Plaintiffs are increasingly filing privacy lawsuits that allege harm and seek compensation. But to date, courts have grappled with discrepancies between plaintiffs’ “harm” claims and the scope of the law—particularly when the harm can’t be qualified, such as in cases of emotional distress or humiliation, leaving many plaintiffs empty-handed when the judge strikes the gavel.
Experts say the recent Supreme Court ruling in Federal Aviation Administration (FAA) v. Cooper illustrates the difficulty plaintiffs face in collecting damages under the Privacy Act of 1974, which dictates how agencies under the Executive Branch manage confidential records.
In the case, pilot Stan Cooper withheld his HIV status from the FAA in applying for the certificate he needed to comply with FAA medical standards on four separate occasions. When his health deteriorated in 1995, Cooper applied to the Social Security Administration (SSA) for disability--revealing his HIV status. A cross-agency investigation compared FAA and SSA records and found Cooper had lied. Following a guilty plea, Cooper’s pilot certificate was revoked and he was sentenced to two years of probation and a $1,000 fine for intentionally withholding information from a government agency.
In turn, Cooper sued the FAA, its parent, the Department of Transportation and the Social Security Administration for violating the Privacy Act by sharing his medical records among themselves; revealing his HIV diagnosis, and thus causing him “humiliation, embarrassment, mental anguish, fear of social ostracism and other severe emotional distress,” the suit alleged.
The Ninth Circuit Court of Appeals in San Francisco ruled in February 2010 that Cooper could seek damages for emotional distress, as the San Francisco Chronicle reported. But the U.S. Supreme Court voted 5-3 in March of this year that though the government had violated the Privacy Act, Cooper could not collect damages for the emotional distress he suffered because “the act does not authorize the recovery of damages from the government for nonpecuniary mental or emotional harm.”
Since then, the Electronic Privacy Information Center has proposed changes to the Privacy Act that would in fact compensate individuals for nonpucuniary harms such as mental or emotional distress. Sen. Daniel Akaka (D-HI) introduced a bill in October 2011 that would revise the Privacy Act to allow for civil and criminal penalties for Privacy Act violations.
D. Reed Freeman, CIPP/US, of Morrison Foerster, said courts are increasingly hearing class-action cases that seek “harm” damages and that to date, defendants have largely been successful in having the allegations dismissed, citing plaintiffs’ failure to meet the Constitution’s “cognizable harm” statute.
“What you’re seeing is that by and large, plaintiffs have a very difficult time proving harm in the data loss or theft cases,” said Andrew Serwin of Foley & Lardner. Serwin added that although sovereign immunity applies in the Cooper case, “even now in the public-sector side, you’re seeing courts say ‘you can’t prove damages, and therefore, you can’t state a claim.’”
However, FAA v. Cooper, while illustrative of the growing trend toward monetary compensation sought for non-monetary damages, may not set a precedent in a broad sense because of the government’s sovereign immunity, the legal doctrine immunizing the government from liability in cases of ambiguity, experts say.
Though the government-as-defendant makes the impact of the ruling less significant in this case, the case could have a stronger persuasive value when it comes to state laws, according to Ann Waldo, CIPP/US, of Wittie, Letsche & Waldo.
“Since Congress didn’t make the Privacy Act clear in explicitly allowing damages for nonpecuniary injuries, the court said that this had to be construed narrowly,” Waldo said. “The holding unquestionably relied on (the justices’) perceived sense that they were compelled to limit actual damages narrowly because of the very strong canon of statutory interpretations.”
“With respect to claims of Privacy Act breaches against the government, the court has made it difficult to assert those claims,” agreed InfoLawGroup’s Dave Navetta, CIPP/US. He said that although the Cooper case may have a limited impact on future holdings, its outcome isn’t rare, adding that, in general, plaintiffs have struggled to allege harm because of the law’s narrow scope. Even time lost or the cost of credit monitoring are “damages that are typically not recognized in a court of law” and are often dismissed.
“I think plaintiffs in many cases may have the facts in their favor, but the law, in terms of harm, is very much not in their favor,” he said.
However, Navetta said high-profile cases where loss of data has occurred and a brand’s reputation is at risk may be more likely to be settled.
“With brand-name companies, even if it looks like cases are going to be dismissed early on the ‘harm’ issue, there’s still some risk involved. I think defendants look at them differently than smaller breaches where the risk may not be as great,” he said.
Carnegie Mellon researchers found that breaches that have occurred due to “unauthorized disclosure or disposal” of data are twice as likely to result in lawsuits than those due to hacking incidents and that financial loss and proof of harm were determining factors in whether companies settled suits.
Navetta points to the Hannaford Brothers data breach of 2007, in which millions of payment card numbers were exposed and fraudulent charges placed. A First Circuit Court in Maine ruled that victims could recover costs incurred when they purchased credit insurance or new identity theft monitoring--cognizable harms.
In September 2011, however, a U.S. District Court judge dismissed a group of consolidated class-action suits alleging that Apple and eight mobile-application makers shared users’ personal information without their consent, writing in her opinion that the plaintiffs did not show any tangible injuries.
In FAA v. Cooper, the defendant argued that while Cooper may have suffered an “adverse effect,” he didn’t necessarily suffer “actual damages.” One justice said Congress likely did intend the Privacy Act to cover emotional distress suits, but in the end, the majority disagreed.
Simon Frankel of Covington and Burling agrees that the question at hand is how lower courts will apply the Cooper ruling to other cases.
“Will lower courts interpret Cooper narrowly to mean that ‘actual damages’ is limited to monetary harm where it allows monetary relief against the government, acting as a waiver of sovereign immunity, or treat it as a broader holding that when statutes allow for actual damages, they only allow for recovery of monetary harm and not emotional distress or damages or reputational damages,” he said. “That’s what I think is the difficult open question.”
Mali Friedman, also of Covington and Burling, said the Cooper holding is representative of a tactic frequently used by plaintiff’s counsel, “which is to allege emotional harm and other types of damages that simply aren’t cognizable under certain statutes.”
Friedman said courts also have yet to attach the same value to personal data that plaintiffs deem it to have.
“No court has yet held that the collection or disclosure of an individual’s data has any cognizable economic value to that individual. Of course, personal data in the aggregate often has value to a company, but courts repeatedly have found that there is no compensable loss where an individual’s information is collected or shared.”
Dr. Deborah Peel, a physician and health privacy advocate, says the implications of Cooper are significant from a health privacy standpoint.
“Emotional injuries are real and they cause great harm,” said Peel. “All you have to do is think about post-traumatic stress disorder in the military.
She said the FAA and SSA’s actions in comparing personal data send a daunting message to Americans asked to disclose sensitive data to government agencies, such as Cooper’s HIV status, and those messages can have repercussions.
“Where you have situations where reporting a condition is going to destroy livelihood, reputation or future, many people will not seek medical treatment. Cooper counted on the Privacy Act to keep his records private, and it didn’t.”
As the U.S. healthcare system moves towards electronic health records, Peel said it’s “incredibly important that we move toward systems that are trusted. How can we ask the public to participate in these systems when they don’t even know where the data goes?”
Waldo said she expects the case could raise issues regarding future government data sharing.
“This was only in 2002,” she said of the agencies’ investigation into Cooper. “In 2012, there are many efforts–and in the next decade, I predict far more efforts–to make government more modern, integrated and data-interoperable. As that goes on, I think many people can expect some unwelcome surprises from government…Increasingly, government will become far more efficient and aggressive in achieving that data interoperability.”
As an example, Waldo noted strong efforts to connect state databases on prescription drug abuse for law enforcement purposes.
In the end, Morrison and Foerster’s Freeman said that although plaintiffs now struggle to collect harm damages, there’s time yet.
“There’s some possibility that the inability of consumers to have their day in court for the perceived privacy violations could spark Congress or state legislatures to respond with a new law that remedies that problem,” he said.