When are Privacy Violations Sufficient to Sue?

In order to get into court – particularly federal court – a party has to demonstrate that they have “standing” to sue — that is, that they have personally suffered some kind of concrete and demonstrable harm as a result of someone else’s conduct that gives rise to a right to seek damages or injunctive relief. In other words, that the person suing is not just some guy off the street.

When it comes to violations of laws designed to protect the privacy rights of individuals, courts have been hesitant to find “standing” to sue, and, when suits actually proceed, to find actual damages. As a result, even where Congress has dictated that companies must protect certain private data and has provided individuals with a right to sue when that data is not protected, judges have closed the courthouse gates when plaintiffs cannot demonstrate that they have suffered significant and concrete injuries. This is particularly true in the case of class action lawsuits, where a large class of potential “victims” of a privacy violation, each of whom may have suffered some violation of their personal privacy, attempt to sue as a class. Unless each member of the class can show concrete injury, the class action fails. And when it comes to privacy violations – where personal data is exposed improperly – it is often difficult, if not impossible, to put a dollar value on the injury.

The U.S. Supreme Court is currently considering a case in which credit reporting giant TransUnion improperly flagged thousands of people as being on a U.S. government terrorist watch list. It did so by using a third-party service provider that simply matched these people’s names against the government’s list of “Specially Designated Nationals” (SDNs) – persons who are prohibited, by law, from engaging in financial transactions in the U.S. – without checking anything else about them. Thus, if your name was merely similar to a name on the list, your credit file was flagged as being that of a terrorist. When you applied for credit, this information would show up at the car dealership, mortgage broker, or your local Best Buy. Congress has long had a law – the Fair Credit Reporting Act – which requires consumer reporting agencies to follow reasonable procedures to ensure the accuracy of the reports they produce, and which provides a “private right of action” – a right to sue for violations of the statute.

But who, exactly, has “standing” to sue for the violations? While thousands of people had erroneous SDN information placed on their credit reports in violation of the statute, only a subset of those thousands had actually applied for credit and been denied as a result of someone seeing that bad information. Those whose erroneous “terrorist” label was shown to potential creditors may have suffered some injury, and those actually denied credit may have suffered some damages. But could those who had the “mark of Cain” placed on their record, where the record was never actually seen by anyone, sue as part of a class of people injured? The United States Court of Appeals for the Ninth Circuit said “Yes,” and TransUnion is asking the United States Supreme Court to reverse that ruling.

In that respect, TransUnion has some powerful allies. Various tech giants, including Google, Facebook, eBay and others have told the Court that the rules of standing should be narrowly applied to close the doors to the courthouse to anyone who cannot show specific and demonstrable harm resulting from a statutory violation where Congress has given a right to sue. They point to a host of laws passed by Congress that give individuals a right to sue for violations which may – or may not – cause actual physical or economic harm to the individual.

For example, the federal wiretap law prohibits the “interception” of people’s communications (including electronic communications) under certain circumstances. Tech giants carry billions of communications across their networks and services, often using automated tools to read, analyze and act upon the contents of those communications in ways that might violate the statute. The same is true for statutes like the Electronic Communications Privacy Act, the Stored Communications Act, the Video Privacy Protection Act and the Telecommunications Privacy Act, each of which protects the privacy of a different kind of information in a different way. If Google, Facebook, AT&T, Verizon or others were systematically violating these statutes, but you didn’t know it, have you suffered an actual “injury”? That’s the problem with privacy. When it is violated, it is next to impossible to point to a specific thing that happened and say, “That was due to the privacy violation,” in anything other than the most egregious cases.

It is important here to distinguish between “standing” to sue and “damages” resulting from a suit, although courts have been hesitant to recognize either in the privacy space. To establish “standing,” you have to show some concrete injury or harm, but that harm need not be economic, and the remedy need not be financial. Thus, if TransUnion had continued to keep the bad SDN data on its credit reports, those improperly flagged might have standing to sue TransUnion to get an order preventing the practice and requiring the credit reporting agency to verify that a person it flags actually is the person on the SDN list, rather than someone with a similar name. The “harm” is the potential future harm if the practice is not stopped. But in the area of “damages” – that is, when the suit actually progresses to trial and the injured party seeks compensation – courts have been equally reluctant to recognize potential future harm as something you can seek, or get paid for.

For example, if a company suffers a data breach, unlawfully exposing your name, address, phone number, social security number and credit card data (PAN, expiration date and CVV, the last of which a merchant is not supposed to retain after authorization in the first place) to the public, you may have a fear that, some day in the future, someone might use that data to commit identity fraud or identity theft.

Courts are split on whether this “fear of future harm” is sufficient to allow you to get damages today. The concepts of standing and damages are distinct, but intertwined, and Courts often confuse the two.

All told, these cases reflect the fact that Courts and companies which collect, store and process massive amounts of personal data do not value the privacy of their customers and data subjects. By this I don’t mean that Courts and companies don’t think that privacy is important – they may, to one extent or another. But they don’t place a specific economic value on privacy itself. They look to some “other” harm resulting from the loss of privacy, and don’t see the loss of privacy itself as a harm. If someone sees your medical records, and now knows that you have high cholesterol and high blood pressure – well, so what? Sure, if it’s a potential employer, and you can show that they didn’t hire you because they felt you were a health or insurance risk, now you have cognizable harm. But the mere exposure of personal information? Meh. A peeping Tom sees you naked in the shower. If you can show that you suffered some emotional harm (psychiatric bills, etc.) you can get compensation, but mere embarrassment? Courts are hesitant.

The standing issue is even more difficult, since it closes the courthouse to the litigant completely. This is particularly problematic where Congress has expressly required companies to do something (or refrain from doing it) and provided a right to sue for a violation. Sure, companies like Google, Facebook and other “big data” companies have reason to fear frivolous and vexatious class actions asserting violations of privacy laws and demanding what they call “in terrorem” settlements – essentially, extortion. But the answer to that is not to close the door on class action standing, but to impose sanctions under Rule 11 of the Federal Rules of Civil Procedure on class action lawyers who file frivolous lawsuits. Privacy is important, and the less we place a value on it, the less we will value it.

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities, including the University of Maryland, George Mason University, Georgetown University and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including those of Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News and ABC News, and in the New York Times, the Wall Street Journal and many other outlets.