Malone Aff.”) (attached as Ex. 7) ¶¶ 11-13; Affidavit of John Rowan (Mar. 22, 2007) (“Rowan Aff.”) (attached as Ex. 8) ¶¶ 10-11.
Defendants’ actions indisputably adversely affected everyone whose information was mishandled.

F. VA Admits to Privacy Act Violations

Defendants’ unrepentant moving papers stand in stark contrast to Defendants’ earlier contrite public confessions of comprehensive failure and responsibility. Defendant Nicholson himself confessed in sworn testimony that: I am the person ultimately responsible to our veterans, and therefore responsibility for this situation rests on me. . . . Ever since 1999, the VA has gotten low marks from the IG on its information and cyber security programs. Last year, the GAO flunked the VA on its cyber security system. . . . [W]e know virtually nothing about these people that have access to these enormous amounts of data - for example, this individual having the entire veterans’ file, one person [referring to John Doe], who has not, to our knowledge, had a background check for 32 years. Nicholson House Test. at 9 (emphasis added). The VA’s top attorney admitted: Yeah. There’s a lot to it, but I think if - if the question is, is it a Privacy Act violation, there’s no question. It is. Yes. It’s a Privacy Act violation. For a custodian of personally identified information to disclose that, without the permission of the person outside of the Privacy Act notification that is in federal regs - in other words, we collect private information through a Privacy Act notification that’s - like everybody else does, and there are uses that we can use this private information for, health care benefits, all sorts of things, but if it’s disclosed to someone outside the agency without permission and not in accordance with one of these uses, then it’s an unauthorized disclosure. Sworn Testimony of Tim S. McClain, VA General Counsel, to Investigators of the VA Office of Inspector General (May 18, 2006) (“McClain Test.”) (attached as Ex. 2, Att. 13) at 6 (emphasis added).
In this instance, it was clear - and the individual involved [John Doe] will clearly tell you that he knew . . . [t]he violation of the Privacy Act, absolutely. Duffy May 18 Test. at 36 (emphasis added). [The VA Chief of Staff’s] response to me again was twofold. One is, ‘Oh my God. Timing couldn’t be worse.’ The president had just released or was about to release, I guess, the Executive Order on the Task Force on Personal Privacy. . . . They were about to announce the establishment of the task force, and he said, ‘You know, God, this isn’t going to sit well.’ Duffy June 1 Test. at 9 (emphasis added). Lacking all candor, nowhere in Defendants’ filing do they disclose to the Court these contemporaneous sworn admissions of liability. Indeed, the basic thrust of Defendants’ moving papers required them to ignore reality, including the sworn testimony of their highest officials. And to do this, Defendants are reduced to proffering sanitized, conclusory, and self-serving materials.

G. Debunking Defendants’ Factual Spin

Defendants’ bald assertion of “fact” that the “data on the hard drive was never accessed after the theft,” see Defendants’ “Statement of Material Facts As To Which There Is No Genuine Dispute” (“Defs.’ Facts”) ¶ 3 (emphasis added), is untrue. Information stored on computer hard drives, such as the portable device stolen from John Doe’s home, can be accessed and copied in a variety of ways. Affidavit of Kurt Uno Rudolph Edgar Lennartsson (Mar. 23, 2007) (“Lennartsson Aff.”) (attached as Ex. 9) ¶¶ 22, 62. Some of these methods leave no trace that copying has occurred; indeed, many methods of copying data from a hard drive leave no detectable indication of access or copying at all. Id. ¶¶ 23-32.
Thus, it could well be the case that the person or persons who stole the hard drive, or any subsequent person who took possession of it after the theft, used readily available hardware or software to copy all the files without any trace. Id. ¶ 63. Doing so would have allowed any data thief to start up the installed SAS application and access all the VA records stored in the SAS format. Id. ¶ 64. Additionally, widely available software would have allowed data thieves to easily bypass the SAS program entirely. SAS stores information in a file that can be read by several types of ubiquitous and commonly used general file reader software, including Microsoft “Notepad,” which is included in every version of the Windows operating system. Lennartsson Aff. ¶ 65. While the original formatting of the SAS data would not be preserved, all of the personal information such as names, addresses, and SSNs would have been clear and easily exploited. Id. The thief, therefore, could have copied the stolen hard drive information, taken it home, and used Notepad to open the SAS files. Id. He or she would then have complete access to all the Privacy Act information on the stolen hard drive. Id. In fact, this is the method that Defendants’ OIG investigators used to read the supposedly secure BIRLS SAS records. See Sworn Testimony of [redacted], to OIG Investigators (June 1, 2006) at 34 (attached as Ex. 2, Att. 14) (“when [OIG technicians] went to Notepad and Notepad just showed all the text and the tables”). In short, any security implied by Defendants because of the SAS format of the records was purely illusory. Moreover, with only minimal programming skills, a data thief could even develop a small program to strip all the SAS formatting information from the files and produce clean text files of the personal information. Lennartsson Aff. ¶ 65.
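The point made above, that an unencrypted container format offers no protection because the fields inside it are stored verbatim and are legible in any text editor, can be checked with the kind of exposure scan an incident responder runs over a recovered or lost data file. The example below is added here and is not part of the brief or of the Lennartsson affidavit; its toy binary container, its fake records, and its one-time-pad stand-in for real at-rest encryption are all constructed assumptions, not the SAS on-disk format.

```python
import os
import re
import struct

# Constructed sample records: fake names and deliberately invalid test SSNs.
SAMPLE_RECORDS = [
    ("DOE JOHN A", "123-45-6789", "19500101"),
    ("ROE JANE B", "987-65-4320", "19621115"),
    ("SMITH ALAN C", "000-12-3456", "19440730"),
]

MAGIC = b"\x00\x01TOYDS\x00\xff"  # binary header of the toy container


def build_dataset(records):
    """Pack records into a toy fixed-width binary container.

    Each row is preceded by a 2-byte length and followed by NUL padding, so
    the file as a whole is binary, yet every field inside it is stored
    verbatim, as in any unencrypted analytics format.  (Constructed toy
    layout, not the real SAS on-disk format.)
    """
    out = bytearray(MAGIC)
    for name, ssn, dob in records:
        row = f"{name:<20}{ssn:<12}{dob:<8}".encode("ascii")
        out += struct.pack(">H", len(row)) + row + b"\x00" * 5
    return bytes(out)


SSN_LIKE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def printable_runs(blob, min_len=4):
    """Runs of printable ASCII at least min_len long: the part of a binary
    file that a plain text editor such as Notepad renders legibly."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def find_ssn_like(blob):
    """SSN-shaped tokens recoverable from the raw bytes, in file order."""
    found = []
    for run in printable_runs(blob):
        found.extend(SSN_LIKE.findall(run))
    return found


def exposure_summary(blob):
    """What an incident responder reports for a lost or stolen data file:
    how many identifiers are legible without any special software."""
    ssns = find_ssn_like(blob)
    return {"ssn_like_values": len(ssns), "unique_identities": len(set(ssns))}


def encrypt_one_time_pad(blob):
    """Illustrative stand-in for real at-rest encryption (full-disk or
    per-file AES in practice): XOR with a fresh random pad as long as the
    data, never reused.  Returns (ciphertext, pad)."""
    pad = os.urandom(len(blob))
    return bytes(a ^ b for a, b in zip(blob, pad)), pad


if __name__ == "__main__":
    dataset = build_dataset(SAMPLE_RECORDS)
    print("unencrypted:", exposure_summary(dataset))     # 3 legible identities
    ciphertext, _ = encrypt_one_time_pad(dataset)
    print("encrypted:  ", exposure_summary(ciphertext))  # 0 legible identities
```

The same scan run on the encrypted bytes finds nothing, which is the difference between a proprietary format and actual encryption that the text draws.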
Even where specialized software, such as SAS, formats data (short of encrypting it) in a way that renders it unreadable by general programs such as Notepad, the data can easily be made readable again by using a simple program that removes the formatting and saves the information as generally formatted, readable text. Id. ¶ 66. There would be no way of detecting whether the data had been copied and then transformed in such a manner. Id. It is, therefore, impossible for Defendants to truthfully state that the Privacy Act records on the external hard drive recovered by VA have not been accessed by data thieves. Lennartsson Aff. ¶ 67. Second, Defendants misquote the FBI: the FBI itself never stated as an absolute certainty that the stolen hard drive was not accessed during the time it was missing. Id. ¶ 68. See also Defs.’ Mem., Exs. 4, 5. Rather, the FBI merely expressed that it was “highly confident” that the drive was “not compromised.” See Defs.’ Mem., Ex. 5; see also Lennartsson Aff. ¶ 68. In any event, without the results of the actual forensic analysis performed by the FBI, it is not possible to evaluate the technical basis for any such conclusion regarding hard drive access. Id. Thus, even accepting the FBI conclusion at face value, it must be limited strictly to copying methods that leave some trace of file access. This is because no analysis, by the FBI or anyone else, can accurately conclude that the hard drive data was not accessed. Id. ¶¶ 68, 69.

H. Data Thieves and the Black Market of Private Information

The reality that we will never know whether Plaintiffs’ Privacy Act records have been stolen cannot be over-emphasized. Sophisticated identity thieves do not conduct actual burglaries or data thefts, but rely on intermediaries to bring them devices, such as computers and hard drives, that are believed to contain identity information, which the identity thieves then purchase. Lennartsson Aff. ¶ 75.
The identity thieves then cull the information from the stolen devices using one or more of the tools described above. Id. Many of these thieves do not directly use the stolen identity information; instead they act as “wholesalers” who sell the information in small increments on an active black market to others for use in fraudulent transactions. Id. ¶ 76. As a practical matter, therefore, an experienced identity thief receiving more than 26 million identities would be able to process and systematically distribute and sell increments of the private information over time. Id. ¶ 77. Further, experienced data thieves would recognize that the public uproar over the loss of the veterans’ information would heighten vigilance regarding identity theft, and so the thieves will “lie low” until attention is diminished. Lennartsson Aff. ¶ 78. Finally, although the use of stolen identities to obtain credit cards and fraudulently purchase goods and services is widely known, stolen identities are increasingly being used to obtain employment and deter law enforcement in criminal investigations and civil legal matters. Id. ¶ 79. These improper non-financial uses, of course, would not show up on “credit watches” or similar services. In short, the 26.5 million affected persons remain at grave risk of identity theft. Defendants’ failure to recognize the true implications of the theft is telling, and this callousness permeates their moving papers.

I. Defendants Failed To Implement Adequate Information Safeguards

Years before the theft, beginning with guidelines issued in 1975, Defendants were required to comply with the “Privacy Act Guidelines - July 1, 1975” published in the Federal Register on July 9, 1975, unless the requirements therein were subsequently modified or eliminated. See generally 40 Fed. Reg. 28,949 (July 9, 1975) (attached as Ex. 10).
In addition, Defendants were required to comply with the Federal Register notice of the existence and character of each VA system of records (e.g., BIRLS, C&P). See Defs.’ Mem. at 63. Further, Department regulations required Defendants to safeguard an individual against an invasion of privacy, to collect, maintain, use, or disseminate records of personally identifiable information in a manner that assures that such action is for a necessary and lawful purpose, and to ensure that adequate safeguards are provided to prevent misuse of such information. See, e.g., 38 C.F.R. § 1.576; see also 40 Fed. Reg. 33,944 (Aug. 12, 1975) (attached as Ex. 11). At the same time, federal rules, regulations, procedures and guidance documents established minimum standards for Defendants’ actions in gathering, maintaining, disclosing, using, and safeguarding Privacy Act records and systems of records. The standards included, but were not limited to, Office of Management and Budget (“OMB”) Circular A-130, “Management of Federal Information Resources” (attached as Ex. 9, Att. 2), OMB Circular A-130, Appendix III, “Security of Federal Automated Information Resources” (attached as Ex. 9, Att. 3), National Institute of Standards and Technology (“NIST”) Federal Information Processing Standards Publication 199, “Standards for Security Categorization of Federal Information and Information Systems,” (“FIPS PUB 199”) (attached as Ex. 9, Att. 4), NIST Special Publication 800-14, “Generally Accepted Principles and Practices for Security Information Technology Systems” (attached as Ex. 9, Att. 5), NIST Special Publication 800-18, “Guide for Developing Security Plans for Federal Information Systems” (attached as Ex. 9, Att. 6), NIST Special Publication 800-53, “Recommended Security Controls for Federal Information Systems” (attached as Ex. 9, Att.
7), the NIST “Federal Information Technology Security Assessment Framework” (attached as Ex. 9, Att. 8), and the General Accounting Office “Federal Information System Control Audit Manual” (“FISCAM”) (attached as Ex. 9, Att. 9). Relevant VA policies and procedures included VA Directive 0710, which required background screenings for employees who required access to VA information systems, and VA Handbook 6300.5, entitled “Procedures for Establishing and Managing Privacy Act Systems of Records,” which established mandatory standards and requirements relevant to Defendants’ Privacy Act records management. There can be no doubt that Defendants were aware of inherent and obvious risks associated with the removal of data from a protected environment that could result in disclosure of Privacy Act records through loss or theft. In addition to the above controlling regulations and materials, the VA’s employee security training modules identified that the loss of personal computer equipment or storage media containing personal information, such as Privacy Act records, could be used for “theft and fraud.” Defs.’ Mem. at 64-65. This training material was clear that unprotected private media may present a security risk. Id. It is self-evident that an organization must “recognize” a security threat to design and implement training to address that threat. Remarkably, the VA ignored the foregoing mandatory federal standards and guidelines. Instead, the VA’s Privacy Act records safeguards consisted solely of these employee training modules. See, e.g., Defs.’ Mem. at 64-65, Defs.’ Facts ¶¶ 9-14. There were no software or hardware safeguards. True enough, training of employees is a necessary component of an adequate information security program. But it has long been commonly known and accepted in the data protection industry that training alone is inadequate to safeguard information. Lennartsson Aff.
¶ 55. In fact, arbitrary training, meaning training that is not based on a threat or security analysis specific to the computer system or systems intended to be safeguarded, is even less effective, because the training itself may be based on flawed or incorrect assumptions regarding the actual security threats. Id. This is because a safeguards system built solely on employee training can be compromised by a single failure to comply by a single employee, which can be caused either by intentional or unintentional acts. Id. ¶ 56. Thus, well before the theft even occurred, there was not merely a “gap,” see VA OIG Rep’t at 31-32, but there was a massive gulf between Privacy Act legal requirements of the VA and the actual VA policies and processes designed to ensure compliance with the Privacy Act. As a noteworthy example, there “were no institutional processes in place” to even determine who had security clearances or background checks. Sworn Testimony of Michael H. McLendon, Deputy Assistant Secretary for Policy, to OIG Investigators (May 31, 2006) (“McLendon Test.”) (attached as Ex. 2, Att. 15) at 82. In the VA office where John Doe worked “none of these people had ever gotten background checks.” Id. (emphasis added). Knowing this, Defendants stooped to misrepresenting the actual existence of the policies and procedures in place when the theft occurred. Dat Tran, Acting Director, Data Management and Analysis Service, reported to the OIG and the VA CIO that the “guidelines” document identified by Defendants as implementing the security requirements that John Doe allegedly violated on May 3, 2006, the “Security Guideline for Single-User Remote Access,” was actually created after the theft at 4:12 pm on May 22, 2006, not on March 10, 2006, as the date on the document indicated. Sworn Testimony of Dat Tran, Acting Director, to OIG Investigators (May 30, 2006) (“Tran May 30 Test.”) (attached as Ex. 2, Att.
16) at 3-8, 23-24, 45-47. See also McLendon Test. at 24-28. Jack Thompson, Deputy General Counsel, stated to OIG investigators that he personally told Defendant Nicholson that the backdated “guidelines” document was (1) relevant to the May 3, 2006, theft and (2) provided a specific basis to charge John Doe with willful violation of office policy. Sworn Testimony of Jack Thompson, Deputy General Counsel, to OIG Investigators (June 1, 2006) (“Thompson Test.”) (attached as Ex. 2, Att. 17) at 8-14. But the OIG specifically determined that both of these conclusions were erroneous. VA OIG Rep’t at 29 (the Security Guidelines document was not approved by VA at the time of the theft and, in any event, would not apply to the facts underlying the theft). Yet Defendant Nicholson testified under oath to the House Veterans’ Affairs Committee on May 25, 2006, that “we have a standing regulation, standing policy, that anybody who is authorized to take sensitive information outside of their work station has to have it encrypted.” Nicholson House Test. at 16. This statement was, of course, incorrect and misleading. Similarly absent from Defendants’ moving papers was that the VA official responsible for designating the security sensitivity of employee positions verbally delegated the duties of “Position Sensitivity Designator” to a subordinate VA employee in 2004. Memorandum of Interview by [redacted] (June 20, 2006) (attached as Ex. 2, Att. 18). This subordinate had no special skills, experience, or training to perform these duties. Her only understanding of this job was to sign the delegating official’s name whenever necessary to designate position sensitivity levels. Id. This untrained subordinate, however, never evaluated any security risk factors or the sensitivity level designation of any data analyst in the VA office where John Doe and Susan Krumhaus worked. Id.
As a direct result of this failure, as of the date of the theft, the BIRLS system of records had not been classified as a “mission critical system.” If it had been properly so classified, access would have been much more strictly controlled. VA OIG Rep’t at 35. Although Defendants admit that John Doe had, in fact, unfettered access to BIRLS, his VA Form 2280 (“Position Sensitivity Level Designation”) wrongly reflected that his position had only a “limited impact” on agency operations, which meant that he was not permitted to access BIRLS pursuant to applicable federal standards. Id. at 34. The untrained “Position Sensitivity Designator” thus failed to identify and act to correct this glaring discrepancy. In fact, Defendants did not maintain any tracking of background checks of any employees accessing Privacy Act records in John Doe’s work group. McLendon Test. at 82. As a result, a number of John Doe’s co-workers with similar data access privileges had no suitability determinations or proper access authorization. Id.

J. Defendants Ignored Mandatory Requirements for Information Safeguards

Public Law 106-398, as codified at 44 U.S.C. § 3534, requires Defendants to implement information security for information systems that support VA operations. This includes: (1) periodic assessments of the risk and magnitude of harm that could result from the unauthorized access and use of that information; and (2) policies and procedures that are based on those risk assessments. Defendants did not comply with those requirements. Further, Defendants failed to heed years of warnings of lax security from their own Inspector General and outside agencies, such as the Government Accountability Office. See Nicholson House Test. at 9 (“Ever since 1999, the VA has gotten low marks from the [Inspector General] on its information and cyber security programs. Last year the GAO flunked the VA on its cyber security system.”).
In fact, Defendant Nicholson reportedly met only once with Pedro Cadenas, Associate Deputy Assistant Secretary for Cyber and Information Security, the VA official responsible for implementing VA and other federal requirements for safeguarding Privacy Act records, during Cadenas’ entire three-year tenure at VA. See UPI “Chief Information Security Officer At VA Resigns on Principle” (July 5, 2006) (attached as Ex. 12). Defendants ignored specific recommendations by Mr. Cadenas to address Privacy Act safeguards issues. Sworn Testimony of Pedro Cadenas, Jr., Associate Deputy Assistant Secretary for Cyber and Information Security, to OIG Investigators (May 24, 2006) (“Cadenas Test.”) (attached as Ex. 2, Att. 19) at 11-14 (he was “not allowed to do our job”). Thus, no improvements in security safeguards could be implemented, since Mr. Cadenas had no authority to implement them. Id. at 12 (no authority “to execute or enforce” safeguards or controls). Remarkably, Defendants’ bureaucratic infighting subverted specific procedures developed through Mr. Cadenas’ efforts. This is because the procedures were kept in draft form, in some cases for years, without any resolution of the outstanding issues obstructing implementation. One example of Defendants’ obstruction was their failure to approve VA Directive 6500, which required VA compliance with the 2002 Federal Information Security Management Act (“FISMA”). See, e.g., Memorandum re Review of VA Directive 6500, Information Security Program (Jan. 23, 2004) (rejecting key portions of proposed VA Directive 6500) (attached as Ex. 13). Even though drafts of the procedure had been available since at least 2003, the Directive and the security requirements therein languished for years awaiting Defendants’ approval. Id.; see also Cadenas Test. at 11. After the theft, of course, Defendants promptly approved Directive 6500 on August 4, 2006. See VA Directive 6500 Transmittal Sheet (Aug. 4, 2006) (attached as Ex.
14) (replacing VA Directive 6210 dated January 30, 1997, “with a policy which establishes the criteria for the Department-wide information security program.” (emphasis added)). Thus, prior to August 2006, there were no VA information security program criteria. This failure to implement the required safeguards directly impacted the VA’s ability to detect, mitigate, and possibly prevent the theft. According to Mr. Cadenas: “There are technologies today that would have allowed me to implement applications out there that would have raised a flag in near real time that says, hey, I got a guy who’s downloading the entire database.” Cadenas Test. at 13. In addition, controls “to ensure at least privilege and accountability . . . are periodically monitored and updated to reflect changes in the level of authorization, authorized access or termination” were also removed. Id. at 14. Sadly, years of willful neglect of the VA’s information safeguards cannot be quickly reversed. Infighting continues: even though Defendant Nicholson promised Congress that the VA would become the “gold standard” of information security, Dr. Joseph Francis, VA Acting Deputy Chief Research and Development Officer, subsequently informed his staff that they did not need to do their best in complying with Congress’ request for information regarding VA storage of sensitive personal data. The Hill “‘Whistleblower’ Secretly Records VA Official Avowing Defiance of Congress” (Jan. 11, 2007) (attached as Ex. 15). As if to prove Dr. Francis correct, just a month later, Defendants again were forced to report a huge loss of veterans’ personal data, this time because a VA employee who had encryption software on his laptop did not use it. See GOVEXEC.com “VA Loses Sensitive Information On 1.3 Million Doctors” (Feb. 12, 2007) (attached as Ex. 16).

K. The VA OIG Report: Hardly the Last Word

On July 12, 2006, the VA OIG issued its report on the May 3, 2006, event. Defendant Nicholson expressly agreed with the report’s findings and conclusions. See VA OIG Rep. at vii (“The Secretary agreed with the findings and recommendations”). The report, however, is a whitewash in many respects. Not a single statement is cited or referenced to any of the myriad of underlying documents or testimony. Further, the report conveniently omits damaging matters, such as when the OIG investigators were specifically told by VA employees of the Austin, Texas, data center that the current Federal Register notice describing the BIRLS database did not accurately describe the contents of the database and would not inform millions of individuals that VA had their personal information. Sworn Testimony of [redacted] Chief, Veterans Records Support Division, to OIG Investigators (June 6, 2006) (“Chief Test.”) (attached as Ex. 2, Att. 20) at 29-31; Sworn Testimony of [redacted], Director, VBA Development Center, to OIG Investigators (June 7, 2006) (“VBA Director Test.”) (attached as Ex. 2, Att. 21) at 21, 23-24. Moreover, the sworn testimony of persons knowledgeable about the relevant issues here raises numerous and substantial questions of material fact left unaddressed or ignored by Defendants’ moving papers. See generally Plaintiffs’ Statement of Genuine Issues. Not only have Defendants failed to address these issues, they also gloss over actual facts by relying on the VA OIG summarized report rather than the first-hand knowledge of relevant witnesses. Given what Plaintiffs set forth above, this tactic should fail.

APPLICABLE LAW

I. STANDARDS FOR MOTIONS TO DISMISS AND SUMMARY JUDGMENT

A complaint should not be dismissed unless the “plaintiff can prove no set of facts in support of his claim which would entitle him to relief.” Browning v. Clinton, 292 F.3d 235, 242 (D.C. Cir.
2002) (quoting Conley v. Gibson, 355 U.S. 41, 45-46 (1957)). When deciding a motion to dismiss, a court must “accept the plaintiff’s factual allegations as true and construe the complaint liberally, ‘granting plaintiffs the benefit of all inferences that can be derived from the facts alleged.’” Id. at 235 (quoting Kowal v. MCI Communications Corp., 16 F.3d 1271, 1276 (D.C. Cir. 1994)). Defendants bear the heavy burden of showing that it is beyond doubt that no set of facts would entitle Plaintiffs to relief. See In re Swine Flu Immunization Prod. Liab. Litig., 880 F.2d 1439, 1442 (D.C. Cir. 1989); Scarborough v. Natsios, 190 F. Supp. 2d 5, 16 (D.D.C. 2002). As discussed in the following sections, Plaintiffs can prove an abundance of facts entitling them to relief. A motion for summary judgment shall be granted only if the pleadings, depositions, answers to interrogatories, admissions on file, and affidavits show that there is no genuine issue of material fact, and that the moving party is entitled to judgment as a matter of law. Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 247 (1986); Fed. R. Civ. P. 56(c). In considering a motion for summary judgment, the “evidence of the non-movant is to be believed, and all justifiable inferences are to be drawn in his favor.” Id. at 255; see also Wash. Post Co. v. U.S. Dep’t of Health and Human Servs., 865 F.2d 320, 325 (D.C. Cir. 1989). The non-moving parties’ opposition must be supported by affidavits or other competent evidence setting forth facts showing that there is a genuine issue for trial. Fed. R. Civ. P. 56(e); Celotex Corp. v. Catrett, 477 U.S. 317 (1986). A “dispute over a material fact is ‘genuine’ if ‘the evidence is such that a reasonable jury could return a verdict for the nonmoving party.’” Arrington v. United States, 473 F.3d 329, 333 (D.C. Cir. 2006).
The Court, however, “must assume the truth of all statements proffered by the party opposing summary judgment,” except for wholly conclusory statements unsupported by any competent evidence. Greene v. Dalton, 164 F.3d 671, 674-75 (D.C. Cir. 1999); Dickerson v. SecTek, Inc., 238 F. Supp. 2d 66, 73 (D.D.C. 2002).

II. THE PRIVACY ACT

The Privacy Act of 1974, as amended and codified at 5 U.S.C. § 552a (“Privacy Act”), gives federal “agencies detailed instructions for managing their records.” Doe v. Chao, 540 U.S. 614, 618 (2004). The Privacy Act defines a “record” as “any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to . . . his name, or the identifying number, symbol, or other identifying particular assigned to the individual.” 5 U.S.C. § 552a(a)(4). The act further defines “a system of records” as “a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.” The private personal information at the center of this litigation constitutes “records” and is contained in a “system of records” under the Act. Congress also provided “various sorts of civil relief to individuals aggrieved by failures on the Government’s part to comply with the requirements.” Chao, 540 U.S. at 618. Civil remedies under the Privacy Act are specified in 5 U.S.C. § 552a(g)(1). In particular, this section states that “[w]henever any agency . . . fails to comply with any other provision of this section or any rule promulgated thereunder, in such a way as to have an adverse effect on an individual, the individual may bring a civil action against the agency.” Id. § 552a(g)(1)(D). In any suit brought under the provisions of [5 U.S.C.
§ 552a(g)(1)(D)] in which the court determines that the agency acted in a manner which was intentional or willful, the United States shall be liable to the individual in an amount equal to the sum of -
(A) actual damages sustained by the individual as a result of the refusal or failure, but in no case shall a person entitled to recovery receive less than the sum of $1,000; and
(B) the costs of the action together with reasonable attorney fees as determined by the court.
Id. § 552a(g)(4).

Specific “Agency Requirements” are described in 5 U.S.C. §§ 552a(b), (e). In particular:

Conditions of disclosure. - No agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains, unless disclosure of the record would be -
(1) to those officers and employees of the agency which maintains the record who have a need for the record in the performance of their duties; . . .
(3) for a routine use as defined [in the Privacy Act]; [and] . . .
(5) to a recipient who has provided the agency with advance adequate written assurance that the record will be used solely as a statistical research or reporting record, and the record is to be transferred in a form that is not individually identifiable.
5 U.S.C. §§ 552a(b)(1), (3), (5) (emphasis added).

The Privacy Act further states:

Agency Requirements - Each agency that maintains a system of records shall -
(1) maintain in its records only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required to be accomplished by statute or by executive order of the President; . . .
(4) subject to the provisions of [5 U.S.C.
§ 552a(e)(11)], publish in the Federal Register upon establishment or revision a notice of the existence and character of the system of records, which notice shall include: (A) the name and location of the system; (B) the categories of individuals on whom records are maintained in the system; . . . (D) each routine use of the records contained in the system, including the categories of users and the purpose of such use; (E) the policies and practices of the agency regarding storage, retrievability, access controls, retention, and disposal of the records; . . .
(5) maintain all records which are used by the agency in making any determination about any individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure fairness to the individual in the determination; . . .
(9) establish rules of conduct for persons involved in the design, development, operation, or maintenance of any system of records, or in maintaining any record, and instruct each such person with respect to such rules and the requirements of this section, including any other rules and procedures adopted pursuant to this section and the penalties for noncompliance;
(10) establish appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained; [and]
(11) at least 30 days prior to publication of information under [5 U.S.C. § 552a(e)(4)(D)], publish in the Federal Register notice of any new or intended use of the information in the system, and provide an opportunity for interested persons to submit written data, views, or arguments to the agency.
Id. §§ 552a(e)(1), (4), (5), (9), (10), (11) (emphasis added).

III.
ADMINISTRATIVE PROCEDURE ACT

Separate and apart from the Privacy Act, the Administrative Procedure Act (“APA”) provides for judicial review of federal agency actions and inactions. The APA empowers a federal court to review a “final agency action for which there is no other adequate remedy in a court.” Nat’l Ass’n of Home Builders v. U.S. Army Corps of Eng’rs, 417 F.3d 1272, 1278 (D.C. Cir. 2005) (quoting 5 U.S.C. § 704). The APA provides that a “person suffering legal wrong because of agency action within the meaning of a relevant statute, is entitled to judicial review thereof.” 5 U.S.C. § 702; see, e.g., Kaufman v. Gonzalez, 2006 U.S. Dist. LEXIS 40885, at *17. Equally important, judicial review of an agency’s failure to act is available under the APA because a reviewing court is empowered to “compel agency action unlawfully withheld or unreasonably delayed.” 5 U.S.C. § 706(1). A claim pursuant to 5 U.S.C. § 706(1) can proceed “where a plaintiff asserts that an agency failed to take a discrete agency action that it is required to take.” Norton v. SUWA, 542 U.S. 55, 64 (2004) (emphasis in original). Thus, an individual who can demonstrate that the challenged actions or inactions “have harmed him or that he personally would benefit in some tangible manner from the court’s intervention in the controversy” has sufficient “injury-in-fact” to litigate his claims under the APA. Public Citizen v. Lockheed Aircraft Corp., 565 F.2d 708, 714 (D.C. Cir. 1977) (citing Schlesinger v. Reservists Committee to Stop the War, 418 U.S. 208, 220-22 (1974)). Further, “[a]n association may seek relief . . . as a representative of its members if those members would have standing if they themselves brought suit.” Id. (citing Warth v. Seldin, 422 U.S. 490, 511 (1975)). Declaratory relief against future unauthorized disclosure of a plaintiff’s personal information is an available remedy. See, e.g., Doe v.
Stephens, 851 F.2d 1457, 1467 (D.C. Cir. 1988) (finding plaintiff entitled to an order prohibiting VA from disseminating medical records pursuant to a routine use exception declared invalid).

ARGUMENT

Defendants’ moving papers substitute unsupported rhetoric in place of actual facts and legal argument. Defendants, however, cannot avoid their admitted Privacy Act violations and must be held accountable before this Court. At the least, the material facts in genuine dispute at this early stage of litigation require denial of Defendants’ flawed summary judgment motion, as well as denial of their motion to dismiss.

I. THE MOTION TO DISMISS IS WITHOUT BASIS

Defendants’ dismissal arguments are canned and generic, typically employed in suits seeking governmental accountability. Plaintiffs’ allegations are hardly “conclusory” or lacking in “sufficient facts,” as they plainly satisfy Federal Rules of Civil Procedure 8 (“Rule 8”) and 12 (“Rule 12”), as well as the requirements for standing. In the end, as other courts have concluded before, “the government’s argument is too facile.” McCready v. Principi, 297 F. Supp. 2d 178, 194 (D.D.C. 2003). The Court should, therefore, deny Defendants’ Motion to Dismiss.

A. The Complaint Fully Complies With Rule 8

Defendants’ complaint about a lack of allegation “detail” lies not with Plaintiffs but with the Federal Rules of Civil Procedure. Rule 8 states that a complaint must include only “a short and plain statement of the claim showing that the pleader is entitled to relief.” Fed. R. Civ. P. 8(a)(2); Swierkiewicz v. Sorema, 534 U.S. 506, 512 (2002); Sparrow v. United Air Lines, 216 F.3d 1111, 1114 (D.C. Cir. 2000). Rule 8 is explicit that “[e]ach averment of a pleading shall be simple, concise and direct.” Fed. R. Civ. P. 8(e); Sparrow, 216 F.3d at 1114.
The “statement must simply ‘give the defendant fair notice of what the plaintiff’s claim is and the grounds upon which it rests.’” Swierkiewicz, 534 U.S. at 512 (quoting Conley v. Gibson, 355 U.S. 41, 47 (1957)). A “requirement of greater specificity for particular claims is a result that ‘must be obtained by the process of amending the Federal Rules, and not by judicial interpretation.’” Id. at 515 (quoting Leatherman v. Tarrant County Narcotics Intelligence & Coordination Unit, 507 U.S. 163, 168-69 (1993)). Employing the same generic “lack of detail” argument as here, the government has roundly failed to obtain dismissals in other Privacy Act cases. In Krieger v. Fadely, 211 F.3d 134 (D.C. Cir. 2000), the District of Columbia Circuit rejected the same Rule 12(b)(6) arguments Defendants have raised here. Id. at 136. Reversing the district court’s conclusion that “it did not have to take as true legal conclusions cast as factual allegations when deciding a Rule 12(b)(6) motion,” the Circuit Court ruled:

Rule 8(a)(2) of the Federal Rules of Civil Procedure requires only a ‘short and plain statement of the claim for relief.’ Factual detail is unnecessary. . . . The complaint claimed that ‘records’ concerning [plaintiff] were wrongfully disclosed, which necessarily means that information in records had been revealed. True, this does not give much detail, but complaints ‘need not plead law or match facts to every element of a legal theory.’ . . . In short, [plaintiff’s] Privacy Act count alleged the essential elements of his claim and put the government on notice. Nothing more was required to survive a motion to dismiss for failure to state a claim.

Krieger, 211 F.3d at 136-37 (citing Bennett v. Schmidt, 153 F.3d 516, 518-19 (7th Cir. 1998)) (emphasis added) (internal citations omitted). Defendants fail to disclose, much less distinguish, this controlling authority.
This is particularly troublesome since in this context the government was previously taken to task because it did “not respond to plaintiff’s argument based on Krieger.” Tripp v. Department of Defense (“Tripp”), 193 F. Supp. 2d 229, 237 (D.D.C. 2002); see also Tripp, 219 F. Supp. 2d 85, 90 (D.D.C. 2002) (statements in complaint were “no less detailed than the statement approved in Krieger” and “plaintiff does not need to allege her Privacy Act claims with any further specificity” to put Defendants “on notice.”). Defendants’ demonstrably failed arguments for dismissal here are indistinguishable from those in Krieger.

Plaintiffs’ Complaints contain two claims: “Violation of the Administrative Procedure[] Act” (“APA Claim”) and “Violation of the Privacy Act” (“Privacy Act Claim”). VVA Compl. at 13, 14; Rosato Compl. ¶ 1; Hackett Am. Compl. at 11. The VVA APA Claim includes allegations that “VA has repeatedly demonstrated an inability or unwillingness to implement, or callous disregard for, fundamental procedures to provide minimally acceptable safeguards for the personal and private information in its possession,” id. ¶ 56; see Rosato Compl. ¶ 45; see Hackett Am. Compl. ¶ 3, and that “Defendants’ actions and inactions in failing to safeguard Plaintiffs’ private information were arbitrary, capricious, and otherwise not in accordance with law.” Id. ¶ 58; Rosato Compl. ¶ 47. Further, Plaintiffs alleged that VA “caused Plaintiffs’ adverse effects by failing to observe the procedures required by law for disclosure of private information,” id. ¶ 30; see Rosato Compl. ¶ 24; Hackett Am. Compl. ¶¶ 6, 23-26, and that Defendant Nicholson “failed to ensure” that “processes, policies, and procedures,” “including, but not limited to VA Handbook 6300.5, ‘Procedures for Establishing and Managing Privacy Act System of Records,’” were “adequately implemented.” Id. ¶ 38; see Rosato Compl. ¶ 36.
These allegations were incorporated into the APA Claim. Id. ¶ 55; Rosato Compl. ¶ 44. Finally, Plaintiffs alleged that they “suffered, and continue to suffer, harm as a result of Defendants’ actions and from actions improperly withheld or unreasonably delayed,” id. ¶ 59; Rosato Compl. ¶ 48; see Hackett Am. Compl., Prayer for Relief, which entitles Plaintiffs “to equitable relief.” Id. ¶ 60; Rosato Compl. ¶ 49; see Hackett Am. Compl., Prayer for Relief. Plaintiffs’ APA Claim cannot reasonably be read as anything other than alleging the “essential elements” of such a cause of action, and it put Defendants on notice of a claim of legal wrong regarding agency compliance with the requirements implementing the Privacy Act’s safeguards.

Plaintiffs’ Privacy Act Claim could not be more straightforward. Plaintiffs alleged that “Defendants violated the Privacy Act,” VVA Compl. ¶ 62; see Rosato Compl. ¶¶ 50, 52; Hackett Am. Compl. ¶¶ 36, 38, that the violations were “intentional and willful,” id. ¶ 63; Rosato Compl. ¶ 52; Hackett Am. Compl. ¶¶ 2, 38, and that “Defendants’ Privacy Act violations caused Plaintiffs adverse effects.” Id. ¶ 64; see Rosato Compl. ¶ 39; see Hackett Am. Compl. ¶¶ 23-26. Plaintiffs further alleged a number of specific Privacy Act violations. Id. ¶¶ 29-39; Rosato Compl. ¶¶ 16-29. These allegations included, inter alia, “not obtaining written consent of Plaintiffs . . . before disclosing” Plaintiffs’ personal information, id. ¶ 29; see Rosato Compl. ¶ 24, “failing to observe the procedures required by law for disclosure of private information,” id. ¶ 30; see Rosato Compl. ¶¶ 22, 24, “disclosing, or allowed disclosure of [Plaintiffs’ personal information] to officials and employees who did not have a need for such records and information,” id. ¶ 31; Rosato Compl. ¶ 25; see Hackett Am. Compl. ¶ 36, and “failing to establish or implement appropriate administrative, technical, physical safeguards.” Id. ¶ 37; see Rosato Compl.
¶ 16; see Hackett Am. Compl. ¶ 38. These allegations, individually and certainly taken together, are more than equivalent to the “records concerning [plaintiff] were wrongfully disclosed” allegation that the Court of Appeals found sufficient in Krieger. The plaintiffs in the Hackett case clearly allege disclosure in violation of 5 U.S.C. § 552a(b). For example:

John Doe, a data analyst and long-time VA employee, had removed VA files containing private personal information of more than 28.5 million veterans and active duty personnel from the VA facility and taken it to his home. John Doe then copied the files onto his computer and/or external disks . . . John Doe had been removing the data from the VA facility for a period of three years in a practice expressly or implicitly ratified by the VA. John Doe’s access to and duplication of this information was a disclosure in violation of 5 U.S.C. § 552a(b) and the result of Defendants’ willful and intentional failure to establish appropriate safeguards to ensure the security and confidentiality of veteran and active duty personnel records and to protect against any anticipated threats or hazards to the security and integrity of these records in violation of 5 U.S.C. § 552a(e)(10).

Hackett Am. Compl. ¶¶ 18, 19. Moreover, by virtue of their 400+ page filing, Defendants remove all doubt as to their thorough understanding of Plaintiffs’ claims. Even presuming Defendants were unclear as to the nature of Plaintiffs’ claims, the proper remedy was a motion for a more definite statement under Rule 12(e), not a motion to dismiss. Defendants had over five months to file such a motion, but clearly had no need to do so. Accordingly, Plaintiffs’ allegations fully satisfy Rule 8 and Rule 12. The Court, therefore, should deny Defendants’ Motion to Dismiss.

B. All Plaintiffs Have Standing

1.
Individual Plaintiffs Have Standing Under the Privacy Act

It has long been established that “standing in no way depends on the merits of the plaintiff’s contention that particular conduct is illegal.” Warth v. Seldin, 422 U.S. 490, 500 (1975). “The actual or threatened injury required by Art. III may exist solely by virtue of statutes creating legal rights, the invasion of which creates standing. Essentially, the standing question in such cases is whether the constitutional or statutory provision on which the claim rests properly can be understood as granting persons in the plaintiff’s position a right to judicial relief.” Id. at 500. To uphold Defendants’ challenge to Plaintiffs’ standing, therefore, the Court must first find, as a matter of law, that the Privacy Act is not a “statute[] creating legal rights” protective of individuals whose personal information is maintained by the government. See Chao, 540 U.S. at 618 (Congress provided “various sorts of civil relief to individuals aggrieved by failures on the Government’s part to comply with the [Act’s] requirements.”). Defendants do not seriously suggest this, nor should the Court countenance such a patently absurd result.

Each individual Plaintiff alleged violation of legal rights protected by the Privacy Act. All of the named Plaintiffs are United States military veterans. VVA Compl. ¶¶ 14, 15, 16, 17; Rosato Compl. ¶¶ 11-13; Hackett Am. Compl. ¶¶ 2, 9-10. Plaintiffs further alleged both Defendants’ general violation of the Privacy Act, id. ¶ 62; Rosato Compl. ¶ 47; Hackett Am. Compl. ¶¶ 35-36, and specific violations. Id. ¶¶ 30-39; Rosato Compl. ¶¶ 49, 50, 52; Hackett Am. Compl. ¶¶ 25-26. Plaintiffs likewise alleged general “adverse effects” and “actual damages” as a result of Defendants’ “intentional or willful” Privacy Act violations, id. ¶¶ 63, 64, 66; Rosato Compl. ¶¶ 48, 50, 52; Hackett Am. Compl. ¶ 26, and specific harm. Id.
¶ 65 (specifying “fear of identity theft, corruption of their credit files, and plundering of bank accounts and retirement accounts”); see also Rosato Compl. ¶¶ 32, 35, 38; Hackett Am. Compl. ¶¶ 23-26. In this way, Plaintiffs fairly “alleged actual or threatened injury required by Art. III” existing “by virtue of” the Privacy Act. Indeed, several of the named plaintiffs have incurred actual out-of-pocket expenses for credit monitoring at the behest of the VA. Hackett Case, E.D. Ky. Doc. No. 3 ¶ 26; Affidavit of Paul Lewis Hackett III (Mar. 27, 2007) (attached as Ex. 22) ¶ 10. The Supreme Court specifically anticipated that such expenses should be sufficient to satisfy the Privacy Act’s requirements. See Chao, 540 U.S. at 626 n.10 (noting that expenses such as running a credit report or purchasing a valium would likely satisfy the requirement to demonstrate actual damages). Nothing more is required to sustain an action in this Court.

2. Individual and Organizational Plaintiffs Have Standing Under the APA

Plaintiffs also have standing to challenge Defendants’ actions and inactions pursuant to the APA.5

5 Note that the Hackett Complaint does not seek APA relief.

The APA provides that a “person suffering legal wrong because of agency action within the meaning of a relevant statute, is entitled to judicial review thereof.” 5 U.S.C. § 702; see, e.g., Kaufman v. Gonzalez, 2006 U.S. Dist. LEXIS 40885, at *17. The APA authorizes judicial review of final agency actions “for which there is no other adequate remedy in a court.” 5 U.S.C. § 704. Further, “judicial review of an agency’s failure to act is available under the APA.” Kaufman, at *17; 5 U.S.C. § 706(1). Moreover, when a plaintiff “seeks declaratory and injunctive relief in addition to damages, the Privacy Act does not provide an ‘adequate remedy.’” Radack v. United States Department of Justice, 402 F. Supp. 2d 99, 104 (D.D.C.
2005) (citing Transohio Savings Bank v. Office of Thrift Supervision, 967 F.2d 598, 608 (D.C. Cir. 1992)). Each of the individual Plaintiffs seeks declaratory and injunctive relief for harm allegedly arising from Defendants’ conduct in failing to comply with their own Privacy Act implementing procedures and other relevant mandatory requirements. VVA Compl., Prayer for Relief ¶¶ (a)-(e); Rosato Compl., Prayer for Relief ¶¶ a-e. As in Radack, Plaintiffs have separate and distinct claims against Defendants (i.e., an “APA Claim” and a “Privacy Act Claim”). As discussed above, Plaintiffs’ Privacy Act Claim is based on specific violations of that statute, e.g., failure to safeguard, illegal disclosure, etc., and Plaintiffs’ separate APA Claim is based on Defendants’ violations of their own policies, procedures, and guidelines. “It therefore cannot be said that [Plaintiffs’] claim ‘duplicates existing procedures for review of an agency action.’” Radack, 402 F. Supp. 2d at 104 (quoting Bowen v. Massachusetts, 487 U.S. 879, 903 (1988)). Thus, the individual named Plaintiffs have standing pursuant to the APA, as well as the Privacy Act.

Defendants correctly note that organizations do not have standing to pursue Privacy Act suits. Defs.’ Mem. at 20. This is of no import, however, as the named organizations plainly have standing under the APA to represent members otherwise entitled to litigate individual claims. “It has long been settled that ‘[e]ven in the absence of injury to itself, an association may have standing solely as the representative of its members.’” Int’l Union, United Automobile, Aerospace and Agricultural Implement Workers of America v. Brock, 477 U.S. 274, 281 (1986) (citing Warth, 422 U.S. at 511).
An organization has standing to sue on behalf of its injured members where: “(1) one or more of the organization’s members would otherwise have standing to sue in their own right; (2) the interests the organization seeks to protect are germane to the organization’s purposes; and (3) an individual member’s participation in the lawsuit is not required.” National Wildlife Federation v. Burford, 835 F.2d 305, 311 (D.C. Cir. 1987) (citing Hunt v. Washington Apple Advertising Comm’n, 432 U.S. 333, 343 (1977)). Only a single member need have a litigable claim to confer standing on an organization. National Wildlife Federation v. Agricultural Stabilization and Conservation Service, 955 F.2d 1199, 1203 (8th Cir. 1992) (citing Bowen v. Kendrick, 487 U.S. 589, 620 n.15 (1988)) (where “one plaintiff establishes standing to sue, the standing of other plaintiffs is immaterial.”); see also Price v. Pierce, 823 F.2d 1114, 1118 (7th Cir. 1987) (“it is enough, to give us jurisdiction over the case, if one of the plaintiffs has standing”) (citing Sec’y of Interior v. California, 464 U.S. 312, 319 n.3 (1984)).

Each organizational Plaintiff has members who are veterans of the United States military. Vietnam Veterans of America, Inc. (“VVA”), VVA Compl. ¶ 9, Citizen Soldier, Inc., id. ¶ 10, Radiated Veterans of America, Inc., id. ¶ 12, and Veterans For Peace, Inc., id. ¶ 13, explicitly alleged so in the Complaint. In addition, these organizations have submitted affidavits further establishing the basis for their standing in this matter. See Rowan Aff. (VVA) ¶¶ 13-14; Affidavit of Thomas ‘Tod’ Ensign (Mar. 19, 2007) (Citizen Soldier) (attached as Ex. 17) ¶¶ 5-7; Clark Aff. (Radiated Veterans of America) ¶ 11; Affidavit of Michael McPhearson (Mar. 20, 2007) (Veterans for Peace) (attached as Ex. 18) ¶¶ 5-7. Plaintiff National Gulf War Resource Center, Inc.
(“NGWRC”) also has a basis for representational standing in this case as a coalition of veterans’ organizations, each of which has one or more veteran members who could have brought suit individually. Affidavit of Paul Davidson (Mar. 20, 2007) (NGWRC) (attached as Ex. 19) ¶¶ 5-9. Finally, to the extent Defendants’ assertion that “the nature of [Plaintiff organizations’] claims is such that they fail to meet the third prong of the Hunt test” has any relevance, Defendants failed to consider Plaintiffs’ APA Claim and the equitable relief sought therein. A plain reading of the Complaint shows that Plaintiffs (including the organizations) seek “equitable relief” for Defendants’ APA violations. VVA Compl. ¶ 60; see also VVA Compl., Prayer for Relief ¶¶ (a)-(e) (seeking various equitable relief); Rosato Compl., Prayer for Relief ¶¶ a-e (same). “Neither these claims nor the relief sought require the District Court to consider the individual circumstances of any aggrieved [organization] member.” Int’l Union v. Brock, 477 U.S. 274, 287 (1986). Plaintiffs’ APA Claim “raise[s] a pure question of law” regarding Defendants’ conduct. See id. (finding standing for organization seeking equitable relief for members); see also Hunt v. Washington State Apple Advertising Comm’n, 432 U.S. 333, 343 (1977) (granting association standing to pursue equitable relief and noting that “in all cases in which we have expressly recognized standing in associations, the relief sought has been of this kind”). Thus, there is no legal or factual basis to deny the named organizations standing in this matter.

In sum, all Plaintiffs have standing in this matter and the Court should deny Defendants’ arguments to the contrary.

C.
Plaintiffs Alleged Injury In Fact and Causation

Contrary to Defendants’ assertions, the correct legal standard at the motion to dismiss stage is whether Plaintiffs have alleged an “adverse effect” from Defendants’ conduct.6 The “adverse effect” reference in 5 U.S.C. § 552a(g)(1)(D) “acts as a term of art identifying a potential plaintiff who satisfies the injury-in-fact and causation requirements of Article III standing, and who may consequently bring a civil action without suffering dismissal for want of standing to sue.” Chao, 540 U.S. at 624. Thus, “an individual subjected to an adverse effect has injury enough to open the courthouse door.” Id. at 624-25 (emphasis added). Plaintiffs comprehensively and adequately alleged “adverse effects” from Defendants’ Privacy Act violations and, therefore, satisfy this straightforward requirement. See, e.g., VVA Compl. ¶¶ 29-40; see also Rosato Compl. ¶¶ 16-39; Hackett Am. Compl. ¶¶ 6, 23-26, 28-29. These plain allegations require no “unwarranted inferences” by the Court. See Defs.’ Mem. at 19. Thus, Plaintiffs have alleged “injury enough to open the courthouse door” and there is no legal basis for “dismissal for want of standing to sue.” Chao, 540 U.S. at 624-25.

6 Although Plaintiffs have also plainly alleged harm and damages arising from Defendants’ conduct, Doe makes it clear that these allegations are not properly considered in a Rule 12 motion to dismiss, but only under consideration of a Rule 56 motion for summary judgment.

D. Plaintiffs’ APA Claim Satisfies Rule 12

1. Plaintiffs Challenged Final Agency Action

Defendants also wrongly assert that Plaintiffs did not challenge any specific agency action. The APA empowers a federal court to review a “final agency action for which there is no other adequate remedy in a court.” 5 U.S.C. § 704.
The APA defines an “agency action” as “the whole or a part of an agency rule, order, license, sanction, relief, or the equivalent or denial thereof.” The Fund For Animals v. U.S. Bureau of Land Management, 460 F.3d 13, 19 (D.C. Cir. 2006); 5 U.S.C. § 551(13). This list is expansive and is “meant to cover comprehensively every manner in which an agency may exercise its power.” Id. (quoting Whitman v. Am. Trucking Ass’ns, Inc., 531 U.S. 457, 478 (2001)). To be final, an action need not be “the last administrative [action] contemplated by the statutory scheme.” Role Models America, Inc. v. White, 317 F.3d 327, 331 (D.C. Cir. 2003) (quoting Envtl. Def. Fund, Inc. v. Ruckelshaus, 439 F.2d 584, 590 n.8 (D.C. Cir. 1971)). “Rather, the question is whether the agency has ‘imposed an obligation, denied a right, or fixed some legal relationship.’” Id. (quoting Meredith v. Fed. Mine Safety and Health Review Comm’n, 177 F.3d 1042, 1047 (D.C. Cir. 1999)). All of the categories of “agency action” involve “circumscribed, discrete agency actions, as their definitions make clear: ‘an agency statement of . . . future effect designed to implement, interpret, or prescribe law or policy’ (rule).” Norton v. Southern Utah Wilderness Alliance, 542 U.S. 55, 62 (2004) (emphasis added). The Supreme Court also made clear that “failure to act” is “properly understood as a failure to take an agency action - that is, a failure to take one of the [defined] agency actions.” Id. (emphasis in original). A “failure to act” is, therefore, the “omission of an action without formally rejecting a request - for example, the failure to promulgate a rule” (i.e., a failure to implement, interpret, or prescribe law or policy). Id. at 63. Further, the Norton Court made clear that the “only agency action that can be compelled under the APA is action legally required.” Id. (emphasis in original). “Thus, a claim under [5 U.S.C.]
§ 706(1) can proceed only where a plaintiff asserts that an agency failed to take a discrete agency action that it is required to take.” Id. at 64 (emphasis in original). Plaintiffs satisfy this two-part test.

2. Plaintiffs Alleged Specific Violations

Plaintiffs do not merely “challenge, and seek to impose judicial control over, the VA’s general compliance with the Privacy Act safeguards (and other) provisions,” as Defendants suggest. Defs.’ Mem. at 29. To the contrary, Plaintiffs alleged that the VA caused Plaintiffs harm by “failing to observe the procedures required by law for disclosure of private information.” VVA Compl. ¶ 30; Rosato Compl. ¶ 24; Hackett Am. Compl. ¶ 36. Further, “VA has repeatedly demonstrated an inability or unwillingness to implement, or callous disregard for, fundamental procedures to provide minimally acceptable safeguards.” Id. ¶ 56 (emphasis added); Rosato Compl. ¶ 45; Hackett Am. Compl. ¶ 38. Plaintiffs also alleged that Defendant Nicholson failed to ensure VA’s “processes, policies, and procedures were adequately implemented,” “including, but not limited to VA Handbook 6300.5, ‘Procedures for Establishing and Managing Privacy Act Systems of Records.’” Id. ¶ 38 (emphasis added); Rosato Compl. ¶ 36. Plaintiffs, therefore, identified a discrete agency action (compliance with its own policies and procedures) that VA was required to take. This is fully compliant with the APA and Norton. Thus, Defendants’ assertion fails. See Defs.’ Mem. at 29.

3. Plaintiffs Alleged Injury From Defendants’ APA Violations

Plaintiffs alleged that Defendants’ failure to abide by these processes, policies, and procedures (i.e., the final agency actions) caused Plaintiffs adverse effects, harm and damages. VVA Compl.
¶ 37 (“VA flagrantly disregarded Plaintiffs’ privacy and caused Plaintiffs’ adverse effects by failing to establish or implement appropriate administrative, technical, and physical safeguards”); ¶ 39 (“Defendant Nicholson flagrantly disregarded Plaintiffs’ privacy and caused Plaintiffs’ adverse effects by failing to establish and ensure lawful compliance by his subordinates with appropriate administrative, technical, and physical safeguards”); ¶ 58 (“Defendants’ actions and inactions in failing to safeguard Plaintiffs’ private information were arbitrary, capricious, and otherwise not in accordance with law”); ¶ 59 (“Plaintiffs suffered and continue to suffer, harm as a result of Defendants’ actions and from actions improperly withheld or unreasonably delayed”); see Rosato Compl. ¶¶ 22, 25-27, 34-35, 37, 38; Hackett Am. Compl. ¶¶ 25-26 (“As a direct and proximate result of Defendants’ acts and omissions, Plaintiffs have been exposed to a risk of substantial harm and inconvenience, and have incurred actual damages in purchasing comprehensive credit reports and/or monitoring of their identity and credit.”). Nothing more is required by Rule 8 or Rule 12.

E. Plaintiffs’ Privacy Act Claim Satisfies Rule 12

Defendants’ arguments regarding Plaintiffs’ Privacy Act allegations ignore the plain language in the Complaints. Of particular note, Defendants ignore their own definition of “disclosure” under the Privacy Act, which is directly applicable to Plaintiffs’ allegations. And this basic failure is fatal to Defendants’ arguments.

1. Plaintiffs Adequately Alleged Intentional and Willful Behavior

Defendants assert that “plaintiffs make no allegations from which one could reasonably infer that any of the myriad alleged failures to act resulted from anyone’s ‘flagrant disregard’ of ‘others’ rights under’ the Privacy Act.” Defs.’ Mem. at 42-43. But Plaintiffs plainly alleged that “Each of Defendants’ violations of the Privacy Act was intentional or willful.” VVA Compl.
¶ 63; Hackett Am. Compl. ¶¶ 2-4, 13, 14, 19, Prayer for Relief (“. . . Defendants’ acts and omissions constitute a willful and intentional failure . . .”). Moreover, Defendants’ admission that the Complaint(s) contain “myriad alleged failures to act,” Defs.’ Mem. at 42, defeats their own argument. This is because an agency’s failure to make any effort to safeguard the privacy interests of individuals constitutes a willful or intentional violation of the Privacy Act. Romero-Vargas v. Shalala, 907 F. Supp. 1128 (N.D. Ohio 1995). An agency’s failure to comply with its own established policy is willful and intentional conduct. White v. Office of Pers. Mgmt., 840 F.2d 85, 87 (D.C. Cir. 1988) (emphasis added). Plaintiffs made no fewer than eleven allegations alleging that Defendants “flagrantly disregarded” Plaintiffs’ privacy rights. VVA Compl. ¶¶ 3, 29-37, 39; Rosato Compl. ¶¶ 3, 24-27, 37; Hackett Am. Compl. ¶¶ 2-3. Each of these allegations was incorporated into the Privacy Act Claim and included in the violations Plaintiffs alleged were “intentional or willful.” In addition, Plaintiffs explicitly alleged that Defendants’ failure to “correct known vulnerabilities of VA’s safeguards” were “intentional or willful violations of the Privacy Act,” id. ¶ 26, Rosato Compl. ¶ 23, Hackett Am. Compl. ¶¶ 2-3, and Defendants’ failure to “establish and maintain adequate information security” was “an intentional and willful failure to observe procedures required by law.” Id. ¶ 37; Rosato Compl. ¶ 8; Hackett Am. Compl. ¶ 3. Plaintiffs are at a loss regarding how to more directly allege intentional and willful violations by Defendants. Perhaps Defendants’ assertions arise from ignoring the appropriate standard for “intentional or willful” Privacy Act violations.
“The standard does not require the official to set out purposely to violate the Act; if the standard were so viewed, damages would be a rare remedy indeed.” Tijerina v. Walters, 821 F.2d 789, 799 (D.C. Cir. 1987) (emphasis added). Rather, “the standard is viewed as only somewhat greater than gross negligence.” Id. at 799 (quoting Analysis of House and Senate Compromise Amendments to the Federal Privacy Act, reprinted in 120 Cong. Rec. 40405-06); Schmidt v. U.S. Dep’t of Veterans Affairs, 218 F.R.D. 619, 633-35 (E.D. Wis. 2003) (lack of computer security and reliance upon training alone determined to present a genuine issue of fact as to whether VA intentionally and willfully violated 5 U.S.C. § 552a(e)(10)). Thus, the Act “imposes liability where the agency ‘commit[s] the act without grounds for believing it to be lawful [or] flagrantly disregard[s] others’ rights under the Act.’” Id. (quoting U.S. v. Albright, 732 F.2d 181, 189 (D.C. Cir. 1984)). Thus, Plaintiffs do not have to allege Defendants had a specific intent to violate the Privacy Act, as Defendants argue. Moreover, Defendants confuse the standard under Rule 12 with the standard for factual proof at trial. A requirement to “prove” damages is obviously not appropriate in resolving a motion to dismiss. All that Plaintiffs must do to avoid dismissal is identify one allegation that “permits the inference” of an “intentional or willful” violation as defined in Tijerina. Plaintiffs need not make a “showing” of proof. Compare, e.g., Browning, 292 F.3d at 242 (plaintiffs receive the benefit of all factual inferences), with Defs.’ Mem. at 42 (Plaintiffs must make “a showing” of intentional or willful acts). And as already noted, Plaintiffs’ allegations go well beyond mere inference to explicit allegations of Defendants’ intentional or willful Privacy Act violations. The Court, therefore, should deny the motion to dismiss on this ground.

2. Plaintiffs Alleged Multiple Unauthorized Disclosures

In addressing the allegations of unauthorized disclosure, Defendants misapply the term “disclosure,” and instead carefully invent a definition to suit their arguments.

a. No Disclosure Needed for Safeguards Violations

As an initial matter, violations of the Privacy Act safeguards requirements do not require an actual “disclosure.”

Each agency . . . shall . . . establish appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained.

5 U.S.C. § 552a(e)(10). Further, whenever any agency “fails to comply with any provision of this section, or any rule promulgated thereunder, in such a way as to have an adverse effect on an individual, the individual may bring a civil action.” Id. § 552a(g)(1)(D) (emphasis added). Thus, for the sake of argument, Plaintiffs’ Privacy Act Claim is unaffected whether or not a “disclosure” was properly alleged or occurred.

b. Defendants Ignored the Government’s Own Definition of “Disclosure”

Defendants hope to persuade the Court that an explicit definition of the term “disclosure” does not exist. See Defs.’ Mem. at 43-47. This is simply not true.

A disclosure may be either the transfer of a record or the granting of access to a record.

PRIVACY ACT GUIDELINES - July 1, 1975, Implementation of Section 552a of Title 5 of the United States Code, 40 Fed. Reg. at 28,953 (emphasis added). Further,

The phrase ‘by any means of communication’ [in 5 U.S.C. § 552a(b)] means any type of disclosure (e.g., oral disclosure, written disclosure, electronic or mechanical transfers between computers of the contents of a record).

Id. (emphasis added).
Finally, an agency is authorized to disclose a record only “when it deems that disclosure to be appropriate and consistent with the letter and intent of the [Privacy] Act and these guidelines.” Id. (emphasis added). Devoid of any explanation, the government failed to disclose its own definition or explanatory statements to the Court here. This definition of over 30 years eliminates wholesale the ad hoc and self-serving “common sense” definitions suggested by Defendants. Defs.’ Mem. at 45. Further, the 1975 definition explicitly contradicts Defendants’ “expose to view” or “to make known or public” criteria. Defs.’ Mem. at 45.

c. John Doe’s Access to and Transfer of Plaintiffs’ Records Was Unauthorized Disclosure

Therefore, when viewed in the proper definitional light, Defendants’ challenges to the allegations fail for lack of any basis. And thus, contrary to Defendants’ contention, “[r]emoving electronic records stored on digital media from a building and carrying the media home,” Defs.’ Mem. at 45, most certainly does constitute a Privacy Act “disclosure” since it represents a “transfer of a record” and “electronic or mechanical transfers between computers.” 40 Fed. Reg. at 28,953. “Disclosure” also properly encompasses the granting of access to a record. Id. And since an agency is authorized to disclose a record only when that disclosure is “appropriate and consistent with the letter and intent of the [Privacy] Act and these guidelines,” id., improper granting of employee access to Privacy Act records or the granting of access for a purpose not authorized by the Privacy Act constitutes an unauthorized disclosure. Thus, John Doe’s access to the Privacy Act records stolen on May 3, 2006, regardless of whether thieves subsequently accessed those records, constituted one or more disclosures in violation of the Privacy Act.
John Doe “had not received a security background check for approximately 32 years,” VVA Compl. ¶ 27, yet he had access to VA “information pertaining to approximately 26.5 million persons.” Id. ¶ 20; Rosato Compl. ¶ 17. In addition, Plaintiffs specifically challenged John Doe’s and others’ access to Plaintiffs’ information. VVA Compl. ¶ 4 (Defendants failed to safeguard “the trove of the personally identifiable information from unauthorized disclosure” and Defendants “allowed millions of citizen[s’] private information to be surreptitiously disclosed to unknown individuals for unknown purposes.” (emphasis added)); Hackett Am. Compl. ¶¶ 22-26. Clearly, Plaintiffs’ allegations are sufficient to place Defendants on notice of the claims of unauthorized disclosure to John Doe and nothing more is required. Swierkiewicz, 534 U.S. at 512. And as set out above, the “transfer of a record,” specifically including “electronic or mechanical transfers between computers,” is a disclosure under the Privacy Act. Here, John Doe’s “laptop computer and data storage device or devices contained a copy of a collection or grouping of information pertaining to approximately 26.5 million persons,” including military veterans and their spouses. VVA Compl. ¶ 20 (emphasis added); Rosato Compl. ¶ 17; Hackett Am. Compl. ¶¶ 18-19. Further, John Doe “routinely took sensitive private information, including [Plaintiffs’ information], home since at least 2003.” Id. ¶ 27 (emphasis added); Hackett Am. Compl. ¶ 19. To collect 26.5 million VA Privacy Act records on his personal laptop and storage devices in his home, John Doe necessarily had to “transfer” those records and would have had to make a number of “electronic or mechanical transfers between computers” to do so. Thus, it is not reasonably disputed that a “transfer of a record” and “transfers between computers” were alleged and occurred.

d. Additional Disclosure(s)

Defendants’ argument that Defendants’ loss of control over the Privacy Act records of every living veteran was not a disclosure ignores the letter and intent of the Act. Plaintiffs plainly alleged that such an unauthorized disclosure occurred. See VVA Compl. ¶ 21 (“The [May 3, 2006] incident was the largest unauthorized disclosure of Social Security information ever.”); Rosato Compl. ¶ 6; Hackett Am. Compl. ¶¶ 2-6. The theft was plainly a “transfer” of the records. 40 Fed. Reg. at 28,953. Further, John Doe was a VA employee and the lost information was VA Privacy Act records. VVA Compl. ¶ 20; Rosato Compl. ¶ 17; Hackett Am. Compl. ¶¶ 15-18. A straightforward analysis yields a “disclosure” pursuant to the government’s own definition. Defendants, however, obfuscate matters claiming the theft cannot be “intentional and willful” conduct by Defendants and that “acts of theft by a third party are not ordinarily considered ‘disclosures.’” Defs.’ Mem. at 46-47. This situation, however, is far from “ordinary” for several reasons. Defendants ignore that “intentional and willful” includes behavior “slightly greater than gross negligence.” See, e.g., Tijerina, 821 F.2d at 799. Next, Defendants ignore their duty to safeguard Plaintiffs’ Privacy Act records from “transfer” to unauthorized persons or for unauthorized purposes. 5 U.S.C. § 552a(e)(10); 40 Fed. Reg. at 28,953. And Plaintiffs have alleged that Defendants “intentionally or willfully” failed in that duty. See, e.g., VVA Compl. ¶¶ 4, 39; Rosato Compl. ¶ 8; Hackett Am. Compl. ¶¶ 3, 14, 38. Thus, though Defendants did not actually intend for the theft to occur, their “slightly greater than gross negligence” underlies and readily set the stage for the theft to occur. Thereby, the result is an unauthorized disclosure. At the very least, this is a factual issue that cannot be decided on a motion to dismiss.
Moreover, the gist of Defendants’ argument is an absurd catch-22 crafted to avoid accountability under the Privacy Act. That an actual theft of Privacy Act records absolves an agency from liability where the agency’s own failures to comply with the Privacy Act set the stage for the theft to occur fails under its own weight. This argument, if adopted, would result in federal agencies being immune from liability and responsibility for the most egregious Privacy Act violations.

3. Defendants’ Remaining Assertions of Failure to State a Claim Must Fail

Defendants further challenge the legal sufficiency of Plaintiffs’ allegations of violations of various Privacy Act provisions, including: accounting, 5 U.S.C. § 552a(c)(1), maintenance of information, id. § 552a(e)(1), information collection, id. § 552a(e)(2), publication of Privacy Act notices, id. § 552a(e)(4), and accuracy of information, id. § 552a(e)(6). Defs.’ Mem. at 48-53. To the extent that Defendants’ challenges to any of these allegations are based on a lack of “an antecedent disclosure,” see, e.g., id. at 48, the challenge must fail as Plaintiffs have properly alleged improper “disclosure,” as discussed in detail above. Further, these arguments also fail for the reasons previously discussed above.7 Plaintiffs clearly alleged that John Doe’s “laptop computer and data storage device or devices contained a copy of a collection or grouping of information pertaining to approximately 26.5 million persons (the “Personal Information”).” VVA Compl. ¶ 20 (emphasis added); Rosato Compl. ¶ 17; Hackett Am. Compl. ¶ 18. Plaintiffs further alleged that “VA . . . fail[ed] to keep or maintain an accurate accounting of the disclosures of the Personal Information.” Defs.’ Mem. at 49 (quoting VVA Compl. ¶ 32; Rosato Compl. ¶ 26). Similarly, Plaintiffs alleged that the VA “assembl[ed] and maintain[ed] the Personal Information in a system of records although the information was not relevant and necessary to accomplish a purpose required by statute or by executive order.” VVA Compl. ¶ 33 (emphasis added); Rosato Compl. ¶ 27. Indeed, every allegation relevant to the Privacy Act provisions cited by Defendants explicitly identifies the “Personal Information” assembled by John Doe as the system of records or database in question. See id. ¶¶ 27-37. Indeed, the Complaint contains reference to no other information. Defendants again attempted to create confusion where none exists.

7 As before, Defendants fail to recognize the irony of flailing at Plaintiffs for supposedly failing to provide sufficient factual “detail,” while at the same time withholding from Plaintiffs the information containing the “details” they seek.

4. Non-Pecuniary Damages Are Allowable

Defendants make much of the courts’ “split over the suitability of non-pecuniary damages as a basis for damages under the Act.” Defs.’ Mem. at 54. Because of this “split,” Defendants assert that the Court must dismiss this case. In support of this position, however, Defendants proffer yet another tired, failed argument that has been repeatedly rejected by the Courts of this Circuit. The Circuit Court of Appeals for the District of Columbia Circuit has not ruled on the issue of whether the Privacy Act recognizes only pecuniary (i.e., out-of-pocket expenses) damages, so the split in other jurisdictions has limited, if any, relevance to this case. Further, this Court has already stated that “exactly what qualifies as ‘actual damages’ is a matter that [Chao, 540 U.S. at 626 n.10] expressly left open for development at the circuit level.” Memorandum Order, Rice v. United States (June 15, 2004) (Robertson, J.). Thus, notwithstanding Defendants’ arguments, there is no legal bar in this Circuit to Plaintiffs pursuing a claim based on non-pecuniary damages.
The Court, therefore, need not consider the issue further on a motion to dismiss.8 In any event, it is not necessary for the Court to resolve this issue in order to deny Defendants’ motion. The pleadings allege, and there is support in the record, that many thousands of veterans, including several of the named plaintiffs, incurred actual, pecuniary, out-of-pocket expenses as a direct result of the disclosures at issue in this case. See Hackett Case, E.D. Ky. Doc. No. 3 ¶ 26 and Doc. No. 18, Exs. J and K. Accordingly, regardless of whether or how the Court resolves Defendants’ argument, their motion must be denied. Further, Defendants admit that their opposition to the availability of non-pecuniary damages has been repeatedly rejected by this Court and other coordinate courts. “[I]t is clear that the recent trend at District Court level has been to allow Privacy Act suits seeking general compensatory damages, such as pain and suffering and non-pecuniary losses, to proceed.” Montemayor v. Federal Bureau of Prisons, 2005 U.S. Dist. LEXIS 18093 (citing Boyd v. Snow, 335 F. Supp. 2d 28, 39 (D.D.C. 2004))9; Rice v. United States, 211 F.R.D. 10, 13-14 (D.D.C. 2002) (Robertson, J.); Alexander v. FBI, 971 F. Supp. 603, 607 (D.D.C. 1997); Dong v. Smithsonian Inst., 943 F. Supp. 69, 74 (D.D.C. 1996), rev’d on other grounds, 326 125 F.3d 877 (D.C. Cir. 1997). Indeed, the only cases in this circuit limiting damages to actual out-of-pocket expenses were decided more than 20 years ago. See Pope v. Bond, 641 F. Supp. 489, 501 (D.D.C. 1986); Albright v. United States, 558 F. Supp. 260, 264 (D.D.C. 1982); Houston v. U.S. Dept. of Transportation, 494 F. Supp. 24, 30 (D.D.C. 1979). Similarly, the Fifth Circuit case relied upon by Defendants, Johnson v. DOT, 700 F.2d 971 (5th Cir. 1983), is more than two decades old. Finally, although this Circuit has not explicitly ruled on the issue, it “agree[d] with the appellants’ argument that emotional trauma alone is sufficient to qualify as an ‘adverse effect’ under Section 552a(g)(1)(D) of the Act” and has not ruled out the possibility that “non-economic injuries or damages other than out-of-pocket expenses” could constitute actual damages. Albright, 732 F.2d at 186. Thus, to the degree there is a “split” in the courts on this issue, no such split exists in this circuit, and non-pecuniary injuries suffice for Privacy Act suits. Defendants’ only response to the overwhelming case law is that the Privacy Act should be read “narrowly” to limit damages to actual pecuniary expenses. Defs.’ Mem. at 55. Defendants have not, however, provided any reason for this Court to reverse twenty years of case law rejecting this argument by every district court in this Circuit. The Court should “not find that rationale persuasive and [should] follow the lead of the most recent cases in this jurisdiction.” Montemayor, 2005 WL 3274508 at *5; see also Rice, 211 F.R.D. at 13-14 (finding emotional trauma sufficient for trial on the merits). The Court should make clear that the best way for Defendants to limit their damages is to comply with the Privacy Act. In summary, Defendants have identified no legal basis upon which the Court could find a dismissal warranted pursuant to Rule 12. The Court, therefore, should deny Defendants’ Motion to Dismiss in its entirety.

8 Individual Plaintiffs have, in any event, submitted affidavits alleging substantive emotional harm. See Clark Aff. ¶¶ 7-9; Cline Aff. ¶¶ 12-14; Malone Aff. ¶¶ 11-13; Rowan Aff. ¶¶ 10-11.

9 By way of illustration of the consistent recognition of non-pecuniary damages in the courts of this circuit, the Boyd court allowed the plaintiff to attempt to prove actual damages at trial based on “alleged emotional trauma” even though the disclosure at issue was a rebuttal to an employment performance evaluation. Boyd, 335 F. Supp. 2d at 26. At the very least, it is safe to say that the potential emotional trauma arising from threatened identity theft is at least as palpable and reasonable a response as that in Boyd. Plaintiffs here deserve an equal opportunity to prove their actual damages.

F. Plaintiffs Consent To Dismissal Of Their Bivens Claims At This Juncture Without Prejudice To Their Right To Seek Leave To Refile Such Claims If Warranted By Subsequent Discovery

In the Rosato and Hackett Complaints, Plaintiffs pled Bivens claims premised on the clearly established constitutional right to privacy as alternative theories to their Privacy Act claims. Defendants argue that, to the extent the conduct complained of is remediable under a comprehensive statutory scheme such as the Privacy Act, the courts have held that this Court should not create a “new” Bivens claim. See, e.g., Chung v. U.S. Dept. of Justice, 333 F.3d 273, 274 (D.C. Cir. 2003). At this juncture, Plaintiffs’ claims are based solely upon publicly available information. They have not been permitted to conduct discovery or otherwise attempt to challenge the official line on precisely what led to the disclosure of millions of confidential records. As noted elsewhere, Defendants’ motion for summary judgment is largely premised on press releases and investigative summaries rather than admissible evidence. Accordingly, as to these Bivens claims, Plaintiffs are prepared to accept, solely for purposes of pleading at this juncture, Defendants’ acknowledgment that the failures and other conduct that caused the disclosures at issue in this case are within the ambit of the Privacy Act such that they do not warrant the creation of a new Bivens claim. See Doc. 9 at 53.
By implication, however, Defendants have thus conceded that Plaintiffs state a cognizable claim under the Privacy Act. Otherwise, it would be wholly illogical and inconsistent to claim, as Defendants do, that the conduct complained of is governed by a comprehensive remedial scheme sufficient to supplant Plaintiffs’ recourse to constitutional tort claims. Accordingly, subject to their right to seek leave to reassert such claims if warranted following discovery, Plaintiffs consent to the dismissal, without prejudice, of their Bivens claims. Plaintiffs’ position in this regard is consistent with both the right to dismiss without prejudice prior to ruling on a motion to dismiss and the axiom that any such dismissal should be with leave to amend or refile. See, e.g., U.S. ex rel. Totten v. Bombardier Corp., 286 F.3d 542, 552-53 (D.C. Cir. 2002).

III. THE MOTION FOR SUMMARY JUDGMENT SHOULD BE DENIED

With or without the hearsay upon which it is based, Defendants’ summary judgment motion fails. In what follows, Plaintiffs raise genuine issues of fact regarding virtually every matter presented by Defendants. Moreover, on many issues Plaintiffs make a showing suggesting Defendants’ clear liability.

A. Defendants’ Purported “Facts” Are Largely Inadmissible

Contrary to Rule 56(c), Defendants did not identify any admissible evidence underlying the majority of the purported facts relied upon in support of their motion. Instead of admissible evidence, Defendants ask this Court to accept press releases, hearsay, double hearsay, and unsupported legal conclusions by Defendants’ Inspector General as the basis for terminating this action before any inquiry into the merits. As fully discussed in “Plaintiffs’ Motion to Strike Exhibits 1, 4, 5 and 6 To Defendants’ Motion To Dismiss Or, In The Alternative, For Summary Judgment” (Mar. 13, 2007), the Court should exclude the improper information from consideration.

B. The Motion for Summary Judgment Is Exceedingly Premature

Although they rely on hearsay and self-serving pronouncements to support their summary judgment motion, Defendants possess a plethora of underlying factual information regarding the material issues raised in this litigation to which Plaintiffs do not have access. As described in the VA OIG Report and more fully in “Plaintiffs’ Rule 56(f) Motion For Discovery” (Mar. 2, 2007), Defendants possess most, if not all, of the material factual information in this case. Whatever the basis for Defendants’ avoidance of this material in their moving papers, Plaintiffs are entitled to a fair opportunity to review it before responding to Defendants’ summary judgment motion. Federal Rule 56(f) and fundamental fairness require that the Court not force Plaintiffs to oppose a summary judgment motion based on hearsay and unsupported innuendo when relevant, admissible and potentially dispositive evidence not only exists, but is possessed only by Defendants.

C. Defendants Illegally Disclosed Privacy Act Files To John Doe

At the outset, Defendants cannot credibly contest a key issue: John Doe was not approved pursuant to VA processes and procedures to access the agency’s Privacy Act records in the manner and to the extent he has already admitted under oath. John Doe testified that he routinely and openly physically accessed and transferred massive files of Privacy Act records, even though his approved security “level” authorized him only to access a single record at a time and only to screen print a single record at a time. See, e.g., VBAVACO Email. Defendants’ own official confirmed John Doe’s limited access authorization at least as early as May 19, 2006. Id. Defendants’ assertions of “authorization” to this Court ignore the actual facts of John Doe’s access to Privacy Act records.

1. John Doe’s Authorized Access Was Extremely Limited

Based on facts presently known to Plaintiffs (as contrasted with the untraceable hearsay offered by Defendants), John Doe routinely accessed Privacy Act files and records for which he was not authorized by the VA. In response to a specific VA OIG question of whether John Doe had “access to all files and information contained in the BIRLS database,” which contained over 26.5 million Privacy Act records, the responding VA official stated:

[John Doe] has access to BINQ, which is the BIRLS inquiry command. He can only inquiry/read BIRLS records and not modify or manipulate records. He only has sensitive [sic] level ‘0’ (zero) access. As such, he can only view veterans records but none in the sensitive file . . . He cannot copy or download BIRLS records to other files or his PC except by screen snapshots, i.e., screen prints, one record at a time.

VBAVACO Email at 1 (emphasis added). This statement was bolstered by OIG interviews.

Q. What types of accesses did [John Doe] have?
A. Actually he had limited access. He had access to the survey through my ACRS form, the - I believe that’s the survey of veterans, and the other cost accounting code - not cost code, but other code was for VHA patient data. . . .
Q. Did he ever request access to the BIRLS?
A. Not through me.

IT Specialist Test. at 11-13 (emphasis added). Thus, on May 19, 2006, Defendants’ own records establish that John Doe was authorized only to view or save one BIRLS record at a time. Moreover, John Doe’s sworn testimony establishes that not only was he aware of his restrictions, but he was frustrated with his limited, one record at a time, authorized access. Doe June 16 Test. at 21-22 (access VA granted was “useless” because he had “thousands of people to look for” and he was “not going to do them one by one.”); see also id. at 103 (“we were extremely frustrated in trying to get this file.
We were - we were really - there was a lot of foot-dragging.”). With the complicity of the VA’s Susan Krumhaus and Dat Tran, John Doe simply ignored the restriction and found an unauthorized way to get the BIRLS files he wanted. Doe May 17 Test. at 69-70; Doe June 16 Test. at 21-22 (VA authorizing officials “were trying to put us off, and we knew it was baloney because there was this ongoing file that was prepared every quarter for Susan Krumhaus.” Dat Tran suggested that “we’ll do it that way.”).

Q. Well, how about [John Doe] when [John Doe] got involved with the [NSV] project? Did you have to sign off for him to get access to BIRLS?
A. No. I just - I gave him this information, and I said would he check and see if that was still out there, and he told me it was, and I just asked him to look at it and see if there was useful information for the sample surveys. . . .
Q. But you didn’t give him specific permission - you didn’t have to give him specific permission to go to that BIRLS file?
A. No. I just handed him the information I had . . .

Krumhaus Test. at 21 (emphasis added). Acting without authorization and, indeed, in spite of a denial of authorization, John Doe obtained the ability to, and did, download massive amounts of Privacy Act records files and saved them to his personal hard drives, DVDs, CDs, and memory stick. Doe May 17 Test. at 21-22; Doe June 16 Test. at 39. John Doe later transferred the files of the Personal Information he removed from the VA workspace on the various media onto an external hard drive. Id. In addition, on April 20, 2006, John Doe reported to Dat Tran that he had copied “the April BIRLS extract file,” which “contains 26,503,436 records,” from his “C:\ drive” to a VA shared drive. Email from John Doe to Dat Tran re “April 2006 BIRLS extract file” (April 20, 2006) (attached as Ex. 2, Att. 22) (“It took about forty minutes to copy the file from my C:\ drive to the V:\drive.” (emphasis added)).10 Eliminating any doubt about the source of the files, John Doe stated that “I had downloaded the [BIRLS] data from the mainframe at Austin.” Doe May 17 Test. at 9 (emphasis added). In addition, John Doe admitted that the BIRLS file he accessed was “a quarterly extract prepared under an agreement between Susan Krumhaus and” the Austin office. Id. (emphasis added). Further, John Doe reported copying the file to the “Sensitive Data” directory on the VA Policy & Planning system. Id. (“The April 2006 BIRLS extract file is at V:\Policy & Planning\Sensitive Data\BIRLS APR 2006 (RAW)\birls_combo.”). According to Defendants’ own records, however, John Doe was explicitly not authorized to do any of these functions with or to BIRLS Privacy Act records. Thus, Defendants’ conclusory assertion that John Doe was authorized to perform the types and volumes of file transfers that resulted in Plaintiffs’ records being stolen from his home is untrue, as it ignores sworn testimony and their own records. The same is true of Defendants’ assertion that John Doe “properly had access to the information at issue.” Defs.’ Mem. at 59. In addition to the above, none of Defendants’ affiants even claim that John Doe was “authorized” to transfer these massive BIRLS records. Nor do Defendants explain how John Doe, with only a Level “0” clearance, was able to (1) copy the BIRLS files from his computer and (2) copy the records to a “Sensitive Data” folder, neither of which is allowed at his clearance level. Nevertheless, Defendants would have this Court rely on a single conclusory statement in the VA OIG Report.
Defendants also failed to submit a single document, form, or even an application establishing John Doe had been approved by anyone for any access to “large VA databases.” Surely, if John Doe’s access was “authorized” there must be some record of it, or, at a minimum, some VA official could so testify. But Defendants submitted nothing. Thus, at this juncture, if anything, it is indisputable that John Doe was not authorized to access and transfer Plaintiffs’ BIRLS records en masse to any computer or media, much less his personal media. Such transfers of records to or by John Doe were, therefore, “disclosures” for purposes of the Privacy Act and the Court is compelled to so find. At a minimum, access authorization is plainly an issue of fact for trial. Tellingly, the foregoing illustrates - as opposed to what Defendants submit here - why Rule 56 requires admissible evidence. Here, with no discovery yet allowed, Plaintiffs have presented evidence that Defendants’ statement was actually false. But this was possible only because Plaintiffs happened to possess the particular rebutting evidence. Accordingly, the Court should carefully consider any weight given to Defendants’ remaining assertions.

10 John Doe also admitted to transferring a similar BIRLS file to his personal external hard drive and a host of DVDs and CDs. See, e.g., Doe May 17 Test. at 19-22. Further, Doe stated that “I don’t think I took the entire C&P mini home, but I could have. I could have.” Id. at 27.

2. Defendants Conflate Privacy Act Authorization With Agency Need

The foregoing also highlights Defendants’ penchant for conflating “authorization” to access Privacy Act records with a professed “need” to perform a work task. The former is governed by Defendants’ duty to safeguard individuals’ privacy according to the requirements of the Privacy Act, while the latter is established by the VA, in its discretion, to address the needs of the agency.
A determination that an agency task - no matter how valid or urgent - requires use of (i.e., access to) Privacy Act records is a necessary, but not a sufficient, predicate for records access. Indeed, the very purpose of the Privacy Act is to protect the privacy of individuals. Public Law 93-579 § 2(a)(5). Defendants fail to recognize, or intentionally confuse, this fundamental distinction.

3. The Facts Also Refute Defendants’ Task Authorization Claims

Even if John Doe had been “authorized” (i.e., had a need for Privacy Act records) to perform some agency tasks, Defendants fail to identify any agency need for John Doe’s self-described “fascination project,” which is central to this case. Defendants vaguely attempted to justify two “things” (i.e., tasks) that John Doe was purportedly authorized by his supervisors to do with “large VA databases.” Defs.’ Mem. at 59. But nowhere in Defendants’ declarations, see Tran Decl.; Moore Decl., did the individuals even suggest that this project was authorized. In fact, those declarations repeatedly and explicitly disclaim: (1) any supervisory authority over John Doe at all; (2) specific authorization of any John Doe work tasks; or (3) knowledge of John Doe’s “fascination project.” For his part, John Doe stated that he “reported mainly to Susan Krumhaus” and that Mr. Moore was only his “supervisor of record for things like approving leave and whatnot.” Doe May 17 Test. at 3. Yet again, Defendants torture a few words in the VA OIG Report far beyond any underlying supporting evidence. The first “thing” (i.e., task) Defendants assert John Doe was authorized to perform was to “identify the veterans who had been exposed to mustard gas.” Defs.’ Mem. at 59. The “evidence” the Defendants rely upon for this “authorization” was that the task was purportedly assigned by “one of his managers.” Id. (citing VA OIG Rep’t at 6; Tran Decl. ¶¶ 3-4.).
The second and only other “thing” John Doe was purportedly authorized to do was to “try to determine the reliability of the NSV for 2001.” Id. Defendants offer nothing to support this assertion other than a post hoc statement attributed to a “second-tier supervisor” characterizing the task as “a legitimate work effort.” Id. (citing VA OIG Rep’t at 6). Amazingly, neither of the individuals alleged to be John Doe’s supervisors state in their declarations that they authorized either of these “things.” Indeed, neither of the declarations contains the term “authorize.” See generally, Tran Decl., Moore Decl. Perhaps this is because of Mr. Moore’s sworn testimony to OIG investigators:

Q. So what projects was [John Doe] working on?
A. Well, I do not know. Dat [Tran] handled that.

Sworn Testimony of Michael Moore, Acting Director, Policy Analysis Services, to OIG Investigators (May 18, 2006) (“Moore Test.”) (attached as Ex. 2, Att. 23) at 4 (emphasis added). Or perhaps it is because John Doe stated that his “basis for pulling data from the BIRLS file” was that his “office mate, Joe Salvatore” asked him to help on the mustard gas task, not because any VA supervisor assigned him the work. Doe May 17 Test. at 10-11. Further, sworn testimony also contradicts Defendants’ contention that any supervisor or VA official “would have” authorized tasks involving John Doe removing Privacy Act records to his home if they had known about it. Contrary to Defendants’ attribution to Mr. McClendon of a statement that John Doe was performing a “legitimate work effort,” Defs.’ Mem. at 59, Mr. McLendon told the OIG Investigators (under oath) that I just - it just would be inconceivable to me that anybody would take something like that home . . . it is just unbelievable that he would do something like that. There’s just no reason why anybody would do that. . . . I mean, it just makes absolutely no sense, no sense.
I can’t - you know, other than a national emergency, you know, I cannot conceive of any circumstances where anybody in our staff needs to take that kind of stuff home. McLendon Test. at 63-64. Mr. Moore stated “I’m not aware of people taking files home. So it was very surprising to me, people were doing that. . . . So it’s extremely surprising, if not shocking, that’s what happened.” Moore Test. at 19-20. Mr. Tran agreed, stating that it “was poor judgment” to “take the data home.” Sworn Testimony of Dat Tran, Acting Director, to OIG Investigators (May 22, 2006) (“Tran May 22 Test.”) (attached as Ex. 2, Att. 24) at 109. As to the Tran and Moore Declarations, they do not even support an inference that they “authorized” any John Doe work task. Mr. Tran states only that he “utilized the services” of John Doe and “recommended” that another VA employee do the same. Tran Decl. ¶¶ 2, 3. Mr. Moore appears to have even less familiarity with John Doe, stating only that he “became aware of the general nature of the work” of Mr. Doe. Moore Decl. ¶ 2. In addition, Mr. Moore clearly ducked any responsibility for any of John Doe’s work stating, “It was expected that Mr. Doe would plan and execute his assignments independently” and that “[n]ew assignments” “were self-initiated” by Mr. Doe. Id. ¶ 5. Even the VA OIG Report states that “Mr. Tran wrote a short statement for VA management noting that [John Doe’s] action was self-initiated, and not at the direction of [VA] management.” VA OIG Rep’t at 7 (emphasis added). None of these statements, or any combination thereof, provides the slightest support for Defendants’ “fact” that any VA supervisor or official had even the remotest idea of what John Doe was doing with the agency’s Privacy Act records. As to any purported assignment “by one of his project managers,” Defendants also relied on the OIG Report and the Tran Declaration. The OIG Report states that Mr.
Tran “assigned the [mustard gas] project to [John Doe],” VA OIG Rep’t at 6, but there is, of course, no citation to support this assertion. However, the report further states:

Part of the issue of who knew what concerning the work of [John Doe] was that it was not clear who actually supervised him. For example, in a recent memorandum from Mr. Tran, he makes the point that even though [John Doe] stated that he was his supervisor, he was not. Mr. Tran said that they were colleagues and that Mr. Michael Moore performs the supervisory functions of [John Doe]. While Mr. Moore is the employee’s first-line supervisor, he admitted that he had no idea what projects [John Doe] was assigned, nor did he have any understanding of the size or contents of the databases with which [John Doe] routinely worked.

VA OIG Rep’t at 6 (emphasis added). Regardless, Mr. Tran testified that he never gave any such assignment: “I have not given [John Doe] any assignments yet to use the BIRLS.” Tran May 22 Test. at 91 (emphasis added). In addition, John Doe testified that the last time he worked on the mustard gas file at home was “in 2005,” Doe June 16 Test. at 166, so the mustard gas task is totally irrelevant to the May 3, 2006, event. Therefore, at most, the VA OIG Report is inconsistent in its characterization of Mr. Tran as John Doe’s supervisor and, even if he was, Mr. Tran is clear that he did not authorize John Doe for access to BIRLS. The Court, however, need not struggle with deciphering the OIG’s interpretation of the facts because Mr. Tran prepared and submitted a memorandum resolving the issue.

Various questions have arisen regarding my professional relationship with [John Doe] and whether or not I was [John Doe’s] supervisor. [John] and I have been professional colleagues within the Office of Policy and Planning for the past few years; however, I was not nor have I ever been his supervisor. . . .
Some of the questions that have been raised are set forth below, as are specific responses to those.

Were you the supervisor of [John Doe]?
No. I was, however, a consumer of the analytic product that he produced.

Memorandum from Dat Tran to Tom Bowman, George Opher, Tim McClain, Paul Huttler (Jun. 23, 2006) (attached as Ex. 2, Att. 25) at 1 (emphasis added) (bolding in original). The email from Mr. Tran containing this memorandum was, in turn, forwarded by Mr. Opher of OIG to no less than eight additional OIG personnel. A host of issues, therefore, remain. First, Mr. Tran could not possibly have “assigned” any task to John Doe since he was not his supervisor. Second, for reasons presently unknown, Mr. Tran felt compelled to issue a formal memorandum to, inter alia, the VA Chief of Staff, the VA Inspector General, and the VA General Counsel to memorialize that he was not John Doe’s supervisor. Yet, the OIG report still contains the demonstrably incorrect and explicitly renounced “fact” that Mr. Tran “assigned” John Doe any work tasks. Once again, Defendants’ reliance on the VA OIG Report is misplaced.

4. The “Fascination Project”

Moreover, Defendants completely ignored the single most relevant so-called “task” in this litigation. John Doe admitted that he was using the BIRLS, NSV, and C&P systems of records for a task of his own design that he referred to as his “fascination project.” Doe May 17 Test. at 19, 22-25, 30-31; see also Krumhaus Test. at 16 (no management approval, “just sort of brain-stormed” with John Doe). The “fascination project” involved stripping the anonymity from veterans who had provided personal information in confidence to VA for the 2001 NSV. Krumhaus Test. at 12 (“So we were just seeing if we could figure out who they were”).
The purpose of the “fascination project” was purely personal and was in response to criticism John Doe had received from co-workers for supposedly inaccurately analyzing NSV data. John Doe intended to use the system of records created in support of his “fascination project” to “prove” that it was the veterans’ responses, and not John Doe’s analyses, that were inaccurate. John Doe himself dispelled any rumors that his work on this project was authorized or in any way relevant to his work.

Q. What were you trying to do with this data?
A. Well, my goal was if we could figure out for the [anonymous NSV respondents] who they actually were, then we could tell from admin files, or at least let me - - let me be candid. That was my excuse. . . .

Doe May 17 Test. at 14 (emphasis added). Instead, John Doe was “personally interested in identifying those NSV vets.” Id. at 31. Further, “most of my supervisors would not have been aware of” the fascination project. Id. John Doe only “talked with Susan [Krumhaus]” “about the business with Westat” because “that’s how we got the 14,000 SSNs out of them.” Id. at 30. To facilitate the “fascination project,” John Doe was aided by his NSV project supervisor, Susan Krumhaus. After access was initially rejected, Krumhaus coerced the NSV contractor, Westat, Inc. (“Westat”), into providing Doe and Krumhaus thousands of SSNs of veterans who had provided personal information to Westat in confidence. Doe May 17 Test. at 12-13, 24-25, 30-31. Armed with the SSNs from Westat, John Doe identified individual veterans by comparing the SSNs and the NSV responses against the BIRLS and C&P records John Doe had transferred from Defendants’ computer systems. Defendants’ omission of any reference to the “fascination project” is particularly egregious, since it was described in detail to OIG investigators not only by John Doe, but also by Susan Krumhaus.
In addition, the “fascination project” has been covered in the media. In any event, no VA employee or supervisor, including Ms. Krumhaus, Mr. Tran, Mr. Moore, or even Mr. McLendon, admitted authorizing such a project, although Ms. Krumhaus was involved in obtaining Privacy Act records in support of it. Likewise, Mr. Tran stated that he did not even hear of the project until the OIG asked him about it. Tran May 30 Test. at 32. Further, Mr. Tran’s reaction was “just trying to understand . . . why would we do that?” Id.

I don’t know enough about that project to tell you if that’s ethical or unethical because I don’t know what they - they reverse or what they match. So I cannot comment on that because - yes, if the veterans did not give us their SSN, we have no right, in my opinion, to go back and try to find the SSN . . .

Tran May 30 Test. at 33-34. Thus, it is clear that not only did Mr. Tran not authorize the “fascination project,” he clearly would not have done so if asked. Defendants utterly failed to identify, much less submit, any documents or testimony even tangentially supporting a conclusion that John Doe’s “fascination project” was authorized by any VA official, statute, or executive order. Similarly, Defendants failed to provide any explanation of, or authorization for, Westat’s disclosure of Privacy Act documents in support of the “fascination project.” Any one of these issues raises numerous material issues of fact regarding improper access, improper disclosure(s), and improper use of Privacy Act records.11 Further, the “fascination project” reveals numerous improper Privacy Act record disclosures. The Privacy Act requires that personal information maintained by government agencies, including Defendant VA, only be disclosed (1) upon written authorization of the individual to whom the information pertains or (2) to persons who have been authorized to access the information pursuant to applicable regulations and procedures and then only for specified “routine” uses. 5 U.S.C. § 552a(b)(3). There is no evidence that John Doe had written permission from the individuals whose records he had transferred from the VA workspace, nor that he was authorized to access the BIRLS or C&P systems of records for routine uses pursuant to applicable regulations or procedures in effect on May 3, 2006, much less to copy that information wholesale for his own purposes.

11 Even an implication that John Doe’s actions were not within the scope of his employment will not save Defendants. When determining whether an employee is acting within the scope of his or her employment in the District of Columbia, Courts apply § 229 of the Restatement (Second) of Agency. CAIR v. United States of America, 444 F.3d 659, 663 (D.C. Cir. 2006). “To qualify as conduct of the kind he was employed to perform, the [defendant’s] actions must have either been ‘of the same general nature as that authorized’ or ‘incidental to the conduct authorized.’” Haddon v. United States, 68 F.3d 1420, 1422-23 (D.C. Cir. 1995) (quoting Restatement § 229). Courts in the District of Columbia have broadly applied this test. See, e.g., Johnson v. Weinberg, 434 A.2d 404, 409 (D.C. Cir. 1981) (a reasonable juror could find that a laundromat employee acted within the scope of employment when he shot a customer during a dispute over missing shirts); Lyon v. Carey, 533 F.2d 649, 652 (D.C. Cir. 1976) (jury reasonably found that a mattress deliveryman acted within scope of employment when he assaulted and raped a customer following a delivery related dispute); Brown v. Argenbright Security, Inc., 782 A.2d 752, 758 (D.C. Cir. 2001) (court rejects a general rule that all sexual assaults are categorically outside the scope of employment). Consequently, to the extent relevant, John Doe’s actions were within the scope of his employment.
Thus, each of the transfers to or from John Doe or Susan Krumhaus associated with the “fascination project” was illegal. See Pilon v. U.S. Dep’t of Justice, 73 F.3d 1111, 1121 (D.C. Cir. 1996) (“no support at all for Department’s interpretation of ‘disclose’” that would not “bar the unauthorized release of documents to persons already familiar with their contents.”).

D. Defendants’ Officials Admitted to Privacy Act Violations

Defendants’ public confessions for events of May 3, 2006, should, as a matter of law, dispose of Defendants’ summary judgment request. “There’s a lot to it, but I think if - if the question is, is it a Privacy Act violation, there’s no question. It is. Yes. It’s a Privacy Act violation.” McClain Test. at 6. “In this instance, it was clear - and the individual involved will clearly tell you that he knew . . . [t]he violation of the Privacy Act, absolutely.” Duffy May 18 Test. at 36 (emphasis added). “[W]e know virtually nothing about these people that have access to these enormous amounts of data - for example, this individual having the entire veterans’ file, one person [John Doe], who has not, to our knowledge, had a background check for 32 years.” Nicholson House Test. at 9 (emphasis added).12 If high level VA officials, including Defendant Nicholson, could form beliefs that the Privacy Act had been violated based upon the facts in this case, a “reasonable jury” could do so as well. Arrington, 473 F.3d at 333; Schmidt, 218 F.R.D. at 634-35.

12 The VA’s estimate of 40 hours to locate the access authorization documents for just three individuals in John Doe’s office in response to Plaintiffs’ FOIA Request indicates that whether or not Defendants “know” anything, they certainly do not use the information to verify access authorization. See Exs. 20, 21 (Plaintiffs’ Freedom of Information Act (“FOIA”) Request and VA Response thereto.).
Thus, based on these admissions, the Court has no basis upon which to find summary judgment appropriate.

E. Defendants Admitted to APA Violations

The VA OIG concluded that “VA policies did not sufficiently address safeguards for protecting information from loss or theft when the information does not reside in a VA automated system.” VA OIG Rep’t at 32 (emphasis added).

VA did not have sufficient policies and procedures in place to prevent [the May 3, 2006] data loss incident, or any other such incident, that would have involved the disclosure of protected information. We did not identify any VA policy that prohibited employees or contractors from removing protected information from the VA worksite, required employees or contract employees to obtain authorization before removing the information, prohibited the use of non-VA computers to process or store protected information, or that required safeguards such as password protection or encryption when protected information was stored on portable storage media or non-VA computers.

Id. at 29 (emphasis added). Defendant Nicholson expressly agreed with the OIG report’s findings and conclusions and did not contest any finding of fact or conclusion. Id. at vii. Thus, Defendant Nicholson in essence admitted that Defendants “failed to act” to implement the Privacy Act. The VA OIG Report also identified five documents that Defendants provided in response to a request for “relevant policies and procedures,” including “Security Guideline for Single-User Remote Access” (March 10, 2006); a February 10, 2006, memorandum; an April 20, 2006 memorandum; VA Directive 6502, Privacy Program, (June 20, 2003); and VA Handbook 5011/5 (Sept. 22, 2005).
Defendants’ determination that these documents were the VA “policies and procedures in place to safeguard against the disclosure of information” on May 3, 2006, raises clear issues of material fact, including: (1) whether Defendants had implemented the safeguards contained in these documents; (2) whether the safeguards in the documents were complied with; (3) whether there was any technical or risk basis for the safeguards purportedly contained in the documents; and (4) how Plaintiffs’ Privacy Act records came to be stolen from John Doe’s home if Defendants implemented and complied with the safeguards specified in the documents. Defendants failed to address any of these genuine issues of material fact. While Defendants neglected to discuss these issues, the VA OIG report on which they rely did. The report concluded that there was “a gap between information law and information law requirements, [which] raises issues concerning VA policies and process designed to ensure compliance with” the [Privacy Act and APA], id. at 31-32 (emphasis added). Thus, the Court should deny Defendants’ Motion.

F. Defendants Maintained An Unauthorized System of Records

Next, neither John Doe nor Defendants complied with Privacy Act requirements for maintaining and accounting for the new system of records created by and for the “fascination project.” The Privacy Act requires, inter alia, that an agency

maintain in its records only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required to be accomplished by statute or by executive order of the President;

5 U.S.C. §§ 552a(e)(1) (emphasis added). In his testimony to the VA OIG, John Doe described how he used information from the BIRLS, C&P, and 2001 NSV systems of records to identify “anonymous” veterans. See, e.g., Doe May 17 Test. at 14, 31, 40, 41; Doe June 16 Test. at 13-17, 122-38, 144.
The resulting system of records contained a unique combination of personally identifying information that was accessible by name of an individual and identifying number, symbol, or other identifying particular assigned to an individual. See generally, id. Thus, John Doe’s fascination project created a new Privacy Act system of records. Nowhere do Defendants identify any statute or executive order to which John Doe’s fascination project is both relevant and necessary under 5 U.S.C. § 552a(e)(1). Even if some thread of relevance between John Doe’s personal reputation and an attempt to “enhance” the NSV could be spun, it was certainly not necessary to download and transfer over 26.5 million BIRLS records, the C&P file and the entire NSV database to his home to do so. In addition, Defendants’ recitation of the basis for the BIRLS, C&P, and PERD systems of records, Defs.’ Mem. at 61-62, is irrelevant. Plaintiffs have not challenged the legal basis for maintaining any of these particular systems of records. It is Defendants’ failure to assert a legal basis for creating and maintaining a new system of records that creates a material and genuine issue of fact for trial.

G. Defendants Failed to Properly Publish Notice of and Account for Systems of Records

Likewise, Defendants had a duty to provide notice and account for this new system of records created by John Doe.

[S]ubject to the provisions of [5 U.S.C. § 552a(e)(11)], publish in the Federal Register upon establishment or revision a notice of the existence and character of the system of records, which notice shall include:

5 U.S.C. § 552a(e)(4) (emphasis added). Defendants failed to comply with this requirement on two relevant occasions. As described above, John Doe created a new system of records containing the personal information of NSV veterans.
Consequently, the VA failed to publish the required Federal Register notice or account for this new system of records under 5 U.S.C. § 552a(e)(4). This is yet another Privacy Act violation. Further, John Doe admitted that he “had no inventory” and was only “guessing as to what was on my hard drive that belonged to VA when it was stolen.” Doe May 17 Test. at 8 (emphasis added). Thus, Defendants had no way to account for Plaintiffs’ Privacy Act records when they were stolen, as plainly evidenced by the delayed and incremental announcements following the theft. Second, Defendants failed to update the Federal Register notice for the BIRLS system of records when VA began adding active duty personnel’s information to the database. The Federal Register notice for the BIRLS system of records that was in effect on May 3, 2006, lists five categories of individuals covered by the system of records: (1) veterans who applied for VA benefits; (2) veterans discharged since March 1973; (3) veterans whose benefits have been sought by others; (4) Medal of Honor recipients; and (5) service members who have established accounts for future educational benefits. See Defs.’ Mem., Ex. 14. On or about 1993, however, VA began creating records in BIRLS containing personal information submitted to DoD by individuals joining active military service. VBA Director Test. at 21. The individuals were not informed of the creation of the BIRLS records containing their personal information and Defendants did not update the BIRLS description in the Federal Register to include such a notification. Id. at 24. On May 3, 2006, active duty military personnel, therefore, were not listed as individuals whose personal information was contained in BIRLS.
It was not, therefore, reasonably possible for active duty military personnel to determine from the then effective BIRLS Federal Register notice that their individually identifying information was contained in that system of records or maintained by VA. Id. at 23-24; see also Chief Test. at 29-31 (Federal Register disclosure statement on BIRLS does not indicate that active-duty personnel records are being collected into BIRLS). This too was a Privacy Act violation. In any event, whether the failures to publish or update these notices violated the Privacy Act are clearly matters of fact for trial.

H. No Legitimate Privacy Act Safeguards Existed

Defendants conclude their submittal as they began it: avoiding reality and providing excuses. If the Privacy Act requires anything from federal agencies, it is the security of personal information from improper, unauthorized, or unintentional disclosure. Even if “Section 552a(e)(10) was never intended to place an onerous burden on agencies,” Defs.’ Mem. at 63, Defendants had, and have, a duty to safeguard Privacy Act records entrusted to them that simply cannot be ignored. It was simply not for Defendants to decide that it was “too hard” to protect citizens’ information. Indeed, Defendants’ statements in this vein are tantamount to admissions of an intentional and willful decision not to comply with the Privacy Act. As an example of Defendants’ gross failures to comply with basic safeguards, the testimony regarding background checks for access to “large VA databases” is revealing:

So, as this thing unfolded, I started looking around at several things. One was how do I even find out who has had background checks, what systems are in place that push this information to me on some kind of basis that says, okay, you are supposed to revalidate or do something. . . . And what I found was that there were no institutional processes in place in VA that do that. . . .
See, right now there’s nothing in the system that gives me anything that says on a yearly basis you need to identify anybody that you think who hasn’t had a background check in say 10 years should be considered for another background check or here, you know, we have reviewed all of the sensitive - sensitivity-level forms for positions X, Y, and Z, and these are the ones that haven’t been re-reviewed or recertified in the last 5 years. There is no system in place that does that whatsoever.

McLendon Test. at 82, 84 (emphasis added). Thus, an individual such as John Doe could and did access and remove huge amounts of “safeguarded” information without ever having been determined suitable for such access or questioned regarding his use of the information.

1. Defendants Ignored Mandatory Federal Information Security Requirements

Defendants were required, as a matter of law, to take discrete, mandatory actions to implement Privacy Act safeguards. The Director of OMB is charged with “developing and overseeing the implementation of policies, principles, standards, and guidelines on information security.” 44 U.S.C. § 3543(a). Each federal agency must “develop, document, and implement an agency-wide information security program” approved by the Director of OMB. Id. § 3544(b). Each agency is also required to report annually to the Director of the OMB and to Congress on “the adequacy and effectiveness” of its security program, including reporting any “significant deficiencies.” Id. § 3544(c)(1), (3). Agency heads “must also ensure compliance with information security standards promulgated by the Department of Commerce.” Id. §§ 3543(a)(1)-(2), 3544(a)(1)(B)(i) (incorporating the requirements of 40 U.S.C. § 11331).
Significantly, the Secretary of Commerce can make those standards “compulsory and binding to the extent determined necessary by the Secretary to improve the efficiency of operation or security of the Federal information systems.” 40 U.S.C. § 11331(b)(1) (emphasis added). Thus, Defendants were required by law and regulation to comply with mandatory standards. And there were and remain numerous rules, regulations, procedures and mandatory guidelines, which Defendants were subject to on May 3, 2006, including:

• 38 C.F.R. § 1.576, which states, inter alia, that

(a) The [VA] will safeguard an individual against an invasion of personal privacy. Except as otherwise provided by law or regulation its officials and employees will: . . . (4) Collect, maintain, use, or disseminate any record of personally identifiable information in a manner that assures that such information is for a necessary and lawful purpose, that the information is correct and accurate for its intended purpose, and that adequate safeguards are provided to prevent misuse of such information.

• OMB Circular A-130, “Management of Federal Information Resources”
• OMB Circular A-130, Appendix III, “Security of Federal Automated Information Resources”
• NIST Federal Information Processing Standards Publication 199, “Standards for Security Categorization of Federal Information and Information Systems”
• NIST Special Publication 800-14, “Generally Accepted Principles and Practices for Security Information Technology Systems”
• NIST Special Publication 800-18, “Guide for Developing Security Plans for Information Technology Systems”
• NIST Special Publication 800-53, “Recommended Security Controls for Federal Information Systems”
• NIST “Federal Information Technology Security Assessment Framework”
• General Accounting Office (“GAO”) “Federal Information System Control Audit Manual”

38 C.F.R. § 1.576; Lennartsson Aff. ¶¶ 36-44, Exs. 2-9.
Yet Defendants provided no evidence that when John Doe’s computer hard drive was stolen they complied with these standards or had any adequate and appropriate policies and procedures in place. And Defendants made no showing that, on May 3, 2006, there was any VA policy that: (a) prohibited employees from physically removing Privacy Act records from the VA worksite on their personal media; (b) required employees to obtain authorization before removing records from VA spaces on any media; (c) prohibited the use of non-VA computers to process or store protected information; or (d) required safeguards such as password protection or encryption when Privacy Act records were stored on portable storage media or non-VA computers. There remain, therefore, a bevy of genuine issues of fact for trial. Thus, Plaintiffs do not seek to “challenge [or] impose judicial control over the VA’s general compliance with the Privacy Act’s safeguards” provisions. See Defs.’ Mem. at 29. To the contrary, discrete and legally required “controls” already existed, although Defendants’ actions indicated intentional disregard of them. And thus, the Court, after trial on the merits, can ensure compliance with the VA’s existing regulations.

2. Defendants’ Failures to Base Information Safeguards on Obvious Threats Exceed the Standards of Conduct For Gross Negligence

Unlike Defendants, Plaintiffs base their Privacy Act arguments on the testimony of an expert in the field of information security. See Lennartsson Aff. ¶¶ 1-9, Att. 1. In addition to determining that numerous existing standards, guides, and technical requirements are directly relevant to safeguarding Defendants’ Privacy Act records, it is now evident that Defendants’ meager attempt to justify the purported “safeguards” in place on May 3, 2006, fails miserably. Below are just a few of the myriad errors and glaring deficiencies in Defendants’ Privacy Act records’ safeguards.
First, Defendants’ sole reliance on employee training, without any software or hardware safeguards, is contrary to federal and comparable industry information security standards. While training of employees is a necessary component of an adequate information security program, it has long been known and accepted in the industry that training alone is not adequate to safeguard information. Lennartsson Aff. ¶¶ 54, 55; Schmidt, 218 F.R.D. at 634. Training, no matter how rigorous or how often repeated, suffers from the flaw that a single failure to comply with the training places the protected information at risk. Id. ¶¶ 55-58. Arbitrary training, meaning training that is not based on a threat or security analysis specific to the computer system or systems intended to be safeguarded, is even less effective, because the training itself may be based on flawed or incorrect assumptions regarding the actual security threats. In such a case, even complete compliance by all individuals may not be sufficient to ensure that the information is protected. Id. ¶ 56. The effectiveness, if any, of Defendants’ ‘training only’ safeguards program was further reduced by Defendants’ obvious failure to perform any compliance monitoring to determine whether employees were actually acting as assumed. Id. ¶ 58. Defendants therefore had no factual basis for asserting that their employee training was an effective safeguard. Id. Accordingly, the entire basis for, and the effectiveness of, Defendants’ safeguards are issues of material fact for trial.

Moreover, any competent security professional or organization charged with safeguarding sensitive information, such as Privacy Act records, would categorize transferring files from a computer system without any hardware or software security barriers onto personal media, such as a floppy disk, CD, DVD or memory stick, as a fundamental security threat. Lennartsson Aff. ¶¶ 45-51.
It is, therefore, not credible for Defendants to assert that they could not “possibly conceive of” the scenario of an employee, intentionally or inadvertently, removing Privacy Act records from a system that allowed unrestricted and unmonitored file downloading. See Defs.’ Mem. at 66. When considered in light of VA officials or managers who are tasked with developing an information security plan for an agency with more than 250,000 persons, for the VA to posit that it is inconceivable that an employee might improperly download a file and remove it from VA premises lacks any semblance of credibility. The fundamental nature of the security threat posed by such downloads suggests that a failure to consider at least the possibility of it occurring was either intentional or the result of gross professional incompetence that recklessly endangered the information that was to be protected. See Lennartsson Aff. ¶¶ 52, 53; see also Schmidt, 218 F.R.D. at 634 (plaintiffs argued that the VA “willfully and intentionally failed to . . . protect against any anticipated threats or hazards to the security of their records. . . . Such a practice in the court’s view shows a complete disregard for the security and confidentiality of those” records).

This absence of any safeguards for a basic security threat such as this raises the question of whether or how Defendants assessed the threats and risks to the Privacy Act information in their charge. It cannot be disputed that such an assessment was required of Defendants:

[T]he need to determine adequate security will require that a risk-based approach be used. This risk assessment approach should include a consideration of the major factors in risk management: the value of the system or application, threats, vulnerabilities, and the effectiveness of current or proposed safeguards.

OMB Circular A-130, App. III, § B (emphasis added).
Yet Defendants failed to provide the results of any risk or threat assessment, or even to assert that any assessment had been performed, to support their position that, as a matter of fact, no VA official actually raised the scenario in assessing appropriate safeguards. See Lennartsson Aff. ¶¶ 47-49. To the contrary, the information presently known to Plaintiffs to be available regarding Defendants’ safeguards suggests that no assessments were performed and that Defendants relied upon arbitrarily and capriciously implemented measures without technical bases. Id. ¶ 49. All of these open items raise significant issues of fact regarding Defendants’ alleged intentional and willful failure to implement required safeguards. As no competent conclusion can be reached regarding the adequacy of any safeguards without an assessment of the threats and risks, id. ¶ 50, Defendants have provided the Court no factual basis upon which to grant this motion.

CONCLUSION

Wherefore, for the foregoing reasons, Plaintiffs respectfully request that the Court deny Defendants’ motions.

Respectfully submitted,
/s/ Douglas J. Rosinski
Counsel in No. 1:06-CV-01038(JR)
Dated: March 28, 2007