Potential Lawsuit Over Alleged NASA Data Breach
A stolen NASA laptop, allegedly containing personal information on 10,000 NASA employees, has prompted a potential civil lawsuit. As reported in the Pasadena Star News, the unencrypted computer was taken from a Washington, D.C. parking lot.
According to the article, NASA has taken several corrective measures, including the issuance of an apology, the hiring of a security firm and the institution of a policy of data encryption. At least four of the employees have retained a California attorney who is threatening a class action suit.The article raises the question of exactly what the lawsuit would claim. Certainly the accidental dissemination of personal data is a breach of trust, and a huge potential source of inconvenience and embarrassment. But could it lead to a valid claim for monetary damages?
Perhaps the biggest potential roadblock for the employees will be proving damages. In other words, were the employees actually harmed by the theft? For instance, if the computer was immediately destroyed, or thrown into the ocean, then the employees personal information was not actually disseminated to third parties. In that case, it is difficult to see how the employees could prove a right to monetary damages. But if the data was retrieved, and disseminated to third parties, then it would be a whole different ball game. So I think question one is going to be “what happened to the computer, and the data it contained”?
Another question will be what theory of liability the employees would allege. My guess is that it will be a claim based on negligence and/or invasion of privacy. In a negligence suit, the employees would likely argue (1) that NASA had a duty to preserve and secure their confidential information (2) it breached that duty by allegedly failing to encrypt the data and secure the laptop and (3) they were damaged monetarily as a result. Pertinent inquiries would be whether NASA’s policies met applicable industry standards for data encryption and security of computers containing confidential data.
In order to win a suit for invasion of privacy in Texas, the person bringing the suit typically has to prove:
1. The defendant publicized information about the plaintiff’s private life;
2. The publicity would be highly offensive to a reasonable person;
3. The matter publicized is not of legitimate public concern; and
4. The plaintiff suffered an injury as a result of the defendant’s disclosure.
Whether the employees could win such a suit would turn on whether private information about them was actually publicized, and whether they were actually damaged as a result. Based on the limited information available about the event, it’s impossible to predict whether they will be able to do so.