acquisition of private information about them, and promote[] compliance with state and federal privacy laws.”12 Under the provisions of the new policy, the University is required to provide “timely and appropriate notice to affected individuals when there has been a breach of security of private data about them.”13
In less than six months, the University reported that several hundred students’ personal information was compromised when two Apple computers were stolen from a locked office. Most of the records on the computers did not contain Social Security numbers, but did contain addresses, phone numbers, student IDs, birth dates, citizenship and other personal information.
e. The Boeing Co.
In April 2006, The Boeing Co. reported that the names, Social Security numbers, addresses and phone numbers of 3,600 current and former employees were compromised after someone stole a human resource employee’s laptop at an airport.14 After the theft, Boeing purged all personal information off of the human resources laptops. Like many of the other companies, Boeing offered free credit reporting for those employees who were affected by the theft. Additionally, Boeing reported that in the future, all the data on laptops will be encrypted, and employees handling sensitive personal information must participate in special training.15
f. Ameriprise Financial, Inc.
Ameriprise Financial reported a similar breach in January 2006 when thieves stole a company laptop from an employee’s car. A file on the laptop contained names and financial account numbers for 158,000 Ameriprise clients and 68,000 advisers.16 Ameriprise terminated the employee after learning that, in violation of Ameriprise’s policy, the files on the laptop were not properly encrypted.
g. Government Breaches
Private businesses are not the only victims of theft relating to confidential information. In the largest security breach on record involving Social Security numbers, a U.S. Department of Veterans Affairs employee violated agency policy by taking a laptop containing the sensitive personal information of 26.5 million veterans discharged after 1975.17 Burglars stole the laptop from the employee’s home. The information stolen included names, Social Security numbers, disability ratings, spouses, and dates of birth.18 In June, veterans filed class-action lawsuits seeking $1,000.00 for each of the 26.5 million people listed in the missing database files.19
On a smaller scale, two Federal Trade Commission laptops disappeared from a locked trunk. The FTC attorneys were working on a case, and were authorized to have the laptops. The information on the laptops included the names, addresses, Social Security numbers, financial account information, and dates of birth for persons the FTC had investigated. The laptops did not contain any information about FTC employees or government officials. Ironically, the laptops contained sensitive personal information for defendants that had been investigated for stealing other people’s identities. The FTC offered free credit monitoring for 110 people as a result of the theft.
III. Legal Ramifications of Data Theft
For both government and private entities, the cost of the data loss may be significant. In the Veteran’s Administration case, the personal information on the employee’s laptop was not encrypted and was easily accessible.20 The two class-action lawsuits currently pending in federal courts are based, in part, on violations of the Privacy Act. The Privacy Act prohibits government agencies from disclosing personal information without the individual’s consent. Members of the class can recover not less than $1,000.00 each for the unauthorized disclosure of their personal information.
a. Federal Class Action Litigation
On May 30, 2006, Paul Hackett and Matthew Page filed a class action complaint against the Veteran’s Administration in the Eastern District of Kentucky. Hackett is a veteran of the United States Marine Corps and Page is a veteran of the United States Navy. The plaintiffs allege that over three years, an unidentified, low-ranking data analyst and long-time VA employee removed files containing private personal information of 26.5 million veterans. The employee then took the files home and copied the files onto his computer for an “unspecified purpose.”21
The plaintiffs also allege that high-ranking officials at the VA delayed reporting the unauthorized activity until three weeks after the employee reported the laptop stolen.22 Additionally, the plaintiffs claim that the VA has previously received failing grades for its computer security practices from both the General Accounting Office and the United States House of Representatives’ Committee on Government Reform. The plaintiffs based their claims on violations of the Privacy Act, and the Fourth and Fifth Amendments to the United States Constitution.
Separate groups of plaintiffs filed the second class action lawsuit on June 6, 2006 in the District Court of Washington, D.C.23 These plaintiffs claimed that the VA violated the Privacy Act and the Administrative Procedures Act.24
b. State Class Action Litigation
Although the Privacy Act does not apply to private businesses, entities whose data has been breached, like