Kirk J. Nahra, CIPP
Privacy and security litigation remains an area of intense interest. A wide variety of high-profile security breaches has focused attention on the risks associated with the use, disclosure and maintenance of personal information by entities in essentially all industries. New laws continue to emerge, at both the state and federal level. Yet, there has been a relatively modest amount of privacy and security litigation, and no breakthrough decision that heralds a new era of litigation risks for companies that use and disclose personal information. What can we learn from the recent past on privacy and security litigation?
What Is the State of Play Today?
- We know there is an increasing awareness of privacy and security issues in litigation, even where a specific privacy law is not the focus of the case.
- The volume of privacy and security litigation has been relatively small, certainly much less than was predicted by many experts (including this one), although the amount of litigation is increasing slowly.
- We are starting to see a wide range of cases based on security breaches or potential identity theft situations, although plaintiffs continue to face uphill struggles in these cases.
- And, while plaintiffs have become very adept at creating privacy and security causes of action, particularly in situations involving individual harm, courts - for the time being - remain relatively skeptical about many of these claims.
Key Lessons Learned
With that background, what are the major lessons learned from recent privacy and security cases?
1. Damages still matter - a lot
It is clear that judges - starting with a limited number of cases and now forming a clear line of precedent - are imposing a significant hurdle for privacy and security cases: a failure to allege actual damages bars the case from moving forward. The first key case is also one of the most straightforward - Smith v. Chase Manhattan Bank, 741 N.Y.S.2d 100 (App. Div. 2002).
In Smith, a bank promised its customers that it would not and did not sell their personal information to third parties. Instead, the suit alleged, the bank did sell customer lists to third parties, including a telemarketing firm. The bank allegedly received a percentage of the products sold as a result of these telemarketing services.
Despite this egregious set of allegations, the court's decision is revealing. The court dismissed the complaint, finding no allegations of actual damages. Instead, the court said that "the 'harm' at the heart of this purported class action, is that class members were merely offered products and services which they were free to decline. This does not qualify as actual harm." Moreover, "[t]he complaint does not allege a single instance where a named plaintiff or any class member suffered any actual harm due to the receipt of an unwanted telephone solicitation or a piece of junk mail." Accordingly, the court found that the complaint was dismissed appropriately for failure to state a cause of action. This means the court found that no claim existed on the facts as they were alleged, not that the allegations were wrong.
Smith is the clearest enunciation of the "no damages" theory - but not the only one. More recent decisions (involving DSW and Acxiom Corp.), where potential identity theft has been alleged, follow the same idea - no actual damage, no case.
The court in Forbes v. Wells Fargo Bank, N.A., 420 F. Supp. 2d 1018 (D. Minn. 2006), took this one step further, rejecting negligence and breach of contract claims brought by potentially harmed individuals against a bank. This case involved a third-party service provider to a Wells Fargo subsidiary. The service provider was the victim of a theft in which computers containing unencrypted personal financial information were stolen. The bank notified the affected individuals about the theft, and a class action suit was promptly filed by these bank customers. The plaintiffs asserted a variety of costs related to the theft, primarily the cost of monitoring their financial accounts against potential loss.
In line with other cases, the court rejected these claims, essentially because there was no evidence indicating that any information from these computers had been misused. The court also found that the personal time and money spent by this purported class "was not the result of any present injury, but rather the anticipation of future injury that has not materialized."
These cases are now a solid line of precedent. In Randolph v. ING Life Ins. & Annuity Co., 486 F.Supp. 2d 1 (D.D.C. 2007), the court, following the theft of a laptop, found that the plaintiffs had failed to allege any injury that is "actual or imminent, not conjectural or hypothetical." The court then concluded that the plaintiffs' allegations "therefore amount to mere speculation that at some unspecified point in the indefinite future they will be victims of identity theft." Even more recently, in Kahle v. Litton Loan Servicing LP, 486 F.Supp. 2d 705 (S.D. Ohio 2007), the court, following a line of cases that "clearly reject the theory that a plaintiff is entitled to reimbursement for credit monitoring services or for time and money spent monitoring her credit," found that any "injury of the plaintiff is purely speculative," and rejected the idea that this speculative injury could constitute damages in a negligence case.
A lack of actual damages - even in the face of clear security breaches - is now the primary hurdle in most privacy and security cases.
2. Even though there is no private cause of action in most privacy laws, legitimate alternative theories are emerging, particularly for "individual harm" situations.
While plaintiffs have struggled to assert private causes of action directly, they now are learning to be more creative - with the possibility that a new claim for "negligence" may emerge. The most likely candidate for leading precedent in this area is Acosta v. Bynum, 638 S.E.2d 246 (N.C. Ct. App. 2006). Here, the court reinstated claims against a psychiatrist who allegedly allowed an office manager access to psychiatric records that were then used to cause harm to a patient. The appellate court found it appropriate to treat HIPAA as establishing the standard of care, so that a plaintiff may plead a violation of HIPAA as a breach of that standard. This decision therefore creates the opportunity to use HIPAA as a measuring stick for a traditional tort claim - even in a situation where there was no obviously egregious behavior. While damages still will be required, this case provides a means of getting around the lack of a private cause of action. It is one to watch in the years ahead.
Acosta may be the clearest case on this "negligence" idea, but it is not the only recent case permitting "HIPAA-like" claims to be brought without relying on a HIPAA cause of action. While similar cases have not yet been brought under other statutes, there is no reason that this theory won't work under these laws.
The recent case of Sorensen v. Barbuto, 143 P.3d 295 (Utah Ct. App. 2006), cert. granted, 150 P.3d 544 (Utah 2006), also is interesting. In the case, a patient sued his former doctor for assisting the defendant in a personal injury suit the patient had brought. The case is most notable for the idea that - with the right facts, meaning a reasonably defined actual harm or particularly bad behavior - judges will seek out means of remedying these violations; it is also an interesting spin on a HIPAA claim.
The Sorensen decision stems from Sorensen's suit against Barbuto (his former physician), brought after Sorensen learned of Barbuto's involvement with his opposing defense counsel. He asserted breach of contract and various tort claims against Barbuto, all of which were dismissed by the trial court. This decision was rendered by the Utah Court of Appeals, reversing most of this dismissal.
The court first rejected Barbuto's claim that he violated no duty because Sorensen had placed his physical condition at issue in the case, finding that this "exception" to the physician-patient privilege doctrine could not be the basis for Barbuto to act against the patient in a suit where Barbuto was a third party. The court then held that "ex parte communication between a physician and opposing counsel constitutes a breach of the physician's fiduciary duty of confidentiality." The court also held that the trial court's dismissal of Sorensen's negligence claim was in error, as the fiduciary duty that existed in this situation could support a negligence claim.
The court also found that Sorensen could pursue a claim for intentional infliction of emotional distress. Because Barbuto not only communicated ex parte with defense counsel, but also became a paid advocate for Sorensen's adversary, the conduct by Barbuto met the threshold of "extreme and outrageous" conduct necessary to sustain a claim for intentional infliction of emotional distress.
Herman v. Kratche, Case No. 86697, 2006 WL 3240680 (Ohio App. Dist. Nov. 9, 2006) is another case to watch. Here, the plaintiff received medical treatment from a clinic. The clinic sent the results of the treatment to the HR Department of the plaintiff's employer. The employer and the patient both told the clinic that there was no workers' compensation claim and that nothing should be provided to the employer, yet the material continued to be sent to the employer.
The court held that the clinic owed the patient a fiduciary duty to keep her information confidential, and that it breached that duty. The fact that the employer also owed duties to the plaintiff did not mitigate the clinic's breach. The court properly rejected the clinic's novel argument that, because the recipient was itself an entity with regulatory confidentiality obligations, the disclosure stayed within a HIPAA "circle of confidentiality" and therefore was not an unauthorized disclosure at all. Accordingly, the court permitted various claims to go forward based on the unauthorized disclosure.
These cases are not uniform, but they do represent the realistic possibility of two key theories - negligence, through a failure to meet a standard of care set by legislative or regulatory standards, or "breach of (fiduciary) duty," through failure to meet these same standards.
3. There is no class action breakthrough (yet)
While these "quasi-negligence" cases present a real risk of becoming a new basis for privacy and security claims, these cases - so far - have been focused on individual situations, where a specific individual faced a particular harm.
On a broader basis, there still has been no significant breakthrough case related to class action allegations. For example, even in the series of cases related to the ChoicePoint security breach - one of the most prominent breaches and one where the facts led to development of state notification laws around the country - the class action plaintiffs have come up empty. In the most recent decision, Harrington v. ChoicePoint Inc., CV 05-0124 MRP (C.D. Cal. Oct. 11, 2006), five separate actions were consolidated into a class action suit in the Central District of California, alleging violations of the Fair Credit Reporting Act (FCRA) and various California statutes. The plaintiffs sought actual, statutory and exemplary damages, as well as injunctive relief, attorneys' fees and costs. The court rejected the FCRA claim because the plaintiffs failed to provide any evidence that would support their contention that the disclosed information met the three requirements of a "consumer report" under FCRA. Once the federal claims were dismissed, the court declined to exercise supplemental jurisdiction and dismissed the state claims as well, resulting in a complete dismissal of all claims against ChoicePoint.
The question in these class action cases is whether any particular case will result in a breakthrough - and a turnaround in the attitudes of class action attorneys in these cases. The litigation against TJX presents this possibility - if the multiple cases that have been filed result in a substantial recovery. We also have seen some recent class certifications - for settlement purposes only - in cases involving Commerce Bankcorp and American Express. While these cases do not constitute realistic precedent, and incorporate no court decisions altering the discussion on damages or the appropriateness of a class on the merits, they do warrant attention, as a sufficient number of class-oriented settlements may have the effect of altering the dynamics in these cases.
4. But the plaintiffs are still trying
For plaintiffs, the biggest potential opportunity has involved a substantial number of new cases filed in connection with an alleged breach of a single provision of the Fair and Accurate Credit Transactions Act (FACTA), related to the "truncation" of credit card numbers on receipts provided to customers. (See related page 1 story.) These suits are designed to evade the "no damages" issue; here, the plaintiffs' counsel have asserted "statutory damages" (because no actual damages exist), with claims totaling in the billions of dollars. While these cases are only beginning, they present some real risks for defendants - although the allegations also trivialize the actions of companies around the country to take better steps to protect the data they maintain. In these cases, clearly no one has been harmed; none of the cases even bother to assert any actual harm. But, these cases remain significant and an area for all companies to watch; they also should serve as a reminder to all companies that accept credit cards to make sure their practices fit this statutory standard.
The initial decisions are starting to trickle in. In Leowardy v. Oakley Inc., No. 8:07-cv-0053, 2007 WL 1113984 (C.D. Cal. April 10, 2007), the court denied a motion to dismiss a FACTA class action that had argued the individuals lacked standing to sue under the statute's private cause of action. A similar standing decision was issued in Eskandari v. IKEA U.S. Inc., No. 8-cv-01248, 2007 WL 845948 (C.D. Cal. March 12, 2007).
A potentially more significant decision was issued in Spikings v. Cost Plus Inc., No. 2:06-cv-08125 (C.D. Cal. May 25, 2007). Here, the court denied class certification in one of the FACTA cases in which the plaintiff alleged that too much information was printed on card receipts. According to the court, "[i]n this case, if a class is certified and Plaintiff prevails, even the minimum statutory damages would be ruinous to Defendant." If the plaintiff were able to prove a willful violation, "statutory damages alone would range from a minimum of $340 million to a maximum of $3.4 billion." Focusing on the plaintiff's testimony that there had been no actual damages, the court also noted that "[m]ost importantly, denial of class certification in this case does not prevent any of Defendant's customers who may have suffered actual damages as a result of Defendant's conduct from proceeding with individual cases to recover those damages."
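The "statutory standard" these FACTA receipt cases turn on is worth making concrete, because it is mechanical enough to test for. The following is an added example, not code from the article or its author: it encodes the truncation rule as enacted (FACTA's amendment to the Fair Credit Reporting Act, 15 U.S.C. § 1681c(g), which permits no more than the last five digits of the card number and no expiration date on an electronically printed receipt given to the cardholder) and scans receipt text for the two ways a receipt can miss it. The receipt lines are constructed for the example, and the card number is the widely published Visa test PAN, not a real account; the regular expressions and message strings are this example's own choices.

```python
"""
Check point-of-sale receipt text against the FACTA truncation rule.

Added example, not from the article. The rule encoded here is FACTA's
amendment to FCRA, 15 U.S.C. 1681c(g): a merchant may print no more than
the last five digits of the card number, and may not print the expiration
date, on any electronically printed receipt handed to the cardholder.
All receipt text below is constructed for the example.
"""
import re

MAX_VISIBLE_DIGITS = 5  # statutory ceiling: "no more than the last 5 digits"

# A run of 13-19 digits, optionally separated by spaces or dashes (a PAN).
_DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A masked number: four or more mask characters, then the visible tail,
# e.g. "XXXX-XXXX-XXXX-123456" or "************1111".
_MASKED_RUN = re.compile(r"(?<!\w)(?:[Xx*#][ -]?){4,}(?P<tail>(?:\d[ -]?)*\d)(?!\d)")
# Expiration date in the common receipt forms: EXP 12/09, EXP: 12/2009, EXPIRES 1209.
_EXPIRY = re.compile(
    r"\bEXP(?:IRES|IRY|IRATION)?\.?:?\s*(\d{2}/\d{2,4}|\d{4})\b", re.IGNORECASE
)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check.

    Used to separate real card numbers from other long digit runs on a
    receipt (transaction IDs, authorization codes), which rarely pass it.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, visible: int = 4) -> str:
    """Return the PAN with all but the last `visible` digits replaced by '*'.

    Four visible digits is the common industry practice; the statute allows
    at most five, so anything above that is refused.
    """
    if visible > MAX_VISIBLE_DIGITS:
        raise ValueError("FACTA permits at most the last five digits")
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - visible) + digits[-visible:]


def find_receipt_violations(receipt: str) -> list[str]:
    """Scan receipt text line by line and describe each FACTA truncation problem."""
    violations = []
    for line in receipt.splitlines():
        for m in _DIGIT_RUN.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                violations.append(f"full card number printed: {mask_pan(digits)}")
        for m in _MASKED_RUN.finditer(line):
            tail = re.sub(r"\D", "", m.group("tail"))
            if len(tail) > MAX_VISIBLE_DIGITS:
                violations.append(
                    f"{len(tail)} card digits visible (max {MAX_VISIBLE_DIGITS})"
                )
        for m in _EXPIRY.finditer(line):
            violations.append(f"expiration date printed: {m.group(1)}")
    return violations


# Constructed sample receipts. 4111 1111 1111 1111 is the published Visa
# test number, not a real account.
BAD_RECEIPT = """ACME STORE #42
VISA 4111 1111 1111 1111
EXP 12/09
TOTAL $19.99
"""

GOOD_RECEIPT = """ACME STORE #42
VISA ************1111
TOTAL $19.99
AUTH 032417
"""

if __name__ == "__main__":
    for name, text in (("bad", BAD_RECEIPT), ("good", GOOD_RECEIPT)):
        print(name, find_receipt_violations(text) or "compliant")
```

The Luhn filter is what keeps this from flagging every long number on a receipt; it does not make the check airtight (roughly one in ten random digit runs passes it), so treat a hit as something to review rather than proof of a violation. The masked-number check matters as much as the full-PAN check: the Spikings receipts were alleged to print too many digits, not necessarily the whole number.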
5. Don't think that privacy laws are a good shield from the discovery process
Recent cases also make clear that most privacy laws do not create a shield that can protect companies from the need to produce information in discovery. For example, the Mississippi Supreme Court in Capital One Services, Inc. v. Page, 942 So. 2d 760 (Miss. 2006), ordered a credit card issuer to turn over documents in a lawsuit brought by a cardholder, rejecting the card firm's argument that disclosure of the information was barred by the Gramm-Leach-Bliley Act's (GLBA) privacy provisions. Similarly, in Ex parte National Western Life Insurance Co., 899 So. 2d 218 (Ala. 2004), the Alabama Supreme Court held that GLBA does not shield financial institutions' customer records from disclosure to third parties pursuant to a discovery order in a private suit. Legitimate litigation has been recognized as an appropriate means of obtaining personal information, and, as long as the required procedures are followed, companies cannot use these laws to prevent discovery.
6. Beware of state FOIA claims
Perhaps similar to the discovery cases, companies (and individuals) need to be aware of the new risk that sensitive personal information may be subject to disclosure through government "open records" laws. For example, in State ex rel. Cincinnati Enquirer v. Daniels, 844 N.E. 2d 1181 (2006), the Ohio Supreme Court indicated, in dicta, that the state freedom of information law trumped the HIPAA Privacy Rule, so that information held by the state, even in its role as a HIPAA covered entity, would be subject to disclosure under that law. A similar opinion was issued by the Texas attorney general, concluding that the requirements of the state's open government law meant that HIPAA-protected data would be subject to disclosure. Companies and government entities should be re-evaluating their production processes, or reconsidering the exceptions available under these laws, so that personal information is not disclosed inappropriately.
Privacy and security litigation is not going away. There is a continuing perfect storm of a large number of new laws that have overlapping and potentially conflicting requirements, with increased enforcement and ongoing security breaches. Companies in all industries need to be aware of the risks of litigation and take steps to reduce risks.
With that said, many uphill challenges remain to bringing successful privacy/security suits (or, conversely, lots of defenses still exist, even when companies have not behaved well). Damages are a substantial hurdle, particularly in class action cases. In "individual harm" situations, companies need to be careful to meet existing privacy and security standards, even where these standards contain no private cause of action, as courts are beginning to recognize these standards as setting a standard of care that must be met.
Kirk Nahra is a Partner with Wiley Rein LLP in Washington, D.C., where he specializes in privacy and information security litigation and counseling. He is chair of the firm's Privacy Practice. He serves on the IAPP Board of Directors and is the Editor of The Privacy Advisor.
He is a Certified Information Privacy Professional. He is the Chair of the Confidentiality, Privacy and Security Workgroup, a panel of government and private sector privacy and security experts advising the American Health Information Community (AHIC). He may be reached at