IN RE: DEPARTMENT OF VETERANS AFFAIRS (VA) DATA THEFT LITIGATION - MDL 1796
MOTION to Dismiss or, in the Alternative, MOTION for Summary Judgment
D.D.C.
February 22, 2007

UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA

In Re: DEPARTMENT OF VETERANS AFFAIRS (VA) DATA THEFT LITIGATION

Misc. Action No. 06-0506 (JR)
MDL Docket No. 1796

This Document Relates To: ALL CASES

DEFENDANTS’ MOTION TO DISMISS OR, IN THE ALTERNATIVE, FOR SUMMARY JUDGMENT

Pursuant to the Court’s January 23, 2007 Order, defendants hereby refile their Motion to Dismiss or, in the Alternative, for Summary Judgment, in the master docket of these consolidated actions. By order dated November 3, 2006, the Judicial Panel on Multidistrict Litigation consolidated these three actions before this court for pre-trial proceedings pursuant to 28 U.S.C. § 1407.

Defendants United States Department of Veterans Affairs, Secretary R. James Nicholson, Deputy Secretary Gordon G. Mansfield, and VA employee John Doe[1] (referred to herein as either “defendants” or collectively as the “VA”) hereby move to dismiss these actions pursuant to Fed. R. Civ. P. 12(b)(1), (5), and (6), for lack of jurisdiction over the subject matter, insufficiency of service of process, and failure to state a claim upon which relief can be granted. In the alternative, the VA moves for summary judgment on many of the claims pursuant to Fed. R. Civ. P. 56. The grounds for the VA’s motion are set forth in the memorandum submitted herewith. Pursuant to Local Rule 7(h), defendants also submit herewith a statement of material facts as to which there is no genuine issue.

[1] VA employee John Doe is represented in his official capacity only.

Case 1:06-mc-00506-JR Document 9 Filed 02/22/2007 Page 1 of 86

Dated: February 22, 2007.

Respectfully submitted,

PETER D. KEISLER
Assistant Attorney General

JEFFREY A. TAYLOR
United States Attorney

/s/
ELIZABETH J. SHAPIRO, DC Bar 418925
ORI LEV, DC Bar 452565
HEATHER R. PHILLIPS, CA Bar 191620
DAVID M. GLASS, DC Bar 544549
Attorneys, Department of Justice
P.O. Box 883
Washington, D.C. 20044
Tel: (202) 514-4469/Fax: (202) 616-8470
E-mail: david.glass@usdoj.gov

Attorneys for All Defendants Except John Doe in His Individual Capacity

DEFENDANTS’ STATEMENT OF MATERIAL FACTS AS TO WHICH THERE IS NO GENUINE ISSUE

Theft and Recovery of the Hard Drive

1. On Wednesday, May 3, 2006, one or more burglars stole a laptop computer and an external hard drive from the Maryland home of VA employee “John Doe.” Department of Veterans Affairs, Office of Inspector General, Review of Issues Related to the Loss of VA Information Involving the Identity of Millions of Veterans (July 11, 2006) (“OIG Rep’t”) (attached hereto as Exhibit 1) at i-ii. Both the laptop and the external hard drive were the personal property of Mr. Doe. Id. at i. The stolen external hard drive contained “personal information pertaining to millions of veterans” that Mr. Doe had downloaded from VA files so that he could work “at home during his own time” on projects “related to VA.” Id. at ii, 3. The stolen laptop did not contain VA data. Id. at ii. When stolen, the laptop and the hard drive were stored in separate parts of Mr. Doe’s home. Id. at 7.

2.
On May 22, 2006, the VA announced that the burglary had resulted in the theft of the “names, social security numbers, and dates of birth for up to 26.5 million veterans and some spouses, as well as some disability ratings.” Department of Veterans Affairs May 22, 2006 Statement Announcing the Loss of Veterans' Personal Information (attached hereto as Exhibit 2) at 1. Shortly thereafter, the VA “ask[ed] all veterans to be extra vigilant and to carefully monitor bank statements, credit card statements and any statements relating to recent financial transactions.” VA FAQ (May 30, 2006) (attached hereto as Exhibit 3) at 1.

3. The data on the hard drive was never accessed after the theft. FBI June 29, 2006 Press Release (attached hereto as Exhibit 4); OIG Rep’t at ii. See also FBI July 13, 2006 Press Release (attached hereto as Exhibit 5) (same); ID Analytics November 15, 2006 Letter (attached hereto as Exhibit 6) (notifying Secretary Nicholson that no misuse of the VA files at issue had occurred).

Service

4. To date, neither Secretary Nicholson nor Deputy Secretary Mansfield has been served in his individual capacity. See Returns of Service for Secretary Nicholson and Deputy Secretary Mansfield in Hackett (attached hereto as Exhibits 9 and 10); Return of Service in Rosato for Secretary Nicholson (attached hereto as Exhibit 11); Saunders Declaration (“Decl.”) ¶ 4, attached hereto as Exhibit 27.

The VA

5. The VA provides “medical care, benefits, social support, and lasting memorials” to “America’s veterans and their families.” VA Org. Briefing Book (May 2005) (attached hereto as Exhibit 12) at 1.[2] The Veterans Benefits Administration (“VBA”), a component of the VA, “administer[s] the Department’s programs that provide financial and other forms of assistance to veterans, their dependents, and survivors.” Id. at 9. At the time of the theft, the Office of Policy, Planning, and Preparedness (“OPP&P”), a separate component of the VA, oversaw “certain management activities and processes that require coordination across the Department or which call for the application of a broad perspective.” Id. at 37.

[2] The VA’s Organizational Briefing Book is also available online at .

6. The Office of Policy, a component of OPP&P, “provides independent analyses to the Secretary and other VA policy and decision makers concerning future and current veteran policies and programs.” Id. In this regard, the Office of Policy “[p]rovid[es] a spectrum of economic, cost benefit, life cycle cost, veteran population forecasts, financial and liability projections, and other analyses of current veteran policies, benefits, services and programs.” See id. at 38. The Office of Policy also administers “the National Survey of Veterans Programs and national statistical center functions to support continual enhancement of policies, programs, benefits and services to veterans.” See id. Conducted pursuant to 38 U.S.C. § 527, the National Survey of Veterans (“NSV”) is “a series of comprehensive nationwide surveys designed to help [the VA] plan its future programs and services for veterans.” 2001 NSV Final Report (preamble to 2001 NSV Final Report attached hereto as Exhibit 13) at xiii.

7. The VA system of records entitled the “Compensation, Pension, Education and Rehabilitation Records-VA, System No. 58VA21/22” (“C&P File”) contains “records of veterans and beneficiaries receiving VA benefits, and includes database fields such as name, social security number, disability diagnostic codes and ratings, and addresses.” OIG Rep’t at 3. See also GPO Notice for System 58VA21/22 (attached hereto as Exhibit 14) at 2 (describing types of records maintained).

8.
The VA system of records known as the “Veterans and Beneficiaries Identification and Records Location Subsystem-VA” (“BIRLS”), “is a computer file of information concerning veterans and their benefits” that is used, among other things, “to determine the location of a veteran’s file or to record a veteran’s death.” OIG Rep’t at 3. “Some of the BIRLS database fields include name, social security number, military service number, claim number, date of birth, date of death, and dates of military service.” Id. See also GPO Notice for BIRLS (attached hereto as Exhibit 15) at 1.

Privacy and Security Training

9. The VA requires “all VA employees, contractors, and volunteers to complete both Cyber Security and Privacy Training, annually.” June 28, 2006 Testimony of Robert T. Howard Before the House Committee on Veterans’ Affairs (attached hereto as Exhibit 17) at 3; see generally Wallace Decl. (attached hereto as Exhibit 18); Williams Decl. (attached hereto as Exhibit 19). For 2006, the Privacy Training that VA employees were required to complete consisted of a computerized course called the General Employee Privacy Awareness 2006 Course (“Privacy Course”). Wallace Decl. ¶¶ 3-7, and Exhibit A attached thereto. The Privacy Course contained information about the Privacy Act and VA systems of records and stated: “This course will help you understand privacy and make you aware of your responsibilities for protecting personal information.” Wallace Decl., Exhibit A at 1. Noting that the “VA holds a vast repository of private information,” the course notes: “It is your responsibility as a VA employee” to “[r]ecognize personal information in whatever form it appears,” “[u]nderstand what causes a breach of privacy,” “[u]nderstand what can be done to protect privacy,” and “[p]revent use by, or disclosure to, unauthorized persons.” Id. at 8. The course also notes penalties for improper disclosure of private data. Id. at 22.

10. For 2006, the Cyber Security Training that VA employees were required to complete consisted of a computerized course called Cyber Security Awareness (“Security Course”). Williams Decl. ¶ 3 (attached hereto as Exhibit 19); see also Security Course (attached to Williams Decl. as Exhibit A) at 1. The Security Course begins with a reference to “the personal responsibility each of us assumes for ensuring . . . the confidentiality, integrity, and appropriate availability of veterans’ private data . . . [and the] timely and uninterrupted flow of information throughout the VA enterprise.” Williams Decl., Exhibit A at 7. The course continues with 11 lessons, interspersed by quizzes. Id. at 8. The lessons are prefaced by the comment that, “while the information you review in this course is specific to [the VA], many of the principles which are discussed are also relevant to you, as an individual computer user.” Id. at 7.

11. One of the lessons in the Security Course deals with passwords. Id. at 10-12. Stating that “[u]sing the correct username and password combination is the primary method in the VA of identifying and managing access to systems and computer programs,” the lesson prescribes the content of passwords and states: “Using these rules will provide you with a ‘strong’ password. VA requires strong passwords on all information systems.” Id. at 10, 12.

12. Another Security Course lesson deals with backups. Id. at 20-21. Instructing those taking the course to “make sure your work is backed up,” the lesson states: “Backups are done to a second storage medium such as a diskette, zip disk, CD, tape or the preferred method to your network drive. You should be sure to lock away the information in a secure area if it contains sensitive data.” Id. at 20.
The lesson further notes “[p]rivate and uncontrolled media from back ups may present a security risk if left unprotected or in places where access to them is unrestricted. Great care is taken to manage and protect data while it is on the VA network but all this can be for nothing if the back up media is unprotected.” Id. at 21. Employees are warned to “store your back ups in a safe and secure place.” Id.

13. A third Security Course lesson deals with incidents. Id. at 32-33. Noting that “almost everything we do depends on our computers,” the lesson states that “the same computers that help us serve veterans” can be “stolen and vandalized” and thus can be used for “theft and fraud.” Id. at 32.

14. At the time his home was burglarized, John Doe was an Information Technology Specialist in the Office of Policy within OPP&P. OIG Rep’t at 1, 4. On March 31, 2006, he completed both the Privacy and Security Courses. Wallace Decl. ¶ 12, and Exhibit B attached thereto; Williams Decl. ¶ 14, and Exhibit B attached thereto (certificates demonstrating John Doe completed training).

John Doe’s Duties

15. The duties of Mr. Doe within the Office of Policy included “designing and programming information systems and databases ‘comprised of millions of records’ to facilitate analyses used by senior VA officials for policy consideration”; “planning and designing analytical projects and studies to improve the management of databases and for supporting ongoing VA surveys”; and “providing computer specialist expertise to support the administration of the NSV to support a program of research to continually enhance the veteran survey program.” OIG Rep’t at 3-4; Moore Decl. ¶¶ 3-5 (attached hereto as Exhibit 21), and attachment thereto (describing John Doe’s position and skills). Mr. Doe was expected to “plan and execute his assignments independently and to initiate projects and methods of analyzing large databases.” OIG Rep’t at 3, 7; Moore Decl. ¶¶ 3-5.

16. Because Mr. Doe was “responsible for planning and designing analytical projects and supporting surveys involving all aspects of VA policies and programs, he was authorized access to, and use of, [copies of extracts of data from the C&P File, BIRLS,] and other large VA databases.” OIG Rep’t at 3. See also id. at 4-6 (describing nature of employee’s work and data to which he was given access). After investigating the theft of the hard drive, and specifically considering the question of whether Mr. Doe had an official need to access the data that was on the stolen hard drive, the OIG concluded that Mr. Doe had such an “official need to use [such] databases.” Id. (capitalization deleted).

17. Mr. Doe received expanded access to excerpts of the BIRLS database after Dat Tran, a supervisor in OPP&P, facilitated such access. Tran Decl. ¶ 4 (attached hereto as Exhibit 20).

18. One of the projects for which Mr. Doe used the information that he transferred to the hard drive involved “[a]n estimated 4,000 servicemen” who had been exposed during World War II to “significant concentrations of mustard gas” while participating in “secret testing.” Mustard Gas Fact Sheet (attached hereto as Exhibit 22) at 1; OIG Rep’t at 6. The Department of Defense possessed a “mustard gas file” containing the names of most of the participants in the testing, but not their Social Security numbers. OIG Rep’t at 6. By using BIRLS, the VA hoped to determine the Social Security numbers of the participants, thereby permitting the Compensation and Pension Service to begin outreach efforts with them to learn whether they and their dependents may be (or have been) eligible for title 38 benefits. Id.
Dat Tran, the Acting Director of the Data Management and Analysis Service within the Office of Policy, and one of Mr. Doe’s project managers, suggested that Mr. Doe assist in trying to identify the veterans. Id.; Tran Decl. ¶ 3. Mr. Tran also asked that Mr. Doe be provided with access to an appropriate extract from BIRLS so that he could attempt to do so. OIG Rep’t at 4; Tran Decl. ¶ 4.

19. Another project for which Mr. Doe used the information that he transferred to the hard drive involved the NSV for 2001. Id. at 5. OPP&P had “received much criticism regarding the reliability of the survey.” Id. Responding to this criticism, Mr. Doe developed a project on his own initiative to compare information that certain of the respondents had provided during the survey with information on those respondents that the “VA already had on file.” Id. Before Mr. Doe could make any such comparisons, he needed to determine which of a universe of 14,000 individuals had served as respondents. Id. To do so, he used an extract from the C&P File and an online reverse telephone directory. See id.; 2001 NSV Final Report at xiv. Mr. Doe “worked on the project at home because it was very time-consuming and he could not devote sufficient time to it at the office.” OIG Rep’t at 5.

20. After the hard drive was stolen, Michael McLendon, Deputy Assistant Secretary for Policy and Mr. Doe’s second-line supervisor, was asked to discuss the project. OIG Rep’t at 6. He said that he had not known about the project, but that the “VA did not have good integrated data to profile different cohorts of veterans.” Id. Accordingly, he said that “any attempt to give the agency better insight into the veteran population by matching the survey data with information already in VA databases was a legitimate work effort.” Id.

21. The VA information downloaded to the stolen hard drive consisted of extracts from the C&P File and from BIRLS. OIG Rep’t at 6. Because Mr. Doe was “responsible for planning and designing analytical projects and supporting surveys involving all aspects of VA policies and programs, he was authorized access to, and use of, these and other large VA databases.” Id.; Tran Decl. ¶ 4.

22. The material that Mr. Doe downloaded to the hard drive was material for which he had a need in the performance of his duties. See Tran Decl. ¶¶ 3-4; Moore Decl. ¶¶ 3-5.

Dated: February 22, 2007.

Respectfully submitted,

PETER D. KEISLER
Assistant Attorney General

JEFFREY A. TAYLOR
United States Attorney

/s/
ELIZABETH J. SHAPIRO, DC Bar 418925
ORI LEV, DC Bar 452565
HEATHER R. PHILLIPS, CA Bar 191620
DAVID M. GLASS, DC Bar 544549
Attorneys, Department of Justice
20 Mass. Ave., N.W., Room 7140
Washington, D.C. 20044
Tel: (202) 514-4469/Fax: (202) 616-8470
E-mail: david.glass@usdoj.gov

Attorneys for All Defendants Except John Doe in His Individual Capacity

MEMORANDUM OF LAW IN SUPPORT OF DEFENDANTS’ MOTION TO DISMISS OR, IN THE ALTERNATIVE, FOR SUMMARY JUDGMENT

TABLE OF CONTENTS

PRELIMINARY STATEMENT
BACKGROUND
  I. CIRCUMSTANCES SURROUNDING THE THEFT AND SUBSEQUENT RECOVERY OF THE LAPTOP AND EXTERNAL HARD DRIVE
  II. THE THREE LAWSUITS
STATEMENT OF FACTS
  I. THE VA
  II. THE VA SYSTEMS OF RECORDS
  III. VA CYBER SECURITY AND PRIVACY TRAINING
  IV. JOHN DOE
  V. THE STOLEN HARD DRIVE
THE STATUTORY SCHEME
ARGUMENT
  I. PLAINTIFFS’ CLAIMS SHOULD BE DISMISSED FOR LACK OF STANDING
    A. Legal Standard
    B. The Organizational Named Plaintiffs in VVA Lack Standing
    C. The Individual Named Plaintiffs Lack Standing
  II. PLAINTIFFS’ APA CLAIMS SHOULD BE DISMISSED FOR FAILURE TO STATE A CLAIM
    A. Background
    B. The APA Claims Based on the Alleged Failure to Timely Report the Theft Should Be Dismissed
    C. The APA Claim Based on Defendants’ Alleged Failure to Properly Safeguard Information Should Be Dismissed
  III. PLAINTIFFS’ BIVENS CLAIMS SHOULD BE DISMISSED
    A. Plaintiffs’ Bivens Claims Should Be Dismissed Because Secretary Nicholson and Deputy Secretary Mansfield Have Not Been Properly Named or Served
    B. Plaintiffs’ Bivens Claims Are Precluded by the Privacy Act
    C. Injunctive Relief Is Unavailable Under Bivens
    D. Qualified Immunity Bars Plaintiffs’ Bivens Claims Against Secretary Nicholson and Deputy Secretary Mansfield
  IV. PLAINTIFFS’ PRIVACY ACT CLAIMS SHOULD BE DISMISSED FOR FAILURE TO STATE A CLAIM
    A. Plaintiffs’ Privacy Act Claims Should Be Dismissed for Failure To Plead Intentional or Willful Violations of the Act
    B. Plaintiffs Fail to State a Claim for an Improper Disclosure Under the Privacy Act (§ 552a(b))
      1. Plaintiffs Fail to State a Claim with Respect to John Doe’s Access to the Information
      2. Plaintiffs Fail to State a Claim with Respect to John Doe’s Removal of the Information from the VA
      3. Plaintiffs Fail to State a Claim with Respect to John Doe’s Transfer of the Records to His Personal Hard Drive
      4. Plaintiffs Fail to State a Claim with Respect to the Theft of the Hard Drive
    C. Plaintiffs Fail to State a Claim Based on the Accounting Provisions of the Privacy Act (§ 552(c)(1))
    D. Plaintiffs Fail to State a Claim Based on the Agency’s Maintenance of the Information (§ 552a(e)(1))
    E. The VVA Plaintiffs Fail to State a Claim Based on How the Agency Collected the Information at Issue (§ 552a(e)(2))
    F. The VVA Plaintiffs Fail to State a Claim Based on the Publication of Privacy Act Notices (§ 552a(e)(4))
    G. The VVA Plaintiffs Fail to State a Claim Based on the Accuracy of the Information (§ 552a(e)(6))
    H. Plaintiffs’ Privacy Act Claims Should Be Dismissed to the Extent they Are Based on Non-Pecuniary Damages
  V. DEFENDANTS ARE ENTITLED TO SUMMARY JUDGMENT ON ANY PRIVACY ACT CLAIMS NOT DISMISSED
    A. Defendants Are Entitled to Summary Judgment on Plaintiffs’ Disclosure Claims (§ 552a(b))
      1. John Doe Properly Had Access to the Information at Issue
      2. The Theft of the Hard Drive Did Not Result in the Disclosure of the Information at Issue
    B. Defendants Are Entitled to Summary Judgment on Plaintiffs’ Accounting Claims (§ 552a(c)(1))
    C. Defendants Are Entitled to Summary Judgment on Plaintiffs’ Maintenance Claims (§ 552a(e)(1))
    D. Defendants Are Entitled to Summary Judgment on the VVA Plaintiffs’ Publication Claim (§ 552a(e)(4))
    E. Defendants Are Entitled to Summary Judgment on Plaintiffs’ Safeguards Claims (§ 552a(e)(10))
CONCLUSION

PRELIMINARY STATEMENT

Plaintiffs bring these three putative nationwide class actions on behalf of individuals whose personal VA data had been downloaded onto an external hard drive stolen from the home of John Doe (a pseudonym), an employee of the Department of Veterans Affairs (“VA”). They assert claims under the Privacy Act (“Act”), the Administrative Procedure Act (“APA”), and the Constitution, and seek damages, declaratory and injunctive relief, and attorneys’ fees.

On November 3, 2006, all three cases were consolidated in this Court for pre-trial proceedings pursuant to an order of the Judicial Panel on Multidistrict Litigation. Defendants United States Department of Veterans Affairs, Secretary R. James Nicholson, Deputy Secretary Gordon G. Mansfield, and VA employee John Doe[1] (referred to herein as either “defendants” or collectively as the “VA”), hereby move to dismiss plaintiffs’ claims for lack of jurisdiction, failure to effectuate service, and failure to state a claim. In addition, the Court should enter summary judgment in favor of defendants on many of the claims.

[1] VA employee John Doe is represented in his official capacity only.

BACKGROUND

I. CIRCUMSTANCES SURROUNDING THE THEFT AND SUBSEQUENT RECOVERY OF THE LAPTOP AND EXTERNAL HARD DRIVE

On Wednesday, May 3, 2006, one or more burglars stole a laptop computer and an external hard drive from the Maryland home of VA employee John Doe. Department of Veterans Affairs, Office of Inspector General, Review of Issues Related to the Loss of VA Information Involving the Identity of Millions of Veterans (July 11, 2006) (“OIG Rep’t”) (attached hereto as Exhibit 1) at i-ii. Both the laptop and the external hard drive were the personal property of Mr. Doe. Id. at i. The stolen external hard drive contained “personal information pertaining to millions of veterans” that Mr. Doe had downloaded from VA files so that he could work “at home during his own time” on projects “related to VA.” Id. at ii, 3. The stolen laptop did not contain VA data. Id. at ii. When stolen, the laptop and the hard drive were stored in separate parts of Mr. Doe’s home. Id. at 7. Though the hard drive was “hidden from view,” it was not password protected. Id.

On May 22, 2006, the VA announced that the burglary had resulted in the theft of the “names, social security numbers, and dates of birth for up to 26.5 million veterans and some spouses, as well as some disability ratings.” Department of Veterans Affairs May 22, 2006 Statement Announcing the Loss of Veterans' Personal Information (attached hereto as Exhibit 2) at 1. Shortly thereafter, the VA “ask[ed] all veterans to be extra vigilant and to carefully monitor bank statements, credit card statements and any statements relating to recent financial transactions.” VA FAQ (May 30, 2006) (attached hereto as Exhibit 3) at 1.
On June 29, 2006, the Federal Bureau of Investigation (“FBI”) announced that the laptop and hard drive had been recovered and that “[a] preliminary review of the equipment by computer forensic teams determined that the data base remains intact and has not been accessed since it was stolen.” FBI June 29, 2006 Press Release (attached hereto as Exhibit 4). On July 11, 2006, the Office of Inspector General (“OIG”) of the VA issued its report on the matter, in which it said: “Based on all the facts gathered thus far during the investigation, as well as the results of computer forensics examinations, the FBI and OIG are highly confident that the files on the external hard drive were not compromised after the burglary.” OIG Rep’t at ii. See also FBI July 13, 2006 Press Release (attached hereto as Exhibit 5) (same); ID Analytics November 15, 2006 Letter (attached hereto as Exhibit 6) (notifying Secretary Nicholson that no misuse of the VA files at issue had occurred).

II. THE THREE LAWSUITS[2]

[2] For the Court’s convenience, the Hackett and Rosato complaints are attached as Exhibits 7 and 8.

These actions arise from the theft of the hard drive. The first action, Hackett v. VA, No. 2:06-cv-00114-WOB (in this Court No. 1:06-cv-01943-JR), was commenced on May 30, 2006, in the Eastern District of Kentucky. Plaintiffs in Hackett are two veterans. Hackett Am. Compl. ¶¶ 9-10. Hackett is brought as a purported nationwide class action on behalf of all individuals whose personal information was included on the stolen hard drive. Id. ¶ 27. Defendants are the VA, Secretary of Veterans Affairs R. James Nicholson; Deputy Secretary of Veterans Affairs Gordon G. Mansfield, and VA employee John Doe. Id. ¶¶ 11-14. Secretary Nicholson and Deputy Secretary Mansfield are sued in Hackett in both their official and individual capacities. Id. ¶¶ 12-13. To date, neither has been served in his individual capacity. See Returns of Service for Secretary Nicholson and Deputy Secretary Mansfield (attached hereto as Exhibits 9 and 10); Saunders Declaration (“Decl.”) ¶ 4 (attached hereto as Exhibit 27).[3] John Doe is likewise sued in both his official and individual capacities. Hackett Am. Compl. ¶ 14.

[3] The returns of service for Secretary Nicholson and Deputy Secretary Mansfield filed by the Hackett plaintiffs demonstrate that they were served via certified mail. Although such service is appropriate for the official capacity claims, it does not constitute proper service for the individual capacity claims. Fed. R. Civ. P. 4(i)(2) & (4)(e).

The second action, Vietnam Veterans of America (VVA) v. Nicholson, No. 1:06-cv-01038-JR, was commenced in this Court on June 6, 2006. Plaintiffs in VVA are four veterans and five advocacy groups; defendants are the VA and Secretary Nicholson in his official capacity. VVA Compl. caption & ¶¶ 9-17. VVA is likewise brought as a purported nationwide class action on behalf of the same putative class on whose behalf the case was brought in Hackett. Id. ¶¶ 43-44.

The third action, Rosato v. Nicholson, No. 1:06-cv-03086-ENV-JMA (in this Court No. 1:06-cv-01944-JR), was commenced on June 21, 2006, in the Eastern District of New York. Plaintiffs in Rosato are three veterans; defendants are the VA and Secretary Nicholson in his official capacity. Rosato Compl. caption & ¶¶ 11-15. Rosato is similarly brought as a purported nationwide class action on behalf of the same putative class as Hackett and VVA. Id. ¶ 41.[4]

[4] The Rosato complaint appears to be an amalgam of the amended complaint in Hackett and the complaint in VVA, consisting almost entirely of paragraphs that nearly verbatim track paragraphs contained in those earlier-filed pleadings. In addition, the Rosato complaint cites to Bivens v. Six Unknown Named Agents of the Federal Bureau of Narcotics, 403 U.S. 388 (1971), but fails to either name or specify any claims against Secretary Nicholson in his individual capacity. Nor has Secretary Nicholson been served in the Rosato case in his individual capacity. See Return of Service in Rosato for Secretary Nicholson (attached hereto as Exhibit 11); Saunders Decl. ¶ 4.

Plaintiffs in all three actions allege that defendants have violated the Privacy Act, 5 U.S.C. § 552a, by improperly disclosing information covered by the Act (the “disclosure claims”) and failing to establish certain safeguards required by the Act (the “safeguards claims”). Hackett Am. Compl. ¶¶ 2-3, 36, 38; VVA Compl. ¶¶ 29-31, 37, 62-67; Rosato Compl. ¶¶ 5, 8, 24-25, 28, 50, 52. Although the Complaints in VVA and Rosato are not models of clarity, a generous reading of those Complaints suggests that plaintiffs in those cases bring additional claims that defendants have violated the Privacy Act by “failing to keep or maintain an accurate accounting of the [alleged] disclosures” (the “accounting claims”) and maintaining information that was “not relevant and necessary to accomplish a purpose required by statute or by executive order” (the “maintenance claims”). VVA Compl. ¶¶ 32-33; Rosato Compl. ¶¶ 26-27. In addition, the VVA plaintiffs further allege that defendants violated the Act by failing to collect the information on the hard drive “directly from the subject individuals to the greatest extent practicable” (the “collection claim”); failing to publish a notice in the Federal Register for a certain “system of records” (the “publication claim”); and failing to make “reasonable efforts” to assure that the information allegedly disclosed was “accurate, complete, timely and relevant” (the “accuracy claim”). VVA Compl. ¶¶ 34-36.[5]

[5] These additional alleged violations of the Privacy Act are not specifically set forth as separate claims in the VVA and Rosato complaints. Compare Hackett Am. Compl. ¶¶ 36, 38 (asserting express claims for improper disclosure and lack of adequate safeguards). Rather, the catalogue of alleged violations is asserted in conclusory fashion in the body of the complaints. VVA Compl. ¶¶ 32-36; Rosato Compl. ¶¶ 26-27. The Complaint in VVA then asserts an omnibus claim for an undifferentiated “Violation of the Privacy Act.” VVA Compl. ¶¶ 61-67 (Second Claim for Relief). The Complaint in Rosato does not even go so far, as the “claims for relief” set forth therein include - insofar as the Privacy Act is concerned - only a reference to allegedly inappropriate disclosures and the failure to establish appropriate safeguards. Rosato Compl. ¶¶ 50, 52. Nevertheless, for purposes of the instant motion, defendants assume that the VVA and Rosato plaintiffs intended to assert claims for these additional alleged violations of the Privacy Act as well.

In addition to the Privacy Act allegations set forth above, the VVA and Rosato plaintiffs allege that defendants have violated the APA, 5 U.S.C. § 701 et seq., by failing to properly report the alleged disclosure and failing to appropriately safeguard the information. VVA Compl. ¶¶ 25, 37, 58; Rosato Compl. ¶¶ 22, 47. In Hackett and Rosato, plaintiffs make the further allegation that defendants’ “acts and omissions” have violated plaintiffs’ rights under the Fourth and Fifth Amendments. Hackett Am. Compl. ¶¶ 40, 42, 44, 46; Rosato Compl. ¶ 54.

For relief, plaintiffs seek damages, declaratory and injunctive relief, and attorneys’ fees. Hackett Am. Compl. prayer ¶¶ a-e; VVA Compl. prayer ¶¶ a-g; Rosato Compl. prayer ¶¶ a-g. The injunctive relief sought is sweeping in nature and includes, for example, an injunction forbidding

[6] The VA’s Organizational Briefing Book is also available online at .
6 any VA employee from accessing or viewing any record covered by the Privacy Act until an “independent panel of experts finds” that the agency has implemented “adequate information security.” VVA Compl. prayer ¶ d; Rosato Comp. prayer ¶ b. See also Hackett Am. Compl. prayer ¶ b (seeking injunction “preventing Defendants from continuing to operate without appropriate safeguards”); Rosato Compl. prayer ¶ b (same). In addition to the general claims for relief, the Hackett and Rosato plaintiffs expressly seek “reparative injunctive relief under Bivens [v. Six Unknown Named Agents of the Federal Bureau of Narcotics, 403 U.S. 388 (1971)].” Hackett Am. Compl. prayer ¶ c; Rosato Compl. prayer ¶ c. The Rosato complaint also asserts an entitlement to monetary relief pursuant to the APA. Rosato Compl. ¶ 49. STATEMENT OF FACTS I. THE VA The VA provides “medical care, benefits, social support, and lasting memorials” to “America’s veterans and their families.” VA Org. Briefing Book (May 2005) (attached hereto as Exhibit 12) at 1. The Veterans Benefits Administration (“VBA”), a component of the VA,6 “administer[s] the Department’s programs that provide financial and other forms of assistance to veterans, their dependents, and survivors.” Id. at 9. At the time of the theft, the Office of Policy, Planning, and Preparedness (“OPP&P”), a separate component of the VA, oversaw “certain management activities and processes that require coordination across the Department or which call for the application of a broad perspective.” Id. at 37. The Office of Policy, a component of OPP&P, “provides independent analyses to the Secretary and other VA policy and decision Case 1:06-mc-00506-JR Document 9 Filed 02/22/2007 Page 22 of 86 The VA system of records 58VA21/22 includes many “files” or databases, one of which7 is identified as the “C&P File” in the OIG Report. For consistency, this system of records will also be referred to herein as the C&P File. 
Pursuant to the Privacy Act, the Office of the Federal Register is biennially to compile8 and publish agencies’ systems of records notices published by agencies under subsection (e)(4) of the Act. See 5 U.S.C. § 552a(f). Since 1995, the Privacy Act Compilations have been published online via GPO Access. See Privacy Act Issuances: About, available at . The Compilations can be searched and retrieved online at . 7 makers concerning future and current veteran policies and programs.” Id. In this regard, the Office of Policy “[p]rovid[es] a spectrum of economic, cost benefit, life cycle cost, veteran population forecasts, financial and liability projections, and other analyses of current veteran policies, benefits, services and programs.” See id. at 38. The Office of Policy also administers “the National Survey of Veterans Programs and national statistical center functions to support continual enhancement of policies, programs, benefits and services to veterans.” See id. Conducted pursuant to 38 U.S.C. § 527, the National Survey of Veterans (“NSV”) is “a series of comprehensive nationwide surveys designed to help [the VA] plan its future programs and services for veterans.” 2001 NSV Final Report (preamble to 2001 NSV Final Report attached hereto as Exhibit 13) at xiii. II. THE VA SYSTEMS OF RECORDS Two components of the VBA, the Compensation and Pension Service and the Vocational Rehabilitation and Counseling Service, manage a VA system of records entitled the “Compensation, Pension, Education and Rehabilitation Records-VA, System No. 58VA21/22" (“C&P File”). GPO Notice for System 58VA21/22 (attached hereto as Exhibit 14) at 13. This7 8 system of records contains “records of veterans and beneficiaries receiving VA benefits, and Case 1:06-mc-00506-JR Document 9 Filed 02/22/2007 Page 23 of 86 Because the Notice as originally published in the Federal Register has been, in9 compliance with 5 U.S.C. 
§ 552a(e)(4), repeatedly amended over the years, the most readily available current version of the Notice is the one available on the GPO Website and attached hereto as Exhibit 14. 8 includes database fields such as name, social security number, disability diagnostic codes and ratings, and addresses.” OIG Rep’t at 3. See also GPO Notice for System 58VA21/22 at 2 (describing types of records maintained). A notice for this system of records was first published in the Federal Register pursuant to 5 U.S.C. § 552a(e)(4) on March 3, 1976, see 41 Fed. Reg. 9294, and was most recently amended on June 13, 2005, see 70 Fed. Reg. 34186.9 In addition to co-managing the above system of records, the Compensation and Pension Service manages a VA system of records known as the “Veterans and Beneficiaries Identification and Records Location Subsystem-VA”, System No. 38VA21 (“BIRLS”). GPO Notice for BIRLS (attached hereto as Exhibit 15) at 5. BIRLS “is a computer file of information concerning veterans and their benefits” that is used, among other things, “to determine the location of a veteran’s file or to record a veteran’s death.” OIG Rep’t at 3. “Some of the BIRLS database fields include name, social security number, military service number, claim number, date of birth, date of death, and dates of military service.” Id. See also GPO Notice for BIRLS at 1. A notice for BIRLS was published in the Federal Register pursuant to § 552a(e)(4) on August 26, 1975, see 40 Fed. Reg. 38112, completely revised on January 1, 1982, see 47 Fed. Reg. 367, and most recently amended on June 4, 2001, see 66 Fed. Reg. 30049. The current version of the BIRLS Notice is attached hereto as Exhibit 15. OPP&P manages a VA system of records known as the “Program Evaluation Research Data Records-VA”, System No. 107VA008B (“PERD Records”). 66 Fed. Reg. 29633 (May 31, Case 1:06-mc-00506-JR Document 9 Filed 02/22/2007 Page 24 of 86 9 2001). 
The PERD Records consist of records collected and maintained by OPP&P to “evaluate on a continuing basis” the effectiveness of the programs that the VA administers. Id. at 29634. Included in the PERD Records are extracts of other VA systems of records. Id. at 29634-35 (“Information in this system of records is provided by . . . VA program operation files from the Veterans Health Administration (VHA), Veterans Benefits Administration (VBA), National Cemetery Administration (NCA), and other organizations within VA.”). A notice for the PERD Records was published in the Federal Register pursuant to § 552(a)(4)(e) on May 31, 2001, see id., and has not been amended. See also GPO Notice for PERDS (attached hereto as Exhibit 16).

III. VA CYBER SECURITY AND PRIVACY TRAINING

The VA requires “all VA employees, contractors, and volunteers to complete both Cyber Security and Privacy Training, annually.” June 28, 2006 Testimony of Robert T. Howard Before the House Committee on Veterans’ Affairs (attached hereto as Exhibit 17) at 3. For 2006, the Privacy Training that VA employees were required to complete consisted of a computerized course called the General Employee Privacy Awareness 2006 Course (“Privacy Course”). Wallace Decl. ¶¶ 3-3-7 (attached hereto as Exhibit 18). The Privacy Course contained information about the Privacy Act and VA systems of records and stated: “This course will help you understand privacy and make you aware of your responsibilities for protecting personal information.” Wallace Decl., attached Exhibit A at 1. Noting that the “VA holds a vast repository of private information,” the course notes: “It is your responsibility as a VA employee” to “[r]ecognize personal information in whatever form it appears,” “[u]nderstand what causes a breach of privacy,” “[u]nderstand what can be done to protect privacy,” and “[p]revent use by, or disclosure to, unauthorized persons.” Id. at 8.
The course also notes penalties for improper disclosure of private data. Id. at 22.

For 2006, the Cyber Security Training that VA employees were required to complete consisted of a computerized course called VA Cyber Security Awareness - FY06 (“Security Course”). Williams Decl. ¶ (attached hereto as Exhibit 19); See also Security Course (attached to Williams Decl. as Exhibit A) at 1. The Security Course begins with a reference to “the personal responsibility each of us assumes for ensuring . . . the confidentiality, integrity, and appropriate availability of veterans’ private data . . . [and the] timely and uninterrupted flow of information throughout the VA enterprise.” Williams Decl., attached Exhibit A at 7. The course continues with 11 lessons, interspersed by quizzes. Id. at 8. The lessons are prefaced by the comment that, “while the information you review in this course is specific to [the VA], many of the principles which are discussed are also relevant to you, as an individual computer user.” Id. at 7.

One of the lessons in the course deals with passwords. Id. at 10-12. Stating that “[u]sing the correct username and password combination is the primary method in the VA of identifying and managing access to systems and computer programs,” the lesson prescribes the content of passwords and states: “Using these rules will provide you with a ‘strong’ password. VA requires strong passwords on all information systems.” Id. at 10, 12.

Another lesson deals with backups. Id. at 20-21. Instructing those taking the course to “make sure your work is backed up,” the lesson states: “Backups are done to a second storage medium such as a diskette, zip disk, CD, tape or the preferred method to your network drive. You should be sure to lock away the information in a secure area if it contains sensitive data.” Id. at 20 (emphasis added).
The lesson further notes “[p]rivate and uncontrolled media from back ups may present a security risk if left unprotected or in places where access to them is unrestricted. Great care is taken to manage and protect data while it is on the VA network but all this can be for nothing if the back up media is unprotected.” Id. at 21. Employees are warned to “store your back ups in a safe and secure place.” Id.

A third lesson deals with incidents. Id. at 32-33. Noting that “almost everything we do depends on our computers,” the lesson states that “the same computers that help us serve veterans” can be “stolen and vandalized” and thus can be used for “theft and fraud.” Id. at 32.

IV. JOHN DOE

At the time his home was burglarized, John Doe was an Information Technology Specialist in the Office of Policy within OPP&P. OIG Rep’t at 1, 4. On March 31, 2006, he completed both the Privacy and Security Courses. Williams Decl., Exhibit B; Wallace Decl., Exhibit B (certificates demonstrating John Doe completed training). The duties of Mr. Doe within the Office of Policy included “designing and programming information systems and databases ‘comprised of millions of records’ to facilitate analyses used by senior VA officials for policy consideration”; “planning and designing analytical projects and studies to improve the management of databases and for supporting ongoing VA surveys”; and “providing computer specialist expertise to support the administration of the NSV to support a program of research to continually enhance the veteran survey program.” OIG Rep’t at 3-4. Expected to “plan and execute his assignments independently and to initiate projects and methods of analyzing large databases,” Mr. Doe was viewed by management as “a very motivated, hard-working, and dedicated individual who worked long hours and produced meticulous work.” Id. at 3, 7. Because Mr.
Doe was “responsible for planning and designing analytical projects and supporting surveys involving all aspects of VA policies and programs, he was authorized access to, and use of, [copies of extracts of data from the C&P File, BIRLS,] and other large VA databases.” OIG Rep’t at 3. See also id. at 4-6 (describing nature of employee’s work and data to which he was given access). After investigating the theft of the hard drive, and specifically considering the question of whether Mr. Doe had an official need to access the data that was on the stolen hard drive, the OIG concluded that Mr. Doe had such an “official need to use [such] databases.” Id. (capitalization deleted). Moreover, Mr. Doe only received expanded access to excerpts of the BIRLS databases after Dat Tran, a supervisor in OPP&P, assisted him in obtaining such access. Tran Decl. ¶ 4 (attached hereto as Exhibit 20).

V. THE STOLEN HARD DRIVE

Mr. Doe was willing to work on his own time on work-related activities. See OIG Rep’t at 5. Accordingly, he took work home regularly. See id. at 7. At one time, he used a VA laptop to do so but, in January 2006, he began using “a personal laptop and external hard drive” that he had purchased “in mid-2005.” Id. Employing CDs, DVDs, floppy disks, and a flash drive, he would “transport VA data home,” then transfer the data to the external hard drive. Id. The data that he transferred included “large record extracts” from the C&P File and from BIRLS. Id. at 3.

One of the projects for which Mr. Doe used the information that he transferred to the hard drive involved “[a]n estimated 4,000 servicemen” who had been exposed during World War II to “significant concentrations of mustard gas” while participating in “secret testing.” Mustard Gas Fact Sheet (attached hereto as Exhibit 22) at 1; OIG Rep’t at 6.
The Department of Defense possessed a “mustard gas file” containing the names of most of the participants in the testing, but not their Social Security numbers. OIG Rep’t at 6. By using BIRLS, the VA hoped to determine the Social Security numbers of the participants, thereby permitting the Compensation and Pension Service to begin outreach efforts with them to learn whether they and their dependents may be (or have been) eligible for title 38 benefits. Id. Dat Tran, the Acting Director of the Data Management and Analysis Service within the Office of Policy, requested that Mr. Doe assist in trying to identify the veterans. Id.; Tran Decl. ¶ 3. Mr. Tran also asked that Mr. Doe be provided with expanded access to an appropriate extract from BIRLS so that he could attempt to do so. Id. at 4; Tran Decl. ¶ 4.

Another project for which Mr. Doe used the information that he transferred to the hard drive involved the NSV for 2001. Id. at 5. OPP&P had “received much criticism regarding the reliability of the survey.” Id. Responding to this criticism, Mr. Doe developed a project on his own initiative to compare information that certain of the respondents had provided during the survey with information on those respondents that the “VA already had on file.” Id. Before Mr. Doe could make any such comparisons, he needed to determine which of a universe of 14,000 individuals had served as respondents. Id. To do so, he used an extract from the C&P File and an online reverse telephone directory. See id.; 2001 NSV Final Report at xiv. Mr. Doe “worked on the project at home because it was very time-consuming and he could not devote sufficient time to it at the office.” OIG Rep’t at 5.

After the hard drive was stolen, Michael McLendon, Deputy Assistant Secretary for Policy and Mr. Doe’s second-line supervisor, was asked to discuss the project. OIG Rep’t at 6.
He said that he had not known about the project, but that the “VA did not have good integrated data to profile different cohorts of veterans.” Id. Accordingly, he said that “any attempt to give the agency better insight into the veteran population by matching the survey data with information already in VA databases was a legitimate work effort.” Id.

THE STATUTORY SCHEME

The Privacy Act, 5 U.S.C. § 552a, “gives agencies detailed instructions for managing their records and provides for various sorts of civil relief to individuals aggrieved by failures on the Government’s part to comply with the requirements.” Doe v. Chao, 540 U.S. 614, 618 (2004). Two concepts lie at the heart of the Act: “records” and “systems of records.” See Maydak v. United States, 363 F.3d 512, 515 (D.C. Cir. 2004). A “record” for purposes of the act is an “item, collection, or grouping of information about an individual that is maintained by an agency.” 5 U.S.C. § 552a(a)(4). A “system of records” is a group of records under the control of an agency “from which information is retrieved by the name of the individual” or by his or her personal identifier. Id. § 552a(a)(5).

The Act establishes a set of requirements that apply to agencies’ handling of records in their systems of records. “Under subsection (b) of the Act, 5 U.S.C. § 552a(b), agencies may not ‘disclose any record which is contained in a system of records’ unless certain exceptions apply.” McCready v. Nicholson, 465 F.3d 1, 8 (D.C. Cir. 2006). One of the exceptions permits the disclosure of a record in a system of records “to those officers and employees of the agency which maintains the record who have a need for the record in the performance of their duties.” Id. (citing 5 U.S.C. § 552a(b)(1)).
An agency must also keep an “accurate accounting” of disclosures from its systems of records, but this accounting requirement does not apply to disclosures under subsection (b)(1) of the Act to officers or employees of the agency having a need for the record in the performance of their duties. Id. § 552a(c)(1). Each agency that maintains a system of records must “maintain in its records only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required to be accomplished by statute or by executive order of the President.” Id. § 552a(e)(1). In addition, each agency that maintains a system of records must “collect information to the greatest extent practicable directly from the subject individual when the information may result in adverse determinations about [the] individual’s rights, benefits, and privileges under Federal programs.” Id. § 552a(e)(2). Upon establishing or revising a system of records, the agency must publish a notice in the Federal Register “of the existence and character of the system of records.” Id. § 552a(e)(4). In addition, before “disseminating” a record to “any person other than an agency,” an agency must make “reasonable efforts to assure” that the record is “accurate, complete, timely, and relevant for agency purposes.” Id. § 552a(e)(6). The agency must also establish “appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained.” Id. § 552a(e)(10).

The Privacy Act also provides individuals who are the subjects of records covered by the Act with limited civil relief for agency violations of the Act.
The Act authorizes these individuals to seek injunctive relief against an agency in two narrow circumstances: (1) where an agency fails to amend a record concerning an individual at the individual’s request; and (2) where an agency refuses to comply with an individual’s request for access to records about him or herself. Id. §§ 552a(g)(1)(A)-(B), 552a(g)(2)-(3). See also Doe, 540 U.S. at 635 (Ginsburg, J., dissenting) (“Injunctive relief . . . [is] available under the Act in two categories of cases . . . .”). The Act also authorizes suits for money damages for agency violations of the Act, but only in cases where the agency has acted “in such a way as to have an adverse effect on an individual.” 5 U.S.C. § 552a(g)(1)(D). See also id. § 552a(g)(1)(C). Moreover, although an adverse effect is necessary to establish the “injury-in-fact and causation requirements of Article III standing,” and an “individual subjected to an adverse effect has injury enough to open the courthouse door, . . . without more [he] has no cause of action for damages under the Privacy Act.” Doe, 540 U.S. at 624-25. Thus, an individual plaintiff seeking damages under the Act must also plead and prove “intent or willfulness [on the agency’s part] in addition to adverse effect,” id. at 624; see 5 U.S.C. § 552a(g)(4), as well as “actual damages,” Doe, 540 U.S. at 627; see 5 U.S.C. § 552a(g)(4)(A). See also Doe, 540 U.S. at 621 n.2 (“‘actual damages’ is a further touchstone of the entitlement” to recover).

ARGUMENT

Plaintiffs’ claims should be dismissed for numerous reasons. First, the named individual plaintiffs all lack standing to sue under the Privacy Act because they have failed to allege the requisite injury-in-fact and causation necessary to establish Article III jurisdiction. The organizational plaintiffs lack standing to sue on behalf of their members because the Privacy Act applies only to individuals.
Importantly, the facts as alleged do not state a claim for an intentional or willful violation of the Act, a prerequisite to maintaining a Privacy Act cause of action. Moreover, with the exception of plaintiffs’ claim with respect to the alleged failure to establish appropriate safeguards for the information on the hard drive, the facts alleged in the Complaints simply do not state a claim for relief for an alleged violation of any other provision of the Privacy Act. Finally, even if plaintiffs were deemed to have stated a claim under the Act for one or more of the violations they allege, the only plaintiffs who would be entitled to damages under the Act would be those individuals who suffered pecuniary injury. All plaintiffs’ Privacy Act claims should therefore be dismissed for these reasons.

Second, plaintiffs’ APA and Bivens claims should be dismissed for failure to state a claim and improper service. With respect to the APA claims, plaintiffs have failed to identify any “final agency action” that they want the Court to review, and have not alleged any cognizable “legal wrong” necessary to maintain an APA claim. Further, the damages that the Rosato plaintiffs seek under the APA are unavailable as a matter of law. Plaintiffs’ Bivens claims should be dismissed because Secretary Nicholson and Deputy Secretary Mansfield have not been properly served in their individual capacity; Bivens claims are in any event precluded by the Privacy Act; injunctive relief is not available under Bivens; and respondeat superior is not a basis for liability under Bivens.

Finally, to the extent that plaintiffs’ Privacy Act claims are not dismissed, summary judgment should be entered in favor of defendants, as the undisputed facts demonstrate that defendants did not willfully or intentionally violate the Act in any of the ways alleged by plaintiffs.

I. PLAINTIFFS’ CLAIMS SHOULD BE DISMISSED FOR LACK OF STANDING

A. Legal Standard

“In reviewing a motion to dismiss for lack of subject-matter jurisdiction under Federal Rule of Civil Procedure 12(b)(1), the court must accept the complaint’s well-pled factual allegations as true and draw all reasonable inferences in the plaintiff’s favor.” Thompson v. Capitol Police Board, 120 F. Supp. 2d 78, 81 (D.D.C. 2000) (citations omitted); see also Vanover v. Hantman, 77 F. Supp. 2d 91, 98 (D.D.C. 1999). “The court is not required, however, to accept inferences unsupported by the facts alleged or legal conclusions that are cast as factual allegations.” Rann v. Chao, 154 F. Supp. 2d 61, 64 (D.D.C. 2001). In addition, “[on] a motion to dismiss pursuant to Rule 12(b)(1), the plaintiff bears the burden of persuasion to establish subject-matter jurisdiction by a preponderance of the evidence.” Thompson, 120 F. Supp. 2d at 81; Vanover, 77 F. Supp. 2d at 98. To determine the existence of jurisdiction, the Court may look beyond the allegations of the complaint, and consider affidavits and other extrinsic information, and ultimately weigh the conflicting evidence. See id. See also Land v. Dollar, 330 U.S. 731, 735 n.4 (1947) (“the court may inquire by declarations or otherwise, into the facts as they exist”); Thompson, 120 F. Supp. at 81 (“In determining whether the plaintiff has met this burden [of establishing subject-matter jurisdiction], the court is sometimes required to look to matters outside of the pleadings.”).

“If a dispute is not a proper case or controversy, the courts have no business deciding it, or expounding the law in the course of doing so.” DaimlerChrysler Corp. v. Cuno, 126 S. Ct. 1854, 1860-61 (2006). Accordingly, “a plaintiff must demonstrate standing for each claim he seeks to press.” Id. at 1867.
To demonstrate standing, “‘[the] plaintiff must allege personal injury fairly traceable to the defendant’s allegedly unlawful conduct and likely to be redressed by the requested relief.’” Id. at 1861 (quoting Allen v. Wright, 468 U.S. 737, 751 (1984)). The injury that the plaintiff alleges must be “concrete and particularized” and “actual or imminent, not conjectural or hypothetical.” Friends of the Earth v. Laidlaw Envtl. Serv. (TOC), Inc., 528 U.S. 167, 180 (2000); see DaimlerChrysler, 126 S. Ct. at 1862 (similarly). Insofar as the Privacy Act is concerned, the Supreme Court has explained that the Privacy Act’s reference to “‘adverse effect’ acts as a term of art identifying a potential plaintiff who satisfies the injury-in-fact and causation requirements of Article III standing, and who may consequently bring a civil action without suffering dismissal for want of standing to sue.” Doe, 540 U.S. at 624.

In this regard, the focus is, of course, on any alleged injury suffered by the named plaintiffs, for the named plaintiffs “must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent.” Warth v. Seldin, 422 U.S. 490, 502 (1975) (emphasis added). In addition, “[w]hile the standard for reviewing standing at the pleading stage is lenient, a plaintiff cannot rely solely on conclusory allegations of injury or ask the court to draw unwarranted inferences in order to find standing.” Baur v. Veneman, 352 F.3d 625, 636-37 (2d Cir. 2003).
Finally, an organization “has standing to bring suit on behalf of its members when: (a) its members would otherwise have standing to sue in their own right; (b) the interests it seeks to protect are germane to the organization’s purpose; and (c) neither the claim asserted nor the relief requested requires the participation of individual members in the lawsuit.” Hunt v. Washington State Apple Advertising Com'n, 432 U.S. 333, 343 (1977); see also Solidarity v. Sessions, 738 F. Supp. 544, 547 (D.D.C. 1990), aff’d on other grounds, 929 F.2d 742 (D.C. Cir. 1991). Applying these principles to the three complaints before the Court, none of the named plaintiffs has pled sufficient facts to establish standing to bring suit.

B. The Organizational Named Plaintiffs in VVA Lack Standing

As noted above, the named plaintiffs in VVA consist of five organizations and four individuals. Presumably, the organizations seek to bring claims on behalf of their members because they could not have suffered any organizational injury as a result of the claims alleged. See VVA Compl. ¶¶ 9-13. However, “the Privacy Act does not confer standing upon organizations on their own or purporting to sue on behalf of their members.” Committee In Solidarity With the People of El Salvador v. Sessions, 738 F. Supp. 544, 547 (D.D.C. 1990); see also 5 U.S.C. § 552a(g)(1) (noting that an “individual may bring a civil action against the agency”) (emphasis added); id. at (a)(2) (defining an “individual” as “a citizen of the United States or an alien lawfully admitted for permanent residence”).

Furthermore, none of the organizations can meet the standard for organizational standing set forth in Hunt. In the first instance, it is clear that plaintiff National Gulf War Resource Center (“NGWRC”) lacks standing because it does not allege that it has any members who are veterans and whose information may have been included on the stolen hard drive.
See VVA Compl. ¶ 11 (NGWRC is a “coalition of more than twenty . . . advocacy groups”). Absent such individual members, NGWRC cannot meet the requirement that “its members would otherwise have standing to sue in their own right.” Hunt, 432 U.S. at 343. Accordingly, all of NGWRC’s claims should be dismissed. While the other organizational plaintiffs at least allege that they have individual members who are veterans (though not necessarily veterans whose data was included on the stolen hard drive, compare VVA Compl. ¶ 9 with id. ¶¶ 10, 12-13), the nature of their claims is such that they fail to meet the third prong of the Hunt test - i.e., that “neither the claim asserted nor the relief requested require the participation of individual members in the lawsuit.” Hunt, 432 U.S. at 343.

[Footnote 10: Nor could these organizational plaintiffs represent a class consisting of individuals whose personal information was included on the hard drive. See National Ass'n of Concerned Veterans v. Secretary of Defense, 487 F. Supp. 192, 198 (D.D.C. 1979) (“The National Association of Concerned Veterans (“NACV”) is equally unfit to represent this proposed class. Because this organization cannot be a member of the proposed class, a fortiori, it cannot represent the class. . . . Here, the NACV is simply not ‘a person . . . adversely affected by a matter required to be published in the Federal Register and not so published.’ 5 U.S.C. § 552(a)(1). . . .”).]

Here, both the claims and the relief require the participation of the individual members (at least insofar as the Privacy Act claims are concerned). As discussed in greater detail below, the Supreme Court has held that “the entitle[ment] to recovery” provided for in the Privacy Act applies “only to plaintiffs who have suffered some actual damages.” Doe, 540 U.S. at 627. 
That is, absent a showing of “actual damages,” an individual “has no cause of action for damages under the Privacy Act.” Id. at 625. Thus, while the Act guarantees a $1,000 minimum damages award to those individuals “entitled to recover[],” such “entitlement” is predicated on a showing of actual damages. Id. at 620-21. And establishing such “actual damages” on behalf of individual members of an organization necessarily “requires the participation of individual members in the lawsuit.” Hunt, 432 U.S. at 343. Accordingly, because a showing of actual damages is necessary for a cause of action under the Privacy Act, and because such a showing is necessarily an individualized showing requiring the participation of the individual alleging such damages, the organizational plaintiffs in VVA lack standing.[fn. 10]

C. The Individual Named Plaintiffs Lack Standing

In addition, the individual named plaintiffs’ claims should also be dismissed because they fail to allege facts demonstrating the injury and causation necessary to establish standing. Plaintiffs make numerous efforts to allege some harm caused by the theft of the hard drive, but they fail to sufficiently plead any actual harm to any individually named plaintiff. For instance, plaintiffs allege that the theft of the hard drive has injured them by putting them at “risk” or under “threat” of identity theft, but do not allege that their identities were stolen or point to particular harms suffered as a result of such alleged theft. Hackett Am. Compl. ¶¶ 6, 26; VVA Compl. ¶¶ 41, 65; Rosato Compl. ¶¶ 35, 38. Such increased “risk” or “threat” of harm, however, is not sufficient to constitute an “actual or imminent,” as opposed to “conjectural or hypothetical” harm. See Friends of the Earth, 528 U.S. at 180. 
Moreover, the hard drive has been recovered since these actions were commenced, and both the FBI and OIG are “highly confident” that the files on the hard drive “were not compromised after the burglary.” OIG Rep’t at ii. Accordingly, plaintiffs would be mistaken to claim that their identities were stolen as a result of the theft of the hard drive. Id.; ID Analytical Letter of November 15, 2006. These allegations, therefore, are insufficient to establish plaintiffs’ standing to pursue these actions. Nor are plaintiffs’ conclusory allegations that the theft of the hard drive injured them by causing them to make expenditures for “credit reports and/or monitoring” sufficient to establish standing. See Hackett Am. Compl. ¶¶ 6, 26; see also VVA Compl. ¶¶ 40-41; Rosato Compl. ¶¶ 35, 38-39. The Hackett amended complaint alleges only that unspecified “Plaintiffs” “have incurred and will incur” unspecified “actual damages” and have “incurred actual damages in purchasing comprehensive credit reports and/or monitoring of their identity and credit.” Hackett Am. Compl. ¶¶ 6, 26 (emphasis added).

[Footnote 11: Nor could incurring expenses for the purchase of a credit report be deemed reasonable under the circumstances. See Doe, 540 U.S. at 626 n. 10 (discussing need for incurred expenses to be “reasonable”). Each of the major credit bureaus is required by law to provide consumers with one free credit report each year, 15 U.S.C. § 1681j(a), and such free reports can easily be requested online, see .]

The VVA complaint alleges simply that “Plaintiffs” have incurred unspecified “pecuniary damages” and that the theft “requires affirmative action by Plaintiffs . . . including obtaining credit watch services.” VVA Compl. ¶¶ 40-41 (emphasis added). The Rosato complaint adopts all of these same allegations verbatim, except that it makes the allegations on behalf of “the Class.” Rosato Compl. ¶¶ 35, 38-39. 
None of the Complaints, therefore, alleges that any specific named plaintiff actually incurred any particular expense as a result of the theft. Indeed, the odd formulation in Hackett and Rosato that the plaintiffs in those cases purchased “credit reports and/or credit monitoring” strongly suggests that the allegations are made on behalf of the purported class, and not the named plaintiffs, since the named plaintiffs would presumably know what, if anything, they paid for. And it certainly would not have been difficult to set forth in the complaints the nature of expenses allegedly incurred by each of the five individual named plaintiffs (e.g., “On [date], plaintiff [name] paid $X to [company] for credit monitoring services.”).[fn. 11] Similarly, the equally odd formulation in VVA asserting that the theft “requires” plaintiffs to take certain “affirmative actions,” including credit monitoring, is a far cry from an allegation that any one of the four individually named plaintiffs actually took such steps and incurred any expenses as a result of the theft. At most, these allegations are precisely the kind of speculative and “conclusory allegations of injury” that are insufficient to establish standing. Baur, 352 F.3d at 636-37. See also Warth, 422 U.S. at 504 (plaintiffs “must allege facts from which it reasonably could be inferred” that conduct complained of caused injury).

[Footnote 12: As discussed below, these allegations of non-pecuniary injury also do not suffice to meet the “actual damages” requirement to state a claim for a Privacy Act violation. See infra § IV.H.]

[Footnote 13: Nor do plaintiffs have standing to bring any claims they might be asserting as a result of the alleged improper delay in publicizing the theft, see, e.g., Hackett Am. Compl. ¶¶ 20-21; VVA Compl. ¶¶ 22-25; Rosato Compl. ¶ 20, as they have alleged no injury whatsoever as a result of this alleged delay.]
The allegations in VVA and Rosato that the theft of the hard drive has caused plaintiffs “embarrassment, inconvenience, unfairness, mental distress, [and] emotional trauma,” VVA Compl. ¶ 40; Rosato Compl. ¶ 38, suffer from the same fatal defect. These allegations do not identify any individually named plaintiff alleged to have so suffered, and do not provide any non-conclusory allegations of the alleged injury (by, for example, describing the nature of the alleged “embarrassment” or “unfairness”).[fn. 12] The need for plaintiffs to make specific allegations of injury is particularly important in these cases because little reason existed in these cases for anyone to be injured. At most, the VA recommended that “all veterans” be “extra vigilant” and “carefully monitor bank statements, credit card statements, and any statements relating to recent financial transactions.” VA FAQ (May 30, 2006) at 1. See Hackett Am. Compl. ¶ 21. In addition, the window of opportunity for injury was narrow. A scant five weeks elapsed between May 22, 2006, when the VA announced the burglary of Mr. Doe’s home, and June 29, 2006, when the FBI announced that the laptop and hard drive had been recovered intact, without apparent, unauthorized third-party access to the VA data stored on the hard drive. In view of these facts, the conclusory allegations of injury that plaintiffs make are insufficient for purposes of standing. These cases should therefore be dismissed.[fn. 13]

II. PLAINTIFFS’ APA CLAIMS SHOULD BE DISMISSED FOR FAILURE TO STATE A CLAIM

As noted above, the plaintiffs in both VVA and Rosato assert claims under the APA. Those claims should be dismissed because plaintiffs have failed to identify any “final agency action” that they challenge and have not alleged any cognizable “legal wrong” necessary to maintain an APA claim. Nor is the relief they seek under the APA available to them. 
The injunctive relief they seek is overbroad and would not, in any event, remedy the alleged injury to plaintiffs, and the damages that the Rosato plaintiffs seek under the APA are unavailable as a matter of law.

A. Background

The APA provides that “[a] person suffering legal wrong because of agency action, or adversely affected or aggrieved by agency action within the meaning of a relevant statute, is entitled to judicial review thereof.” 5 U.S.C. § 702. However, only “[a]gency action made reviewable by statute and final agency action for which there is no other adequate remedy in a court are subject to judicial review.” Id. § 704 (emphasis added). Moreover, a “reviewing court” is only authorized to either (1) “compel agency action unlawfully withheld or unreasonably delayed” or (2) “hold unlawful and set aside agency action, findings, and conclusions” found to be “arbitrary, capricious, an abuse of discretion or otherwise not in accordance with law” or “without observance of procedure required by law.” Id. § 706(1), (2)(A), (D). The VVA and Rosato plaintiffs make several allegations that appear to be grounded in the APA. In the bodies of the complaints, they allege that “[d]efendants’ actions and inactions in failing to report the [alleged] unauthorized disclosure of [the information contained on the hard drive] were arbitrary, capricious and without observance of procedures required by law.” VVA Compl. ¶ 25 (emphasis added); Rosato Compl. ¶ 22 (same). In the sections of the complaints asserting a claim under the APA, they separately allege that “[d]efendants’ actions and inactions in failing to safeguard Plaintiffs’ private information were arbitrary, capricious and otherwise not in accordance with law.” VVA Compl. ¶ 58 (emphasis added); Rosato Compl. ¶ 47 (same); see also VVA Compl. 
¶ 37 (alleging that the VA’s alleged inability to “establish and maintain adequate information security” constitutes an “abuse of discretion” and a “failure to observe procedures required by law.”). Plaintiffs also allege that Secretary Nicholson “is ultimately responsible in his official capacity for safeguarding citizen’s private information under VA control pursuant to applicable laws, including the Privacy Act . . . and the [APA],” VVA Compl. ¶ 57 (emphasis added); Rosato Compl. ¶ 46 (same). Finally, plaintiffs allege that they have suffered harm as a result of unspecified actions of defendants that have allegedly been “improperly withheld or unreasonably delayed.” VVA Compl. ¶ 59 (emphasis added); Rosato Compl. ¶ 48 (same). Plaintiffs in both cases seek equitable relief under the APA, and the Rosato plaintiffs also seek monetary relief. VVA Compl. ¶ 60; Rosato Compl. ¶ 49. The scope of the equitable relief sought by the plaintiffs is breathtaking. The VVA plaintiffs seek an order requiring the VA to identify every VA system of records in the Federal Register and make available such records to the individuals to whom they pertain; an order requiring the VA to identify in the Federal Register every use of every system of records; an injunction prohibiting any VA employee from “accessing, viewing, handling, disclosing, or in any way transferring any record” until “an independent panel of experts finds that adequate information security has been established by the VA,” absent express authorization by the Court; and an injunction against any VA employee removing any device capable of storing any record from VA facilities until the VA has demonstrated that “adequate” information security has been established. VVA Compl. prayer ¶¶ (b)-(e). 
The Rosato plaintiffs seek much of the same relief, and in addition an injunction “preventing Defendants from continuing to operate without appropriate safeguards to ensure the security and privacy of veteran records.” Rosato Compl. prayer ¶¶ (b)-(e). With respect to each aspect of plaintiffs’ APA claims, we explain below why those claims should be dismissed.

B. The APA Claims Based on the Alleged Failure to Timely Report the Theft Should Be Dismissed

As noted above, plaintiffs make allegations in the body of their complaints that defendants’ alleged failures to report properly the theft of the laptop and hard drive “were arbitrary, capricious and without observance of procedures required by law.” VVA Compl. ¶ 25; Rosato Compl. ¶ 22. Presumably, plaintiffs’ complaints are based on the three-week delay between the date of the theft and the date it was publicly announced by the VA. See, e.g., VVA Compl. ¶¶ 22-24; Rosato Compl. ¶¶ 19-21. Plaintiffs do not reference this alleged failure in their APA claims for relief, see VVA Compl. ¶¶ 61-67; Rosato Compl. ¶¶ 44-50, so it is uncertain whether they intend to assert an APA claim based on this alleged failure. Any such claim, however, cannot succeed and should be dismissed. As noted above, the APA provides a cause of action to a person who has “suffer[ed] [a] legal wrong because of agency action.” 5 U.S.C. § 702. Plaintiffs fail to allege any facts demonstrating, or otherwise explaining, how they “suffer[ed] legal wrong” within the meaning of Section 702 because of defendants’ alleged arbitrary, capricious or procedurally improper reporting of the theft. Nor would any such explanation be persuasive. Plaintiffs have not alleged any harm that they suffered in the three-week period before the theft was publicly disclosed that would have been prevented, or even preventable, had defendants “reported” the theft sooner. 
Accordingly, the allegation that defendants violated the APA by failing to report the theft of the hard drive sooner than they did fails to state a claim upon which relief can be granted. Plaintiffs also do not identify or reference the alleged “procedures required by law” to which they refer, and defendants are unaware of any such procedures. Cf. OIG Rep’t at 39 (“The Privacy Act and other information laws do not require reporting incidents.”). This provides an additional basis upon which to dismiss this claim. Finally, plaintiffs lack standing to bring this claim for the additional reason that none of the relief they seek would redress any injury the delayed publication of the theft might have caused. See Florida Audubon Society v. Bentsen, 94 F.3d 658, 663-64 (D.C. Cir. 1996) (en banc) (“Redressability examines whether the relief sought, assuming that the court chooses to grant it, will likely alleviate the particularized injury alleged by the plaintiff.”).

C. The APA Claim Based on Defendants’ Alleged Failure to Properly Safeguard Information Should Be Dismissed

The remainder of the APA allegations in the complaint all relate (or appear to relate) to defendants’ alleged failure to safeguard appropriately either the information contained on the hard drive or VA information more generally. See VVA Compl. ¶¶ 37, 57-59; Rosato Compl. ¶¶ 46-48. In this regard, the complaints speak broadly about the VA’s alleged failure to “establish and maintain adequate information security,” VVA Compl. ¶ 37, its alleged inability to “safeguard[] . . . citizen’s [sic] private information under VA control pursuant to applicable laws,” id. ¶ 57; Rosato Compl. ¶ 46, its alleged failure to “safeguard Plaintiffs’ private information,” VVA Compl. ¶ 58; Rosato Compl. ¶ 47, and alleged but unspecified actions and inactions that have been “improperly withheld or unreasonably delayed.” VVA Compl. ¶ 59; Rosato Compl. ¶ 48. 
These allegations fail to state a claim under the APA because they do not identify any specific “agency action” (or inaction) being challenged. Rather, they challenge, and seek to impose judicial control over, the VA’s general compliance with the Privacy Act’s safeguards (and other) provisions. It is black-letter law, however, that such claims are not cognizable under the APA. It is firmly established that the APA only authorizes judicial review of “agency action,” 5 U.S.C. § 702, as that term is defined in the Act, id. § 551(13) (defining “agency action” as “the whole or a part of an agency rule, order, license, sanction, relief, or the equivalent. . .”), and cannot be used to “seek wholesale improvement of [a government] program by court decree.” Lujan v. National Wildlife Fed’n, 497 U.S. 871, 883 (1990). Rather, “the person claiming a right to sue [under the APA] must identify some ‘agency action’ that affects him in the specified fashion.” Id. at 882 (emphasis added). Put another way, “[u]nder the terms of the APA, [a plaintiff] must direct its attack against some particular ‘agency action’ that causes it harm.” Id. (emphasis added). Thus, in Lujan the Supreme Court held that a challenge to the Bureau of Land Management’s “land withdrawal review program” did not state a claim under the APA because that “program” did not constitute a specific agency action.

The term ‘land withdrawal review program’ . . . does not refer to a single BLM order or regulation, or even to a completed universe of particular BLM orders and regulations. . . . It is no more an identifiable ‘agency action’ - much less a ‘final agency action’ - than a ‘weapons procurement program’ of the Department of Defense or a ‘drug interdiction program’ of the Drug Enforcement Administration.

Id. at 890. A unanimous Supreme Court recently reaffirmed this view in Norton v. Southern Utah Wilderness Alliance, 542 U.S. 
55 (2004), in which the plaintiffs sought to compel the Secretary of Interior to take additional actions with respect to off-road vehicle use, arguing that the failure to take such action amounted to “agency action unlawfully withheld or unreasonably delayed” under Section 706 of the APA. In rejecting APA review in that case, the Court analyzed the definition of “agency action” in the APA and stressed that the five specific actions listed (“rule, order, license, sanction [and] relief”) all “involve circumscribed, discrete agency actions,” id. at 62, and consequently, “agency action” does not include a broad challenge to the manner in which an agency implements its programs, id. at 64. Moreover, citing the Attorney General's Manual on the Administrative Procedure Act, the Court noted that the APA “empowers a court only to compel an agency ‘to perform a ministerial or non-discretionary act,’ or ‘to take action upon a matter, without directing how it shall act.’” Id. at 64. Consequently, the Court concluded that challenges to “[g]eneral deficiencies in [agency] compliance . . . lack the specificity for agency action.” Id. at 66. See also Independent Petroleum Ass’n v. Babbitt, 235 F.3d 588, 595 (D.C. Cir. 2001); Foundation on Economic Trends v. Lyng, 943 F.2d 79, 85-87 (D.C. Cir. 1991); Sierra Club v. Peterson, 228 F.3d 559, 565-69 (5th Cir. 2000) (“Absent a specific and final agency action, we lack jurisdiction to consider a challenge to agency conduct.”). Other than the specific incident of theft that is described in the complaints, plaintiffs have failed to identify an event that has caused them harm. Importantly, the theft in this case was not an agency action; consequently, plaintiffs have failed to identify any “particular agency action that causes them harm,” Lujan, 497 U.S. 
at 882, and the Court therefore lacks jurisdiction to hear their APA claims.[fn. 14]

[Footnote 14: The APA provides a waiver of sovereign immunity in those cases in which it applies. 5 U.S.C. § 702. Absent such an applicable waiver, this Court lacks jurisdiction over defendants. United States v. Mitchell, 445 U.S. 535, 538 (1980); Petroleum Ass’n, 235 F.3d at 594 (requirement of final agency action under APA is “considered jurisdictional”).]

Like the claims at issue in Lujan and Southern Utah, plaintiffs here are not challenging a particular agency decision “or even a completed universe of particular” decisions, Lujan, 497 U.S. at 890 - there is none - but instead are seeking to achieve wholesale judicial review of the VA’s compliance with the safeguards provision of the Privacy Act (see 5 U.S.C. § 552a(e)(10)). An “unwillingness or inability to establish and maintain adequate information security,” VVA Compl. ¶ 37, and an “[i]nab[i]l[ity] or unwilling[ness] to require compliance” with the Privacy Act and other unspecified laws, id., ¶ 57; Rosato Compl. ¶ 46, is no more a “final agency action” subject to review under the APA than the “land withdrawal review program” at issue in Lujan and the alleged failure to act with respect to off-road vehicles at issue in Southern Utah. That plaintiffs are seeking wholesale review of the VA’s compliance with the Privacy Act’s safeguards (and possibly other) provisions is evident both from the manner in which they frame their APA claims and an examination of the relief they seek. 
With respect to the former, as discussed above, the Privacy Act requires agencies to establish “appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained.” Id. § 552a(e)(10). The Act, therefore, does not require a ministerial act, but rather the exercise of discretion by agencies in determining what safeguards are “appropriate” under the circumstances. Yet, plaintiffs’ APA claim is based on nothing more than the generalized allegation that the VA has failed to adopt such “appropriate” safeguards with respect to all Privacy Act protected information in its possession. Thus, for example, plaintiffs assert broadly that the “VA has repeatedly demonstrated an inability or unwillingness to implement . . . fundamental procedures to provide minimally acceptable safeguards for the personal information in its possession.” VVA Compl. ¶ 56 (emphasis added); Rosato Compl. ¶ 45 (same).[fn. 15]

[Footnote 15: Notably, this allegation refers to “personal information” generally, rather than the specific “Personal Information” that was on the stolen external hard drive, as defined in paragraph 20 of the VVA complaint, further demonstrating that what plaintiffs seek is wholesale review of the agency’s compliance with the law, rather than review of any specific agency action.]

Such a claim places in question the entirety of the agency’s compliance with the safeguards provision of the Privacy Act. See also VVA Compl. ¶ 37 (describing failure to establish “adequate information security” as “an abuse of discretion and an intentional and willful failure to observe procedures required by law”). 
Even more telling is the allegation that although Secretary Nicholson “is ultimately responsible . . . for safeguarding citizen’s [sic] private information under VA control pursuant to applicable laws, including the Privacy Act,” he “has been unable or unwilling to require compliance with those laws.” Id. ¶ 57 (emphasis added); Rosato Compl. ¶ 46. The nature of plaintiffs’ claim, therefore, is perfectly straightforward - it is based on the VA’s alleged failure to generally “compl[y] with [applicable] laws” regarding information security - to wit, the Privacy Act. It is precisely such a claim, however - predicated on allegations that an agency has generically failed to comply with applicable law - that is not maintainable under the APA. The breadth of the relief sought by plaintiffs pursuant to their APA claim also demonstrates its impropriety. Plaintiffs ask for a Court order (a) requiring the agency to identify in the Federal Register the existence and character of every system of records maintained by the VA and to make available to any individual every record pertaining to that individual and (b) requiring the agency to identify each use of every system of records. VVA Compl. prayer ¶¶ (b)-(c). With minor differences, these requests for relief essentially ask the Court to order the VA to comply with the Privacy Act. Compare 5 U.S.C. § 552a(e)(4) (requiring listing of systems of records in the Federal Register), (d)(1) (requiring agencies to provide access to records). The fact that the relief sought by plaintiffs is essentially a broad order to comply with the law further demonstrates that their claims are not focused on any specific agency action, but rather constitute a broad attack on the agency’s compliance with the Privacy Act. Accordingly, plaintiffs’ APA claims must be dismissed, as they do not seek judicial review of any final “agency action” as that term is used in the statute. 
In addition, the relief sought by plaintiffs relevant to the safeguarding of information is a court order enjoining the VA from accessing, viewing, handling, disclosing or in any way transferring records subject to the Privacy Act until the agency establishes “adequate information security” and prohibiting agency employees from removing any device capable of storing such information until “adequate information security” is established. VVA Compl. Prayer ¶¶ (d)-(e); Rosato Compl. Prayer ¶¶ (d)-(e). Such an order, however, is not authorized by the APA, which, as discussed above, “empowers a court only to compel an agency ‘to perform a ministerial or non-discretionary act,’ or ‘to take action upon a matter, without directing how it shall act.’” Southern Utah, 542 U.S. at 64.[fn. 16]

[Footnote 16: This limitation on the Court’s powers relates to claims - such as plaintiffs’ - based on an agency’s alleged failure to act. The other provisions of the APA - applicable to claims for review of final agency action - likewise do not provide for the nature of relief sought by plaintiffs. See 5 U.S.C. § 706(2) (authorizing court to “hold unlawful and set aside agency action, findings, and conclusions”).]

This provides yet another reason why these APA claims must be dismissed. Defendants also note that plaintiffs’ allegation with respect to Secretary Nicholson’s alleged failure to safeguard information as required by law, lists the allegedly “applicable laws” as including the APA itself. VVA Compl. ¶ 57; Rosato Compl. ¶ 46. The APA, however, “prescribes the scope of review and remedies available to courts in dealing with administrative agency conduct and does not bestow any substantive rights upon parties to administrative action.” Buckeye Cablevision, Inc. v. United States, 438 F.2d 948, 953 n.2 (6th Cir. 1971). 
By itself, therefore, the APA imposes no obligation on any federal officer or employee to “safeguard citizen’s [sic] private information” and to the extent that plaintiffs’ APA claims are based on such an alleged obligation they must be dismissed for this additional reason as well. Finally, plaintiffs allege in Rosato that they are entitled to damages “for Defendants’ violation of plaintiffs’ rights pursuant to the [APA].” Rosato Compl. ¶ 49. However, “[t]he APA does not confer a substantive right that is enforceable against the United States for money damages.” Norby Lumber Co. v. United States, 46 Fed. Cl. 47, 50 (2000). See also 5 U.S.C. § 702 (authorizing actions “seeking relief other than money damages”). Accordingly, plaintiffs are not entitled to damages under the APA.

III. PLAINTIFFS’ BIVENS CLAIMS SHOULD BE DISMISSED

Plaintiffs in both Hackett and Rosato seek damages and/or injunctive relief under Bivens. Hackett Am. Compl. ¶ 1, prayer ¶ c; Rosato Compl. ¶ 1, prayer ¶ c. These constitutional claims are based on the same facts that form the basis of their other claims: defendants’ alleged failure to properly safeguard, and the alleged improper disclosure of, the personal information on the hard drive. See Hackett Am. Compl. ¶¶ 39-46; Rosato Compl. ¶¶ 53-54. Plaintiffs’ Bivens claims should be dismissed. As an initial matter, plaintiffs have failed to name and/or properly serve the individual defendants. Moreover, even if plaintiffs had properly effected service, plaintiffs’ Bivens claims are precluded by the Privacy Act, Bivens does not provide for injunctive relief, and defendants are entitled to qualified immunity.

A. 
Plaintiffs’ Bivens Claims Should Be Dismissed Because Secretary Nicholson and Deputy Secretary Mansfield Have Not Been Properly Named or Served

“Bivens suits are suits against government officials in their individual, rather than their official, capacities.” Robertson, 895 F. Supp. at 3. Accordingly, “personal jurisdiction over the individual defendants is necessary to maintain a Bivens claim.” Id. Because of this fact, “defendants in Bivens actions must be served as individuals.” Simpkins, 108 F.3d at 369. “Failure, therefore, to perfect service of process is fatal to a Bivens action.” Robertson, 895 F. Supp. at 3. In Hackett, plaintiffs sue Secretary Nicholson and Deputy Secretary Mansfield in both their individual and official capacities. Hackett Am. Compl. ¶¶ 12-13. Plaintiffs have not, however, properly served either defendant in his individual capacity. Instead, plaintiffs had issued for each individual a single summons issued in the individual’s name “officially and individually,” and served that summons via certified mail. See Returns of Service on Secretary Nicholson; Return of Service on Deputy Secretary Mansfield; Saunders Decl. ¶ 4.

[Footnote 17: Pursuant to Fed. R. Civ. P. 4(m), plaintiffs had 120 days after the filing of their complaints to effect personal service on Secretary Nicholson and Deputy Secretary Mansfield. The Rosato complaint was filed on June 21, 2006, and the Hackett complaint was filed on May 30, 2006. Plaintiffs therefore failed to effect personal service within 120 days, and their Bivens claims should also be dismissed for this reason.]

While such service via certified mail is sufficient to effect service on an individual sued in his official capacity, Fed. R. Civ. P. 4(i)(2)(A), it is not proper service on an individual sued in his individual capacity, Fed. R. Civ. P. 4(i)(2)(B) & 4(e). 
Because “failure to perfect service” is “fatal to a Bivens action,” the Bivens claims against Secretary Nicholson and Deputy Secretary Mansfield that plaintiffs make in Hackett should be dismissed. See Robertson, 895 F. Supp. at 3.

In Rosato, plaintiffs sue Secretary Nicholson, but do so exclusively in his official capacity. See Rosato Compl. caption. Because “Bivens suits are suits against government officials in their individual, rather than their official, capacities,” the claim against Secretary Nicholson that plaintiffs make in Rosato should be dismissed for this reason alone. See Robertson, 895 F. Supp. at 3. In any event, plaintiffs in Rosato have also failed to properly serve Secretary Nicholson in his individual capacity, providing yet another basis for dismissal. See Return on Service on Secretary Nicholson in Rosato.[17]

B. Plaintiffs’ Bivens Claims Are Precluded by the Privacy Act

Even if plaintiffs had effected proper service against Secretary Nicholson and Deputy Secretary Mansfield, plaintiffs’ Bivens claims are precluded by the Privacy Act. Bivens “recognized for the first time an implied private action for damages against federal officers alleged to have violated a citizen’s constitutional rights.” Corr. Serv. Corp. v. Malesko, 534 U.S. 61, 66 (2001); see Bivens, 403 U.S. at 397. However, relief is not available under Bivens in cases where “Congress has put in place a comprehensive system to administer public rights, has ‘not inadvertently’ omitted damages remedies for certain claimants, and has not plainly expressed an intention that the courts preserve Bivens remedies.” Spagnola v. Mathis, 859 F.2d 223, 228 (D.C. Cir. 1988) (en banc). The Privacy Act has been held to be a “comprehensive system to administer public rights” within the contemplation of Spagnola. See, e.g., Chung v. U.S. Dep’t of Justice, 333 F.3d 273, 274 (D.C. Cir. 2003).
Accordingly, the Privacy Act precludes relief under Bivens for claims within its purview. Id.; Downie v. City of Middleburg Hgts., 301 F.3d 688, 698-99 (6th Cir. 2002); Clark v. Bureau of Prisons, 407 F. Supp. 2d 127, 131 (D.D.C. 2005); Hatfill v. Ashcroft, 404 F. Supp. 2d 104, 116-17 (D.D.C. 2005). Plaintiffs’ basic complaint in both Hackett and Rosato is that defendants failed to adequately safeguard their personal information and disclosed that information unlawfully. See, e.g., Hackett Am. Compl. ¶¶ 2-3, 5; Rosato Compl. ¶¶ 1-5. Because the Privacy Act is a comprehensive remedial scheme that provides a remedy for the inadequate safeguarding and unlawful disclosure of information, relief under Bivens is unavailable to plaintiffs. See Chung, 333 F.3d at 274; Downie, 301 F.3d at 696; Clark, 407 F. Supp. 2d at 131; Hatfill, 404 F. Supp. 2d at 116; 5 U.S.C. §§ 552a(g)(1)(D) & (g)(4).

C. Injunctive Relief Is Unavailable Under Bivens

In both Hackett and Rosato, plaintiffs seek “reparative injunctive relief under Bivens.” Hackett Am. Compl. prayer ¶ c; Rosato Compl. prayer ¶ c. The Supreme Court, however, has “never considered” the “Bivens remedy” a “proper vehicle for altering an entity’s policy.” Corr. Serv. Corp., 534 U.S. at 74. Rather, “Bivens actions are for damages.” Simpkins v. D.C. Gov’t, 108 F.3d 366, 369 (D.C. Cir. 1997). Accordingly, injunctive relief is not available under Bivens, even though “injunctive relief has long been recognized as the proper means for preventing entities from acting unconstitutionally.” Corr. Serv. Corp., 534 U.S. at 74. Thus, even if plaintiffs’ Bivens claims were not precluded by the Privacy Act, they would not be entitled to the injunctive relief they seek under Bivens.

D.
Qualified Immunity Bars Plaintiffs’ Bivens Claims Against Secretary Nicholson and Deputy Secretary Mansfield

Even if Bivens claims were not precluded by the Privacy Act, qualified immunity protects government officials from suit for allegedly unconstitutional conduct unless they violate “clearly established . . . constitutional rights of which a reasonable person would have known.” Harlow v. Fitzgerald, 457 U.S. 800, 818 (1982). Its purpose is to serve the “strong public interest in protecting public officials from the costs associated with the defense of damages actions” by permitting “insubstantial lawsuits to be quickly terminated.” Crawford-El v. Britton, 523 U.S. 574, 590 (1998); Simpkins, 108 F.3d at 370 (federal courts have a “duty . . . to stop insubstantial Bivens actions in their tracks and get rid of them. Such lawsuits impose undue burdens on the officer being sued, and thus interfere with the operations of the government.”) (citations omitted). Accordingly, “[u]nless the plaintiff’s allegations state a claim of violation of clearly established law, a defendant pleading qualified immunity is entitled to dismissal before the commencement of discovery.” Mitchell v. Forsyth, 472 U.S. 511, 526 (1985).

[18] To the extent that the Secretary and Deputy Secretary are alleged to be personally responsible for the alleged improper delay in publicizing the theft, Hackett Am. Compl. ¶ 20; Rosato Compl. ¶ 21, those allegations simply fail to state a claim for a “clearly established” constitutional violation.

When this “powerful” defense is raised, Eversole v. Steele, 59 F.3d 710, 717 (7th Cir. 1995), a court must engage in a two-step analysis. First, it must determine if the Bivens defendant is alleged to have been personally involved in “a violation of a constitutional right at all.” Siegert v. Gilley, 500 U.S. 226, 232 (1991). If not, then the inquiry is over, and the defendant is entitled to immunity.
Saucier v. Katz, 533 U.S. 194, 201 (2001). The second step of the analysis, which the Court here need not reach given plaintiffs’ failure to allege personal involvement on the part of Secretary Nicholson and Deputy Secretary Mansfield, but which also supports immunity in this case, requires the court to “ask whether the right was clearly established,” Saucier, 533 U.S. at 201, “at the time the defendant acted,” Siegert, 500 U.S. at 232.

In Hackett, plaintiffs sue Secretary Nicholson and Deputy Secretary Mansfield. Hackett Am. Compl. ¶¶ 12-13. In Rosato, they sue Secretary Nicholson. Rosato Compl. ¶ 14. The essence of their complaints against both officials is that they failed to carry out their responsibilities as the leadership of the VA in a manner that plaintiffs deem appropriate. See Hackett Am. Compl. ¶¶ 12-13; Rosato Compl. ¶¶ 2, 14, 36-37, 46. Indeed, the Rosato complaint makes clear that Secretary Nicholson is being sued for his alleged failure to “ensure lawful compliance by his subordinates.” Id. ¶ 37 (emphasis added).[18]

[19] Likewise, the facts as alleged do not state a claim for a violation of a “clearly established” constitutional right. Siegert, 500 U.S. at 232. As discussed above, plaintiffs fail to allege any personal involvement by Secretary Nicholson and Deputy Secretary Mansfield in the alleged illegal conduct at issue in their complaints. Instead, the Rosato complaint merely alleges generally that “Defendant Nicholson failed to properly perform the duties of his position . . . and did not protect the privacy rights of Plaintiffs . . . and failed to institute and enforce procedures mandated by law for the protection of veterans’ and service members’ private and personal information.” Rosato Compl. ¶ 2. Such vague allegations do not suffice to establish violation of a clearly established constitutional right. To the extent that plaintiffs allege that Secretary Nicholson and Deputy Secretary Mansfield “unreasonably delayed reporting the disclosures [stemming from the theft of the hard drive] to law enforcement agencies,” Hackett Compl. at ¶ 20; Rosato Compl. ¶ 21, such allegedly improper delay does not rise to the level of a constitutional violation. Siegert, 500 U.S. at 232 (“A necessary concomitant to the determination of whether the constitutional right asserted by a plaintiff is ‘clearly established’ at the time the defendant acted is the determination of whether the plaintiff has asserted a violation of a constitutional right at all.”).

Additionally, in Bivens cases “there is no vicarious liability,” Anderson v. Cornejo, 355 F.3d 1021, 1028 (7th Cir. 2004), and “Bivens claims cannot rest merely on respondeat superior,” Simpkins, 108 F.3d at 369. Rather, only federal officials “directly responsible” for alleged constitutional violations may be held liable. Corr. Serv. Corp., 534 U.S. at 71. Thus, to overcome qualified immunity, “[t]he complaint must at least allege that the defendant federal official was personally involved in the illegal conduct.” Simpkins, 108 F.3d at 369 (emphasis added). “Bivens claims against [defendants], whose only relationship to the instant litigation is their ultimate supervisory status, must therefore be dismissed.” Robertson v. Merola, 895 F. Supp. 1, 4 (D.D.C. 1995). See also id. at 4 (“Bivens claims” may not be maintained against officials “whose only relationship to the instant litigation is their ultimate supervisory status.”). Accordingly, plaintiffs’ Bivens claims against Secretary Nicholson and Deputy Secretary Mansfield should be dismissed as they fail to allege any such personal involvement.[19]

IV.
PLAINTIFFS’ PRIVACY ACT CLAIMS SHOULD BE DISMISSED FOR FAILURE TO STATE A CLAIM

As discussed above, plaintiffs bring numerous claims under the Privacy Act, alleging violations of the Act’s provisions governing disclosure (§ 552a(b)), accounting (§ 552a(c)(1)), maintenance of records (§ 552a(e)(1)), the collection of information (§ 552a(e)(2)), publication of notices (§ 552a(e)(4)), accuracy (§ 552a(e)(6)), and safeguards (§ 552a(e)(10)). Defendants submit that all of plaintiffs’ Privacy Act claims should be dismissed for numerous reasons. First, all of plaintiffs’ Privacy Act claims should be dismissed because plaintiffs have failed to plead facts from which one could infer an intentional or willful violation of the Act. We then address each of plaintiffs’ claims under the Act, and explain why each such claim (with the exception of the safeguards claim under subsection (e)(10)) should be dismissed for failure to state a claim. In most cases, plaintiffs have failed to plead any non-conclusory facts in support of their Privacy Act claims; rather, they have simply asserted that defendants have violated a provision of the Act without any additional factual allegations. With respect to plaintiffs’ claims regarding disclosure (subsection (b)) and accuracy (subsection (e)(6)), the facts pled simply do not state a claim for violation of the Act. Finally, many of plaintiffs’ claims should be dismissed because there is no rational connection between the injury alleged in the complaints and the alleged violations of the Act. In such cases, plaintiffs cannot demonstrate the requisite “adverse effect”, or, in fact, any “adverse effect” necessary to maintain a claim under the Act, and the claims should be dismissed.
In addition, the claims of those plaintiffs who have not incurred pecuniary loss as a result of the theft should be dismissed because such plaintiffs have not incurred any “actual damages” under the Act. For the Court’s convenience, attached as Exhibit 23 is a chart setting forth, with respect to each of the alleged Privacy Act violations asserted by plaintiffs, which complaint asserts such a claim and where, the applicable bases for dismissal of the claim, and whether defendants have moved for summary judgment with respect to the claim.

A. Plaintiffs’ Privacy Act Claims Should Be Dismissed for Failure To Plead Intentional or Willful Violations of the Act

No plaintiff may obtain an award of damages under the Act unless “the court determines that the agency acted in a manner which was intentional or willful.” 5 U.S.C. § 552a(g)(4). “[This] standard is high.” Clark, 407 F. Supp. 2d at 130. “By requiring a showing that any violation of the Act be willful and intentional, it is clear that Congress intended to reserve civil liability only for those lapses which constituted an extraordinary departure from standards of reasonable conduct.” Kostyu v. United States, 742 F. Supp. 413, 417 (E.D. Mich. 1990). Accordingly, no damages may be awarded under the Act in the absence of a showing “that the agency ‘acted with something greater than gross negligence.’” Deters v. U.S. Parole Comm’n, 85 F.3d 655, 660 (D.C. Cir. 1996) (quoting Tijerina v. Walters, 821 F.2d 181, 189 (D.C. Cir. 1987)). To make such a showing, the plaintiff must demonstrate that the agency acted “‘either by committing the act without grounds for believing it to be lawful, or by flagrantly disregarding others’ rights under the Act.’” Id. (quoting Albright v. United States, 732 F.2d 181, 189 (D.C. Cir. 1984)). Any violation must be “‘so patently egregious and unlawful that anyone undertaking the conduct should have known it unlawful.’” Id.
(quoting Laningham v. U.S. Navy, 813 F.2d 1236, 1242 (D.C. Cir. 1987)). In light of this legal standard, a claim for damages under the Act may be dismissed if “nothing in the complaint permits the inference that the alleged Privacy Act violations were intentional or willful.” Foncello v. U.S. Dep’t of the Army, 2005 WL 2994011, at *4 (D. Conn. Nov. 7, 2005). With respect to all of plaintiffs’ Privacy Act allegations, plaintiffs make no allegations from which one could reasonably infer that any of the myriad alleged failures to act resulted from anyone’s “‘flagrant[] disregard[]’” of “‘others’ rights under the Act.’” See Deters, 85 F.3d at 655 (quoting Albright, 732 F.2d at 189). Accordingly, none of these alleged failures constitutes a basis for the award of damages, and these claims should be dismissed.

B. Plaintiffs Fail to State a Claim for an Improper Disclosure Under the Privacy Act (§ 552a(b))

Plaintiffs allege that defendants made disclosures in violation of the Privacy Act when (i) John Doe obtained access to the information that he ultimately stored on his external hard drive; (ii) he “remov[ed] the data files . . . from the VA facility,” (iii) he transferred the data to his personal hard drive, and (iv) the hard drive was stolen by third parties. Hackett Am. Compl. ¶¶ 2, 19, 36; see VVA Compl. ¶¶ 29-31, 65; Rosato Am. Compl. ¶¶ 5, 16, 24-25. For the following reasons, plaintiffs are mistaken on all counts.

1. Plaintiffs Fail to State a Claim with Respect to John Doe’s Access to the Information

“Under subsection (b) of the Act, 5 U.S.C. § 552a(b), agencies may not ‘disclose any record which is contained in a system of records’ unless certain exceptions apply, id.” McCready 2006 WL 2669375 at *4.
One of the exceptions “expressly permits disclosure of records to agency employees ‘who have a need for the record in the performance of their duties.’” Maydak, 363 F.3d at 521 (quoting § 552a(b)(1)). Plaintiffs allege that John Doe’s access to the information that was ultimately stored on the hard drive that was stolen violated section 552a(b). Yet they allege no facts from which one could infer that Doe did not have a need for the records in the performance of his duties. Rather, the complaints contain only conclusory allegations that Doe’s access to the records violated the Act. See, e.g., Hackett Am. Compl. ¶ 19 (“Doe’s access to ... this information was a disclosure in violation of § 552a(b)”); Rosato Compl. ¶ 16 (same); VVA Compl. ¶ 31 (VA disclosed information to “employees who did not have a need”).

Such “conclusory allegations unsupported by any factual assertions will not withstand a motion to dismiss.” Briscoe v. LaHue, 663 F.2d 713, 723 (7th Cir. 1981). “[I]t is axiomatic that defendants in an action under the Federal Rule of Civil Procedure are entitled to ‘ . . . fair notice of actual wrong, openly stated on the basis of facts asserted.’” Harper v. United States, 423 F. Supp. 192, 196 (D.S.C. 1976) (quoting Spiegler v. Wills, 60 F.R.D. 681, 683 (S.D.N.Y. 1973)). Accordingly, “[n]either the court nor defendants should be required to speculate as to the actions and injuries of which the plaintiff complains.” Id. “These principles are no less applicable in the context of Privacy Act litigation than in any other context.” Id. Where, as here, the allegations consist solely of a “recitation of legal conclusions . . . wholly devoid of facts,” Briscoe, 663 F.2d at 723, dismissal is appropriate. See also Kowal v. MCI Communications Corp., 16 F.3d 1271, 1276 (D.C. Cir. 1994) (“the court need not accept inferences drawn by plaintiffs if such inferences are unsupported by the facts set out in the complaint. Nor must the court accept legal conclusions cast in the form of factual allegations.”) (emphasis added). Because plaintiffs have not alleged any facts from which the Court could reasonably conclude that Doe did not have a need to access these records in the performance of his duties, this aspect of plaintiffs’ disclosure claim should be dismissed.[20]

[20] As discussed below, defendants are also entitled to summary judgment on this claim, as the undisputed facts demonstrate that Doe did, in fact, have a need to access these records in the performance of his duties. See infra § V.A.1.

2. Plaintiffs Fail to State a Claim with Respect to John Doe’s Removal of the Information from the VA

To the extent that the Hackett and Rosato plaintiffs seek to assert a disclosure claim based on John Doe’s “removal of the data files . . . from the VA”, Hackett Am. Compl. ¶¶ 2, 19; Rosato Compl. ¶¶ 5, 16, those claims fail to state a claim for the simple reason that “removing files” from a building does not constitute a prohibited “disclosure” under the Act. That this is so is evident both from the plain language of the Act and from a common sense reading of the term “disclose.” The Act itself provides only that “[n]o agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency,” except as provided for in the Act. 5 U.S.C. § 552a(b) (emphasis added). Removing files from a building simply does not constitute disclosure “to any person” or “to another agency” and is thus not prohibited by the Act.

A common sense definition of the term “disclose” further supports such a plain reading of the Act. “Disclose” is defined to mean, inter alia, “to expose to view” or “to make known or public.” Merriam-Webster’s Collegiate Dictionary at 330 (10th ed. 2002).
Removing electronic records stored on digital media from a building and carrying the media home simply does not constitute “expos[ing]” such records to view or making them “known or public.” See also Harper, 423 F. Supp. at 197 (“While the Act does not specifically define the term ‘disclosure,’ common sense requires that this term be taken to denote the imparting of information which . . . was previously unknown to the person to whom it is imparted.”) (emphasis added). To the extent that plaintiffs purport to state a claim under the Privacy Act based on John Doe’s removal of the records from the VA, therefore, that claim should be dismissed.

3. Plaintiffs Fail to State a Claim with Respect to John Doe’s Transfer of the Records to His Personal Hard Drive

For the same reasons, plaintiffs fail to state a claim for violation of the Privacy Act based on John Doe’s transfer of the records to his personal hard drive. See Hackett Am. Compl. ¶¶ 2, 19; Rosato Am. Compl. ¶¶ 5, 16. Copying records from one digital medium onto another does not constitute a “disclosure” and certainly not a disclosure “to any person” or “to another agency.” Accordingly, no disclosure took place in violation of the Privacy Act when Mr. Doe copied the material onto his personal hard drive.

4. Plaintiffs Fail to State a Claim with Respect to the Theft of the Hard Drive

Nor do the facts alleged with respect to the theft of the hard drive from Mr. Doe’s house state a claim for a disclosure in violation of the Act. The Act provides that “[n]o agency shall disclose” protected information except as authorized. 5 U.S.C. § 552a(b) (emphasis added). The allegation that a “third party” stole hardware containing the information, Hackett Am. Compl. ¶ 2; Rosato Compl. ¶ 5, simply does not state a claim for violation of a statutory provision prohibiting an “agency” from disclosing information.
“When interpreting a statute, [courts] look first to the language,” Richardson v. United States, 526 U.S. 813, 818 (1999), and “where the statutory language provides a clear answer,” the analysis “ends there,” Hughes Aircraft Co. v. Jacobson, 525 U.S. 432, 438 (1999). Here, the language of the Act - which uses the active tense of the verb “disclose” - demonstrates that its prohibition is intended to apply to affirmative acts undertaken by an agency through its employees, and not acts of a third party. See, e.g., Schmidt v. U.S. Dep’t of Veterans Affairs, 218 F.R.D. 619, 630 (E.D. Wis. 2003), on reconsid., 222 F.R.D. 592 (2004) (A “disclosure” under the Act requires “the placing into the view of another information which was previously unknown.”). Indeed, acts of theft by a third party are not ordinarily considered “disclosures” by the victim of the theft. Thus, for example, the victim of a mugging would not be thought to have “disclosed” his credit card information to the thief. Similarly, here, theft of the hard drive containing VA information should not be deemed to be a “disclosure” by John Doe or the VA.

The deterrent purpose of the Act’s civil penalty provisions further supports such a common sense reading of the Act’s language. Providing a civil penalty (with minimum statutory damages) serves as a strong deterrent for improper agency disclosures. Yet there is no deterrent effect on third party thieves who might steal protected information, and it makes no sense to provide for such a penalty based on actions outside an agency’s control.[21]

[21] To the extent that plaintiffs’ claim is based upon agency actions or inactions that resulted in exposing the information to the risk of theft, their claim is properly seen as a safeguards claim under Section 552a(e)(10). Indeed, plaintiffs make just such a claim, as discussed below.

Finally, that the Act provides for civil penalties only when the “agency acted in a manner which was intentional or willful,” 5 U.S.C. § 552a(g)(4), further supports the conclusion that third party conduct cannot form the basis of liability, for such third party conduct cannot have been “inten[ded]” or “will[ed]” by the agency. And, even if a theft might somehow be deemed a “disclosure” by the victim, there is no doubt that such a theft cannot, by definition, constitute an “intentional or willful” disclosure by the agency. The facts as pled, therefore, simply do not state a claim for an intentional or willful violation of the Act’s disclosure provision, as is required to maintain a cause of action under the Act.[22]

[22] As discussed below, defendants are also entitled to summary judgment on this claim, as evidence demonstrates to a high degree of confidence that the information on the hard drive was never accessed and thus never “disclose[d].” See infra § V.A.2.

C. Plaintiffs Fail to State a Claim Based on the Accounting Provisions of the Privacy Act (§ 552a(c)(1))

With certain exceptions, the Privacy Act requires an agency to keep “an accurate accounting” of disclosures it makes from systems of records. 5 U.S.C. § 552a(c)(1). The accounting requirement does not apply, however, to disclosures made pursuant to subsection (b)(1) to an agency employee who has a need for the records in the performance of his duties. Id. § 552a(c)(1) (“except for disclosures made under subsection[] (b)(1)”). As noted above, in VVA and Rosato plaintiffs allege that defendants violated subsection (c)(1) of the Act by “failing to keep or maintain an accurate accounting” of the disclosures allegedly made in violation of Section 552a(b). VVA Compl. ¶ 32; Rosato Compl. ¶ 26. Plaintiffs fail to state a claim for violation of this provision of the Act, however, and their claims should be dismissed.
First, any claim for a violation of subsection (c)(1)’s accounting requirement necessarily requires an antecedent disclosure. That is, there is no obligation to keep an accounting absent a disclosure. As just discussed, however, plaintiffs fail to state a claim for any disclosure in violation of the Act. Their subsection (c)(1) accounting claim must therefore be dismissed. To the extent plaintiffs’ accounting claim is based on the only disclosure that admittedly took place - i.e., the disclosure of the data to John Doe - their claim also fails. As discussed above, plaintiffs fail to state a claim that the disclosure to John Doe does not fall within subsection (b)(1). That is, there are no facts pled from which to conclude that the disclosure to John Doe was not authorized under subsection (b)(1). Such a (b)(1) disclosure, however, is not subject to the accounting requirement. The same pleading deficiency that is fatal to plaintiffs’ disclosure claim with respect to John Doe is thus also fatal to their accounting claim with respect to that disclosure; because plaintiffs have failed to state a claim that the disclosure to John Doe violated subsection (b)(1), and because subsection (c)(1) does not require agencies to retain an accounting of subsection (b)(1) disclosures, plaintiffs likewise fail to state a (c)(1) claim with respect to the disclosure to John Doe.[23]

[23] As noted above, defendants are also entitled to summary judgment with respect to plaintiffs’ disclosure claims insofar as they are based on the disclosure to John Doe. Because plaintiffs’ subsection (c)(1) accounting claims turn on their disclosure claims, summary judgment is also appropriate with respect to the (c)(1) claim. See infra V.B.

Second, plaintiffs’ accounting claims fail because they have failed to plead any facts in support of their claim.
The only statements in the VVA and Rosato complaints relevant to the accounting allegations are the conclusory allegations that defendant “fail[ed] to keep or maintain an accurate accounting of the disclosures of the Personal Information.” VVA Compl. ¶ 32; Rosato Compl. ¶ 26. As discussed above, such conclusory allegations are insufficient to state a claim.

Third, the complaints utterly fail to allege facts with respect to either “adverse effects” or “actual damages” incurred as a result of the alleged accounting violation. Even if the Court were to hold that the general allegations of damages are sufficient to withstand dismissal of all of plaintiffs’ Privacy Act claims, those allegations are logically too remote from any alleged accounting violation to state a claim under the Act. Although plaintiffs conclusorily assert that the alleged accounting violations caused plaintiffs “adverse effects,” VVA Compl. ¶ 32; Rosato Compl. ¶ 26, it is difficult to envision how the alleged failure to maintain an accurate accounting of alleged disclosures of the information - to John Doe, to the hard drive, or to the thieves - could have affected plaintiffs at all. Similarly, it is difficult to understand how any of the alleged damages they supposedly incurred - ranging from “purchasing comprehensive credit reports and/or monitoring of their identity and credit,” Rosato Compl. ¶ 35, to unspecified “pecuniary damages,” VVA Compl. ¶ 40; Rosato Compl. ¶ 38, to “embarrassment, inconvenience, unfairness, mental distress, [and] emotional trauma,” VVA Compl. ¶ 40; Rosato Compl. ¶ 38 - were sustained “as a result of” the alleged failure to keep an accounting, as is necessary to sustain a claim for damages under the Act. 5 U.S.C. § 552a(g)(4)(A). For this reason too, the accounting claims should be dismissed.

D.
Plaintiffs Fail to State a Claim Based on the Agency’s Maintenance of the Information (§ 552a(e)(1))

Both the VVA and the Rosato plaintiffs allege that defendants have violated subsection (e)(1) of the Privacy Act - which requires an agency to “maintain in its records only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required to be accomplished by statute or by executive order of the President” - by “illegally maintaining a database of personal information unrelated to claims for benefits.” VVA Compl. ¶ 3 & see id. ¶ 33; Rosato Compl. ¶ 3 & see id. ¶ 27. This claim suffers from many of the same defects discussed above and should be dismissed. Plaintiffs do not identify the “database of personal information” to which they refer, or plead any other facts in support of this alleged violation of the Act. Assuming they are referring to the data downloaded by John Doe to his hard drive, like their accounting claims, the only relevant allegations in the complaints consist of the conclusory assertions quoting the Act itself and alleging that defendants violated it. VVA Compl. ¶ 33; Rosato Compl. ¶ 27. Accordingly, plaintiffs fail to state a claim under § 552a(e)(1) upon which relief can be granted.[24]

[24] In addition, defendants are entitled to summary judgment on this claim, as the record demonstrates that the information at issue was maintained for an appropriate purpose. See infra V.C.

E.
The VVA Plaintiffs Fail to State a Claim Based on How the Agency Collected the Information at Issue (§ 552a(e)(2))

For many of these same reasons, the VVA plaintiffs fail to state a claim that defendants violated the Act’s requirements that an agency maintaining a system of records “collect information to the greatest extent practicable directly from the subject individual when the information may result in adverse determinations about an individual’s rights, benefits, and privileges under Federal programs.” 5 U.S.C. § 552a(e)(2). See VVA Compl. ¶ 34. As with many of the other alleged Privacy Act violations discussed above, the only allegation in the VVA complaint regarding this claim is one that conclusorily asserts that defendants violated the Act by “failing to collect [the information contained on the hard drive] directly from the subject individuals to the greatest extent practicable.” Compl. ¶ 34. No other facts are pled identifying the basis of the claim. Thus, for example, plaintiffs do not identify what information they believe was obtained from third party sources or who those sources were. Such conclusory pleading is insufficient to state a claim for relief.

Nor is there any logical connection between defendants’ alleged violation of subsection (e)(2) and the general allegations of adverse effect and actual damages in the VVA Complaint. In this regard it is important to note that the purpose of subsection (e)(2) was to “encourage the accuracy of Federal data gathering.” Waters v. Thornburgh, 888 F.2d 870, 874 (D.C. Cir. 1989) (quoting Analysis of House and Senate Compromise Amendments to the Federal Privacy Act, 120 Cong. Rec. 40,405, 40,407 (1974), reprinted in Legislative History of the Privacy Act of 1974, at 991 (1976)). Yet there is no connection between any possible inaccuracies in the information and any harm allegedly suffered by plaintiffs. Indeed, to the extent that plaintiffs’ alleged harm consists of “being placed in fear of identity theft [and] financial fraud,” VVA Compl. ¶ 1, any inaccuracies in the information as a result of a failure to collect the information directly from plaintiffs would only mitigate the likelihood of any damages. Accordingly, the VVA plaintiffs fail to state a claim under subsection (e)(2).

F. The VVA Plaintiffs Fail to State a Claim Based on the Publication of Privacy Act Notices (§ 552a(e)(4))

An agency maintaining a system of records is required to publish a notice of the “existence and character of the system” in the Federal Register. 5 U.S.C. § 552a(e)(4). In VVA, plaintiffs allege that the material downloaded to the hard drive was a system of records for which no notice had been published. VVA Compl. ¶ 35. As with the other claims discussed above, this claim must be dismissed because no non-conclusory facts are pled in support of the claim; the sole allegation in the Complaint related to this claim is the conclusory assertion that defendants violated this provision of the Act. In addition, there is no rational connection between the harms allegedly suffered by plaintiffs and the alleged violation. That is, plaintiffs would have suffered the same “adverse effects” that they allege regardless of whether the VA published a Federal Register notice with respect to the systems of records at issue. This claim, therefore, should be dismissed.[25]

[25] In addition, as discussed below, defendants are also entitled to summary judgment on this claim because Privacy Act notices were in fact published for the information at issue. See infra V.D.

[26] The Rosato plaintiffs also assert that defendants acted improperly by “requiring that veterans’ and service members’ records be maintained and accessed through their individual, private and personal social security numbers or other identifiers that were required by law to be kept confidential.” Rosato Am. Compl. ¶ 3. Such an allegation does not state a claim for violation of the Privacy Act, as the Act does not prohibit agencies from maintaining records accessed by individuals’ Social Security numbers or other personal identifiers. To the contrary,

G. The VVA Plaintiffs Fail to State a Claim Based on the Accuracy of the Information (§ 552a(e)(6))

The VVA plaintiffs also allege that defendants violated subsection (e)(6) of the Act, which provides that “prior to disseminating any record about an individual to any person other than an agency,” an agency shall “make reasonable efforts to assure that such records are accurate, complete, timely, and relevant for agency purposes.” 5 U.S.C. § 552a(e)(6). See VVA Compl. ¶ 36. This claim should be dismissed for several reasons. First, subsection (e)(6) “does not apply when information is disclosed within the agency or to another agency.” Thompson v. Dep’t of State, 400 F. Supp. 2d 1, 21 (D.D.C. 2005). As discussed above, in these cases the sole “disclosure” that took place was a disclosure to Mr. Doe, i.e., a disclosure “within the agency,” and subsection (e)(6) has no applicability here. Second, as with many of their other claims, plaintiffs have pled no non-conclusory facts in support of this allegation; the only assertion in the VVA Complaint with respect to this issue is the conclusory statement that defendants failed to comply with this provision of the Act. Third, there is no rational connection between the harms alleged by plaintiffs and the alleged violation.
To the contrary, as with plaintiffs’ subsection (e)(2) claim, the harms alleged by plaintiffs would be mitigated by any inaccuracies in the information on the stolen hard drive, as such inaccuracies would render it more difficult for someone to commit identity theft with the information. For all of these reasons, the VVA plaintiffs’ subsection (e)(6) claim should be dismissed.26 Case 1:06-mc-00506-JR Document 9 Filed 02/22/2007 Page 69 of 86 the Act seeks to regulate, and thus implicitly condones, agencies’ maintenance and use of “systems of records,” a term expressly defined by the Act to mean “a group of any records . . . from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.” 5 U.S.C. § 552a(a)(5). Indeed, no agency would be able to retrieve information pertaining to a particular individual without using “the name of the individual or . . . some identifying number, symbol, or other identifying particular assigned to the individual.” Plaintiffs’ allegation is therefore without merit. 54 H. Plaintiffs’ Privacy Act Claims Should Be Dismissed to the Extent they Are Based on Non-Pecuniary Damages In Doe v. Chao, 540 U.S. 614 (2004), the Court held that “an individual subjected to an adverse effect has injury enough to open the courthouse door, but without more has no cause of action for damages under the Privacy Act.” 540 U.S. at 624-25. Accordingly, the Court held that “the statute guarantees $1,000 only to plaintiffs who have suffered some actual damages.” Id. at 627. The Court left for another day the question of whether the term “actual damages” includes “demonstrated mental anxiety even without any out-of-pocket loss.” Id. at 627 n.12. Since Doe was decided, courts have split over the suitability of non-pecuniary injuries as a basis for damages under the Act. See, e.g., Hatfill v. Ashcroft, et al., 03-1793 (RBW) (D.D.C.) 
(unpublished September 8, 2006 Order denying, without separate opinion, defendants’ motion to preclude non-pecuniary damages); Montemayor v. Fed. Bureau of Prisons, 2005 WL 3274508, at *5 (D.D.C. Aug. 25, 2005) (holding non-pecuniary injuries to be appropriate as a basis for damages); Boyd v. Snow, 335 F. Supp. 2d 28, 39 (D.D.C. 2004) (same); Schmidt v. VA, 222 F.R.D. 592, 594 (E.D. Wis. 2004) (holding “pecuniary loss” to be the only permissible basis for damages under the act). See also DiMura v. Federal Bureau of Investigation, 823 F. Supp. 45, 47-48 (D. Mass. 1993) (because Privacy Act is a waiver of sovereign immunity and it is “plausible” to read the term “actual damages” to refer only to pecuniary damages, this reading must be adopted); Pope v. Bond, 641 F. Supp. 489, 501 (D.D.C. 1986) (“‘[A]ctual damages’ does not include damages for emotional trauma, anger, fright, or fear.”).[27] For two reasons, non-pecuniary injuries should not be considered a suitable basis for damages.

[27] Prior to Doe, the D.C. Circuit declined to rule on this issue, and it remains undecided in this Circuit. See Tomasello v. Rubin, 167 F.3d 612, 618 n. 6 (D.C. Cir. 1999); Albright v. U.S., 732 F.2d 181, 185-86 (D.C. Cir. 1984). Two of the three Circuit Courts that have ruled on the issue held that only pecuniary losses qualify as actual damages under the Act. Hudson v. Reno, 130 F.3d 1193, 1207 & n.11 (6th Cir. 1997); Fitzpatrick v. IRS, 665 F.2d 329, 331 (11th Cir. 1982). But see Johnson v. Dep’t of Treasury, 700 F.2d 971, 972 (5th Cir. 1983). Johnson failed to address the sovereign immunity argument set forth below.

First, the provision of the Act permitting the recovery of damages, 5 U.S.C. § 552a(g)(4), “is a waiver of sovereign immunity and, as such, ‘must be construed strictly in favor of the sovereign, and not enlarge[d] . . . beyond what the language requires.’” Tomasello v. Rubin, 167 F.3d 612, 618 (D.C. Cir. 1999) (quoting United States v. Nordic Village, Inc., 503 U.S. 30, 34 (1992)). See Galvan v. Federal Prison Indus., Inc., 199 F.3d 461, 464 (D.C. Cir. 1999) (“So long as a statute supposedly waiving immunity has a plausible non-waiver reading, a finding of waiver must be rejected.”) (internal quotation marks and citation omitted). Accordingly, “to the extent there may be ambiguity concerning whether the term ‘actual damages’ includes emotional distress as well as a pecuniary loss, the ambiguity must be resolved by construing the term narrowly.” Schmidt, 222 F.R.D. at 594. See also Hudson, 130 F.3d at 1207 n.11 (applying “bedrock principle” of narrow construction of waivers of sovereign immunity to conclude that “actual damages” must be “narrowly interpreted” to cover only pecuniary losses); DiMura, 823 F. Supp. at 47-48 (same).

The Court’s analysis should end here, given the lack of an express waiver of sovereign immunity in the Privacy Act for non-pecuniary damages. See Lane v. Pena, 518 U.S. 187, 192 (1996) (“A statute’s legislative history cannot supply a waiver that does not appear clearly in any statutory text; the ‘unequivocal expression’ of elimination of sovereign immunity that we insist upon is an expression in statutory text”) (internal quotation marks and citation omitted). Nonetheless, the legislative history also supports defendants’ position that the non-pecuniary damages are precluded under the Privacy Act. Section 552a(g)(4) was a legislative compromise. The Senate bill that ultimately became the Privacy Act “would have authorized an award of ‘actual and general damages.’” Doe, 540 U.S. at 623 (emphasis supplied). However, “the provision for general damages” was “trimmed from the final statute,” and Congress “left the question of general damages” for “another day.” Id. at 622, 623.
Anticipating further consideration of the issue, Congress included provisions in the Privacy Act establishing a commission, the Privacy Protection Study Commission, and directing the commission to study “whether the Federal Government should be liable for general damages incurred by an individual as the result of a willful or intentional violation [of the Act].” Pub. L. No. 93-579, §§ 5(a)(1) & (c)(2)(B)(iii), 88 Stat. 1896, 1905, 1907 (1974). The Commission issued its report in July 1977, concluding first that nothing could be accomplished by analyzing the term “actual damages” because “there is no generally accepted definition of ‘actual damages’ in American law.” Personal Privacy in an Information Society: The Report of the Privacy Protection Study Commission 530 (May 1977) (“Commission Report”). The Commission also concluded on the basis of “[t]he legislative history and language of the Act . . . that Congress meant to restrict recovery to specific pecuniary losses until the Commission could weigh the propriety of extending the standard of recovery.” Id. (emphasis added); accord 120 Cong. Rec. 36,659, 36,956 (1974) (Rep. Eckhardt) (defending an amendment that would have awarded “actual damages” for any violation of the Act on the ground that such damages still would be limited to “actual out of pocket expenses”). Believing that “recovery for intangible injuries” should be permitted, the Commission recommended that the Act be amended to permit “the recovery of special and general damages sustained by an individual as a result of a violation of the Act.” Commission Report at 531. To date, Congress has not responded. See Doe, 540 U.S. at 636 (Ginsburg, J., dissenting) (“Congress did not endorse massive recoveries” when it enacted the Privacy Act).
Indeed, the Eleventh Circuit, in holding that the Privacy Act does not allow for non-pecuniary damages, recognized the significance of Congress’s rejection of a “general damages” remedy. See Fitzpatrick, 665 F.2d at 329-31.

In cases where an agency is authorized “to elucidate a specific provision of [a] statute,” the elucidation that the agency provides is entitled to “controlling weight” unless the elucidation is “arbitrary, capricious, or manifestly contrary to the statute.” Chevron, U.S.A., Inc. v. Natural Res. Def. Council, 467 U.S. 837, 844 (1984). This principle applies here. When Congress enacted the Privacy Act, it created the Privacy Protection Study Commission and directed the commission to study whether the government should be liable for non-pecuniary damages under the Act. Pub. L. No. 93-579, § 5(c)(2)(B)(iii). The Commission concluded that “Congress meant to restrict recovery to specific pecuniary losses until the Commission could weigh the propriety of extending the standard of recovery.” Commission Report at 530. This conclusion was not “arbitrary, capricious, or manifestly contrary to the statute.” See Chevron, 467 U.S. at 844. To the contrary, it was the only plausible explanation for the Commission’s having been asked by Congress to look at the issue of non-pecuniary damages in the first place. Accordingly, the conclusion of the Commission that recovery for non-pecuniary damages is not permitted by the Act is entitled to great, if not “controlling[,] weight.” See id. Accordingly, no plaintiff whose injury was exclusively non-pecuniary would be entitled to damages under the Act, and the claims of any such plaintiffs should be dismissed.[28]

[28] Nor are plaintiffs entitled to any injunctive relief under the Privacy Act. “The Privacy Act expressly provides for injunctive relief for only two types of agency misconduct, that is, wrongful withholding of access to documents under subsection (d)(1) and wrongful refusal to amend an individual’s record under subsection (d)(3).” Clarkson v. IRS, 678 F.2d 1368, 1375 n.11 (11th Cir. 1982). See also Doe, 540 U.S. at 635 (Ginsburg, J., dissenting) (“Injunctive relief . . . [is] available under the Act in two categories of cases”). “The remedy for violations of all other provisions of the Act is limited to recovery of damages upon a showing that the agency acted in an intentional or willful manner.” Clarkson, 678 F.2d at 1375 n.11. In these cases, plaintiffs allege that defendants have violated numerous provisions of the Privacy Act but do not allege that they have violated subsection (d)(1) or (d)(3). Accordingly, plaintiffs are not entitled to the injunctive relief that they seek.

V. DEFENDANTS ARE ENTITLED TO SUMMARY JUDGMENT ON ANY PRIVACY ACT CLAIMS NOT DISMISSED

A. Defendants Are Entitled to Summary Judgment on Plaintiffs’ Disclosure Claims (§ 552a(b))

1. John Doe Properly Had Access to the Information at Issue

As discussed above, plaintiffs allege that John Doe’s access to the information he ultimately copied onto his personal hard drive constituted an unauthorized disclosure under the Act. The Act, however, expressly permits disclosure of records to agency employees “who have a need for the record in the performance of their duties.” 5 U.S.C. § 552a(b)(1). We argue above that plaintiffs have failed to plead facts sufficient to state a claim that Doe’s access was improper. In the event that the Court declines to dismiss this aspect of plaintiffs’ disclosure claim, it should enter summary judgment in favor of defendants, as the undisputed facts demonstrate that Mr. Doe’s access to the information was proper.

As set forth in the OIG Report, the material that John Doe accessed and ultimately copied onto his hard drive included “large record extracts” from the C&P File and BIRLS. OIG Rep’t at 3. Because Mr.
Doe was “responsible for planning and designing analytical projects and supporting surveys involving all aspects of VA policies and programs, he was authorized access to, and use of, these and other large VA databases.” Id. (emphasis added); Tran Decl. ¶ 4; Moore Decl. ¶¶ 3-5. Mr. Doe used the material that he downloaded to the hard drive to do such things as try to identify the veterans who had been exposed to mustard gas during World War II. OIG Rep’t at 6; Tran Decl. ¶¶ 3-4. He was assigned to this project by one of his project managers. OIG Rep’t at 6; see also Tran Decl. ¶¶ 3-4. He also used the material that he downloaded to the hard drive to try to determine the reliability of the NSV for 2001. OIG Rep’t at 5; Moore Decl. ¶¶ 3-5. This project was one that his second-tier supervisor, Mr. McLendon, described as “a legitimate work effort.” OIG Rep’t at 6. In addition, the duties of Mr. Doe within OPP&P included “providing computer specialist expertise to support the administration of the NSV and to support a program of research to continually enhance the veteran survey program.” OIG Rep’t at 4; Moore Decl. ¶¶ 3-5 and attachment thereto (describing John Doe’s position and skills).

In view of the foregoing, the material that Mr. Doe downloaded to the hard drive was material for which he “[had] a need . . . in the performance of [his] duties.” See 5 U.S.C. § 552a(b)(1). See Moore Decl. ¶¶ 3-5; Tran Decl. ¶¶ 3-4. Accordingly, no disclosure took place in violation of the Privacy Act when Mr. Doe obtained access to that material, and defendants are entitled to summary judgment on this claim.

2. The Theft of the Hard Drive Did Not Result in the Disclosure of the Information at Issue

As explained above, to the extent that plaintiffs’ disclosure claims are based upon the theft of Mr. Doe’s hard drive, those claims should be dismissed, as theft by a third party cannot constitute a “disclosure” by an “agency” prohibited by the Act. In addition, defendants are entitled to summary judgment on plaintiffs’ disclosure claim insofar as it is based on the theft of the hard drive, as the undisputed facts demonstrate that the information at issue was never transferred to the possession and control of someone outside the VA, and thus not disclosed. As the OIG Report makes clear, both “the FBI and OIG are highly confident that the files on the external hard drive were not compromised after the burglary.” OIG Rep’t at ii; see also November 15, 2006 ID Analytical Letter. Because the files were never accessed, the information was never disclosed to the thieves or “to any [other] person, or to another agency.” 5 U.S.C. § 552a(b). Accordingly, no disclosure of the information took place when the hard drive was stolen, and defendants are entitled to summary judgment on this aspect of plaintiffs’ disclosure claims as well.

B. Defendants Are Entitled to Summary Judgment on Plaintiffs’ Accounting Claims (§ 552a(c)(1))

As discussed above, plaintiffs’ claims under subsection (c)(1) of the Act should be dismissed because there was no disclosure of information necessitating an accounting under subsection (c)(1). To the extent the Court declines to dismiss these claims, defendants are entitled to summary judgment on these claims. As explained above, Mr. Doe had a need for access to the information he stored on his hard drive for the performance of his duties, and subsection (c)(1)’s accounting requirement does not apply to disclosures to agency employees who have such a need. 5 U.S.C. § 552a(b)(1), (c)(1); see also Moore Decl. ¶¶ 3-5, and attachment thereto; Tran Decl. ¶¶ 3-4. The disclosure to Mr. Doe, therefore, cannot form the basis of a claim under subsection (c)(1).
Moreover, in light of the fact that the data on the hard drive was not accessed after the theft, the theft of the hard drive by itself did not constitute a disclosure, and the theft also cannot form the basis for a subsection (c)(1) accounting claim. Accordingly, defendants are entitled to summary judgment on these claims.

C. Defendants Are Entitled to Summary Judgment on Plaintiffs’ Maintenance Claims (§ 552a(e)(1))

As discussed above, plaintiffs’ claims that defendants “illegally maintain[ed] a database of personal information unrelated to claims for benefits” in violation of subsection (e)(1) of the Act should be dismissed. In the alternative, defendants are entitled to summary judgment on these claims.

As the OIG Report makes clear, the information at issue consisted of extracts from the C&P File and from BIRLS. OIG Rep’t at 6. The C&P File is maintained by the VA “in order to enable it to administer the[] statutory benefits programs” the agency is responsible for administering. GPO Notice for C&P File at 3. The statutory authority for the maintenance of the C&P File as set forth in the Federal Register Notice for this system of records is 38 U.S.C. § 501(a) and Chapters 11, 13, 15, 18, 23, 30-32, 34-36, 39, 51, 53, 55. GPO Notice for C&P File at 2. BIRLS is used by VA, among other purposes, “to determine the location of a veteran’s file or to record a veteran’s death.” OIG Rep’t at 3. The statutory authority for the maintenance of the BIRLS system of records is 38 U.S.C. § 501(a).[29]

[29] The GPO Notice for BIRLS lists the statutory authority for the maintenance of the system as 38 U.S.C. § 210(c)(1). GPO Notice for BIRLS at 1. That was the original authority for the system of records when the first Privacy Act notice for the system was promulgated in 1975. See 40 Fed. Reg. 38112. Section 210 was repealed in 1991, when section 501 was promulgated. See Pub. L. No. 102-83 (Aug. 6, 1991), § 2(a). The current section 501(a) provides the same authority as former section 210(c)(1). Compare 38 U.S.C. § 210(c)(1) (1975) with 38 U.S.C. § 501(a) (2006).

In addition, as noted above, OPP&P manages a VA system of records known as the PERD Records, which consists of extracts from other VA systems of records, for the purpose of “evaluat[ing] on a continuing basis the effectiveness of all programs authorized under Title 38” of the United States Code (relating to Veterans Affairs). 66 Fed. Reg. 29633, 29634-35. That, of course, is precisely what Mr. Doe was doing with the records here at issue. See Moore Decl. ¶¶ 3-5; Tran Decl. ¶¶ 3-4. The statutory authority for the PERD Records is 38 U.S.C. § 527(b) (which authorizes the Secretary to “collect, collate, and analyze on a continuing basis full statistical data regarding . . . all programs carried out under this title”). Id. at 29634.

Clearly, each of these databases was appropriately maintained by the VA “to accomplish a purpose of the agency required to be accomplished by statute.” Id. § 552a(e)(1). Accordingly, defendants are entitled to summary judgment on plaintiffs’ subsection (e)(1) claims.

D. Defendants Are Entitled to Summary Judgment on the VVA Plaintiffs’ Publication Claim (§ 552a(e)(4))

An agency maintaining a system of records is required to publish a notice of the “existence and character of the system” in the Federal Register. 5 U.S.C. § 552a(e)(4). In VVA, plaintiffs allege that the material downloaded to the hard drive was a system of records for which no notice had been published. VVA Compl. ¶ 35. Plaintiffs are mistaken. As just discussed, the hard drive contained “large record extracts” from the C&P File and from BIRLS. OIG Rep’t at 6. Such extracts are maintained by OPP&P in the PERD Records. 66 Fed. Reg. at 29634-35.
A notice for the PERD Records was published in the Federal Register on May 31, 2001. 66 Fed. Reg. 29633. In addition, a notice for the C&P File was published in the Federal Register on March 3, 1976, 41 Fed. Reg. 9294, and a notice for BIRLS was published in the Federal Register on August 26, 1975, 40 Fed. Reg. 38112. Because the VA properly published notices describing the “existence and character” of the systems of records at issue, defendants are entitled to summary judgment on this claim.

E. Defendants Are Entitled to Summary Judgment on Plaintiffs’ Safeguards Claims (§ 552a(e)(10))

Agencies that maintain systems of record are required by 5 U.S.C. § 552a(e)(10) to “establish appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records.” Plaintiffs allege in these actions that defendants failed to establish the safeguards that § 552a(e)(10) requires. Hackett Am. Compl. ¶ 3; VVA Compl. ¶¶ 4, 37; Rosato Compl. ¶ 8. As discussed above, plaintiffs’ safeguards claims should be dismissed because they lack standing and have failed to allege facts demonstrating a willful or intentional violation of the Act. In the event these claims are not dismissed, summary judgment should be entered for defendants.

Section 552a(e)(10) was never intended to place an onerous burden on agencies. When the Privacy Act was enacted, Congress refrained from prescribing “in this subsection or in this Act a general set of specific technical standards for security of systems.” S. Rep. No. 93-1183, at 54 (1974), reprinted in 1974 U.S.C.C.A.N. 6916, 6969. Instead, it directed each agency “merely . . . to establish those administrative and technical safeguards which it determines appropriate and finds technologically feasible for the adequate protection of the particular information it keeps.” Id.
Endorsing the notion that “the term ‘appropriate safeguards’ should incorporate a standard of reasonableness,” Congress enacted a statute that “thus provides reasonable leeway for agency allotment of resources to implement this subsection. At the agency level, it allows for a certain amount of ‘risk management’ whereby administrators weigh the importance and likelihood of the threats against the availability of security measures and the consideration of cost.” S. Rep. No. 93-1183, at 54, 55 (1974), reprinted in 1974 U.S.C.C.A.N. 6916, 6969.

Consistent with the legislative intent, “[t]he Privacy Act does not make administrative agencies guarantors of the integrity and security of materials which they generate,” much less authorize the federal courts to act as “micro-managers” of agencies’ “records practices.” Kostyu, 742 F. Supp. at 417. Instead, “the agencies are to decide for themselves how to manage their record security problems, within the broad parameters set out by the Act.” Id. In doing so, “the agencies have broad discretion to cho[o]se among alternative methods of securing their records commensurate with their needs, objectives, procedures, and resources.” Id. So long as the precautions adopted by an agency are “within the range of reasonableness defined by Congress,” the courts lack the authority to second guess the decision that an agency makes in providing a particular level of security for a particular record. Id.

In these cases, the Privacy and Security Courses described above contained safeguards meeting the requirements of § 552a(e)(10). Mr. Doe was aware of those safeguards because he completed the Privacy and Security Courses shortly before his home was burglarized. See Williams Decl., Exh B; Wallace Decl., Exh B.
The Privacy Course informed him that it was his responsibility as an employee of the VA to “[r]ecognize personal information in whatever form it appears,” “[u]nderstand what causes a breach of privacy,” “[u]nderstand what can be done to protect privacy,” and “[p]revent use by, or disclosure to, unauthorized persons.” Wallace Decl., Exhibit A at 8. The course also notes penalties for improper disclosure of private data. Id. at 22. Reinforcing the message of the Privacy Course, the Security Course told him that he had a “personal responsibility” to ensure “the confidentiality, integrity, and appropriate availability of veterans’ private data.” Williams Decl., Exhibit A at 7. It explained to him what a “strong” password was and informed him that the “VA requires strong passwords on all information systems.” Id. at 10, 12. It also instructed him that backup storage media such as diskettes, zip disks, CDs, and tapes should be “lock[ed] away . . . in a secure area if [they] contain[] sensitive data,” and noted that “[p]rivate and uncontrolled media from back ups may present a security risk if left unprotected or in places where access to them is unrestricted. Great care is taken to manage and protect data while it is on the VA network but all this can be for nothing if the back up media is unprotected.” Id. at 20-21. Mr. Doe was warned again to “store your back ups in a safe and secure place,” id. at 21, and that “the same computers that help us serve veterans can also be used for theft and fraud” because “[t]hey can be stolen and vandalized.” Id. at 32. It prefaced all of these remarks by telling him: “[W]hile the information you review in this course is specific to [the VA], many of the principles which are discussed are also relevant to you as an individual computer user.” Id. at 7.
In hindsight, it might have been wise for the VA to have supplemented the above safeguards by advising its employees that large extracts from VA systems of records ought not to be removed from VA facilities, even for work at home, unless extraordinary precautions are taken. However, “[n]o law can cover all possible situations,” Contract Cartage Co. v. Morris, 59 F.2d 437, 446 (E.D. Ill. 1932) (3-judge ct.); accord Young v. Julian, 97 F. Supp. 370, 374 (D. Del. 1951). To the contrary, “‘[i]t would be almost impossible to state in an ordinance or law every condition or set of circumstances wherefrom an emergency might be said to arise or exist.’” Contract Cartage, 59 F.2d at 446 (quoting City of Chicago v. Marriotto, 163 N.E. 369, 370 (Ill. 1928)). Similarly, an agency implementing “appropriate” safeguards under the Act cannot possibly conceive of, and protect against, all possible scenarios by which its information might be compromised. What is crucial is that an agency consider “the wisdom of its policy on a continuing basis” and make changes as circumstances dictate. See Chevron, U.S.A., Inc. v. Natural Res. Def. Council, 467 U.S. 837, 864 (1984).

Even assuming, arguendo, that the VA ought to have adopted additional safeguards, the safeguards that it did adopt were well within “the range of reasonableness defined by Congress.” See Kostyu, 742 F. Supp. at 417. The Security Courses instructed that files be password protected and stored in a secure location. Williams Decl., Exhibit A at 10-12, 20-21. Password protection and secure storage would have reduced the likelihood of the hard drive being stolen and, if it was stolen, the likelihood of its contents being accessed. Because the VA adopted “reasonable” safeguards for the information at issue, defendants are entitled to summary judgment on plaintiffs’ safeguards claims.

In these cases, Mr.
Doe sought to help veterans by taking work home, e.g., to identify service members exposed to mustard gas and to help ensure the reliability of the NSV. OIG Rep’t at 5; see also Tran Decl. ¶¶ 3-4; Moore Decl. ¶ 3. Even assuming, arguendo, that he acted negligently or imprudently when he failed to put a password on the hard drive or to lock it away when he was not using it, he did not commit any act that was “‘so patently egregious and unlawful that anyone undertaking the conduct should have known it unlawful.’” See Deters, 85 F.3d at 660 (quoting Laningham v. U.S. Navy, 813 F.2d 1236, 1242 (D.C. Cir. 1987)). The same applies to the safeguards for the protection of information that the VA adopted. Even assuming, arguendo, that additional safeguards would have been advisable, “[p]eople often fail to foresee disasters of a kind that have not yet occurred and to take effective precautions against them, and ordinarily such lack of foresight is at worst negligence.” Duckworth v. Franzen, 780 F.2d 645, 654 (7th Cir. 1985) (Posner, J.). Because the award of damages under the Act requires “‘something greater than gross negligence,’” no basis for any such award exists here. See Deters, 85 F.3d at 660 (quoting Tijerina, 821 F.2d at 189).[30]

[30] Although the factual findings found in the OIG report are admissible evidence, see Federal Rule of Evidence 803(8), to the extent the OIG report concluded that the VA’s data safeguard policies and procedures were lacking, OIG Rep’t at 27-42, the OIG’s conclusions are not relevant to whether the VA’s safeguards were “appropriate” for purposes of the Privacy Act. § 552a(e)(10).

Ignoring these considerations, plaintiffs allege in Hackett and Rosato that defendants knew or should have known that the VA safeguards were inadequate because, “[i]n 2003, a study conducted by the General Accounting Office (GAO) gave the VA a failing grade for its computer security practices.” Hackett Am. Compl. ¶ 22; Rosato Compl. ¶ 28. However, no such study is posted on the GAO website, even though the website contains GAO reports dating from “Pre-1970.” See http://www.gao.gov/ (Sept. 8, 2006). In addition, no such study appears on the list of “[GAO] Products Related to VA Information Security” that GAO published after the hard drive was stolen. GAO-06-866T (attached hereto as Exhibit 24) at 30-31.

GAO did issue a report, dated January 2003, in which it said that the VA “need[ed] to implement appropriate security measures to ensure that financial, health care, and benefits payment information is not at risk of inadvertent or deliberate misuse, fraud, improper disclosure, or destruction.” GAO-03-110 (attached hereto as Exhibit 25) at 32. This report, however, focused exclusively on the “information security management plan” that the VA had adopted in 2000 “to provide a framework for addressing long-standing department-wide computer security weaknesses.” Id. The report did not criticize the VA for its lack of attention to employees who might wish to take data home for the purpose of conducting agency business that they did not have time to complete at the office.

Plaintiffs also allege in Hackett and Rosato that defendants knew or should have known that VA safeguards were inadequate because, “[i]n March 2006, the United States House of Representatives Committee on Government Reform gave the VA an ‘F’ in its annual report card relating to information security.” Hackett Am. Compl. ¶ 22; Rosato Compl. ¶ 28. Plaintiffs are mistaken. Purporting to “examine the status of agency compliance with the Federal Information Security Management Act (FISMA),” Pub. L. No. 107-296, tit. X, 116 Stat. 2259 (2002), the report card gave seven cabinet departments, including the VA, an “F” in “computer security” for 2005. Statement by Congressman Davis (Mar. 16, 2006) (attached hereto as Exhibit 26) at 1, 3.[31] However, the elements used to formulate the grades were “Annual Testing,” “Plan of Action and Milestones,” “Certification and Accreditation,” “Configuration Management,” “Incident Detection and Response,” “Training,” and “Inventory.” Id. at 6-9. Accordingly, the issuance of the grades did nothing to warn the VA that it had failed to adopt adequate safeguards to cover employees, like Mr. Doe, who might wish to work from home.

[31] FISMA was adopted in 2002 to replace certain legislation, adopted in 2000, that contained a sunset provision. H.R. Rep. No. 107-202, pt. 1, at 54 (2001), reprinted in 2002 U.S.C.C.A.N. 1880, 1889. The purposes of FISMA were to “permanently authorize a government-wide risk-based approach to information security” by eliminating the sunset provision and to “further strengthen Federal information security by requiring compliance with minimum mandatory management controls for securing information and information systems, clarifying and strengthening current management and reporting requirements, and strengthening the role of National Institute of Standards and Technology.” Id.

For all of these reasons, defendants are entitled to summary judgment on plaintiffs’ safeguards claims.

CONCLUSION

For the foregoing reasons, defendants’ motion to dismiss or, in the alternative, for summary judgment should be granted.

Dated: February 22, 2007.

Respectfully submitted,

PETER D.
KEISLER Assistant Attorney General JEFFREY A. TAYLOR United States Attorney _________/s/___________________________ ELIZABETH J. SHAPIRO, DC Bar 418925 ORI LEV, DC Bar 452565 HEATHER R. PHILLIPS, CA Bar 191620 DAVID M. GLASS, DC Bar 544549 Attorneys, Department of Justice 20 Mass. Ave., N.W., Room 7140 Washington, D.C. 20044 Tel: (202) 514-4469/Fax: (202) 616-8470 E-mail: david.glass@usdoj.gov Attorneys for All Defendants Except John Doe in His Individual Capacity Case 1:06-mc-00506-JR Document 9 Filed 02/22/2007 Page 85 of 86 UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA ____________________________________ In Re: DEPARTMENT OF VETERANS ) AFFAIRS (VA) DATA THEFT ) LITIGATION ) ____________________________________) Misc. Action No. 06-0506 (JR) ) MDL Docket No. 1796 This Document Relates To: ) ALL CASES ) ____________________________________) ORDER Upon defendants’ motion to dismiss or, in the alternative, for summary judgment, the materials submitted in support thereof and in opposition thereto, and good cause having been shown, it is hereby ordered as follows: 1. Defendants’ aforesaid motion is hereby granted. 2. These actions are hereby dismissed. Dated: ________________ ________________________________ UNITED STATES DISTRICT JUDGE Case 1:06-mc-00506-JR Document 9 Filed 02/22/2007 Page 86 of 86