Trump v. IRS, the $10 Billion Data-Breach Theory, and the Problem of Counting “Disclosures”
When Donald Trump, Donald Trump Jr., Eric Trump, and the Trump Organization sued the Internal Revenue Service and the Department of the Treasury for $10 billion over the leak of Trump-family tax information, the headline number was both astonishing and familiar. Astonishing, because $10 billion is not the kind of number one usually associates with an IRS confidentiality case. Familiar, because in privacy and data-breach litigation, plaintiffs’ lawyers have long attempted to turn a single compromise of data into a large damages number by asking a deceptively simple question: How many times did the private information move, get opened, get queried, get copied, get transmitted, or get viewed?
That is the real cybersecurity question in Trump v. IRS. Not whether confidential taxpayer information was disclosed. It was. Not whether the taxpayer return information is supposed to be confidential. It is. The harder question is how the law counts the harm. Is the leak one disclosure? Is each act of access by the leaker a separate unauthorized inspection? Is each transmission to a reporter a separate disclosure? Is each downstream publication a new disclosure? And, most provocatively, is each reader, viewer, click, download, or database query a separate statutory violation?
The Trump case grew out of the conduct of Charles Littlejohn, a former IRS contractor who unlawfully accessed and disclosed tax-return information belonging to Trump and other wealthy taxpayers. Littlejohn was sentenced in January 2024 to five years in prison after leaking tax information to The New York Times and ProPublica. Public reporting later indicated that the IRS notified more than 400,000 taxpayers whose private information had been implicated in the Littlejohn leak.
Trump’s lawsuit, filed in the Southern District of Florida, alleged that the IRS and Treasury failed to protect confidential tax information and sought $10 billion in damages. The case was later resolved through a settlement in which Trump and the other plaintiffs received a formal apology but no direct monetary payment, at least for now, while the Department of Justice established a $1.776 billion “Anti-Weaponization Fund.” See Trump Drops IRS Lawsuit in Exchange for DOJ $1.8 Billion ‘Weaponization’ Fund, Reuters (May 18, 2026). Nothing in the documents creating the Anti-Weaponization Fund precludes the President, members of his family, or companies he controls from applying for and receiving funds from the Fund, or from firing any Commissioners who refuse to pay the family. What the agreement provides is that Trump and the named plaintiffs release the government from claims related to the disclosure, but not from the general concept of “weaponization.” So the President and his family can still file claims against the fund.
The settlement agreement itself describes the case as one arising under 26 U.S.C. § 6103, 26 U.S.C. § 7431, and the Privacy Act, and states that the complaint concerned Littlejohn’s illegal access to and disclosure of the plaintiffs’ tax returns and return information. However, the creation of the fund does not settle the pending class action lawsuit arising from the Littlejohn breach, or any other individual claims filed. Indeed, those Plaintiffs may or may not be entitled to compensation under the Weaponization Fund, and therefore would likely be permitted to continue their individual litigation against the IRS. This was not a global settlement and was not approved by or overseen by any court.
The statutory hook is important. Section 6103 provides that tax returns and return information “shall be confidential” and may not be disclosed except as authorized by the Internal Revenue Code. 26 U.S.C. § 6103(a). Section 7431 creates a civil damages remedy when an officer or employee of the United States knowingly, or by reason of negligence, inspects or discloses a taxpayer’s return or return information in violation of § 6103. 26 U.S.C. § 7431(a)(1). The damages provision then states that the United States is liable for the greater of $1,000 “for each act of unauthorized inspection or disclosure,” or actual damages plus, in cases of willful or grossly negligent disclosure, punitive damages, plus costs and, where applicable, attorneys’ fees. 26 U.S.C. § 7431(c).
There is nothing unusual about statutory damages. Congress uses statutory damages precisely because privacy harms are often real but difficult to monetize. The difficulty is counting. A stolen tax return is not like a broken window. It can be copied indefinitely, replicated perfectly, searched instantly, transferred globally, and read by millions. If the statute says “$1,000 per disclosure,” then every data-breach plaintiff will ask the same question Trump’s claim reportedly raised: per disclosure to whom, by whom, and when?
The strongest tax-disclosure cases support counting discrete government disclosures separately. They do not clearly support counting every downstream public view as a separate governmental disclosure.
In Barrett v. United States, an IRS special agent sent circular letters to 386 patients of a plastic surgeon under criminal tax investigation. Of those, 126 were returned as undeliverable, leaving 260 letters outstanding. The Fifth Circuit affirmed the denial of actual and punitive damages but noted that the district court had awarded statutory damages of $260,000—$1,000 for each outstanding letter. Barrett v. United States, 100 F.3d 35, 37–38 & n.5 (5th Cir. 1996). That is a clean “one mailing, one recipient, one disclosure” model. It helps a plaintiff who can identify discrete disclosures. It does not answer whether a newspaper reader’s later view of already-leaked tax information is a new disclosure by the government.
In Mallas v. United States, the Fourth Circuit addressed IRS revenue-agent reports sent to investors after criminal convictions were reversed. The district court found the government liable for seventy-three unlawful disclosures about each taxpayer and awarded $73,000 apiece. The Fourth Circuit explained that § 7431(c)(1)(A) imposes damages of “$1,000 for each act of unauthorized disclosure,” and that § 6103 defines “disclosure” as “the making known to any person in any manner whatever a return or return information.” It concluded that the act to be counted is the “making known to any person in any manner whatever” of the return information. Mallas v. United States, 993 F.2d 1111, 1125–26 (4th Cir. 1993). Again, this supports per-recipient counting where the IRS or government actor makes the information known to particular persons. It is not a holding that each later reader of leaked information commits, or causes the government to commit, a fresh § 7431 disclosure.
In Aloe Vera of America, Inc. v. United States, the Ninth Circuit dealt with alleged IRS disclosures of tax information to Japanese tax authorities. The court held that inquiry notice for limitations purposes is not triggered by a single generalized event, but by knowledge of “each particular disclosure.” Aloe Vera of America, Inc. v. United States, 699 F.3d 1153, 1159–62 (9th Cir. 2012). That is useful for plaintiffs because it treats particular disclosures separately for limitations purposes. But it cuts both ways. It reinforces the need to identify a specific disclosure event. It does not collapse all subsequent public attention into new government disclosures.
Trump’s theory of liability is broader. While courts have treated individual government disclosures of tax information as discrete events giving rise to potential damages, in Trump’s case the contractor (not the government) made one disclosure to the media. Once the information was published by The New York Times and ProPublica, the “disclosure” occurred. Trump’s theory of liability was that each reader of the Times or ProPublica, each download, each viewing, and each time a person told another about what they read about the Trump Organization’s tax returns constituted a new violation with new statutory damages.
The successful § 7431 cases tend to count government-originated disclosure events: Letters, reports, meetings, transmissions, or other discrete acts by IRS personnel or federal actors. Barrett counted letters. Mallas counted reports to investors. Aloe Vera treated particular government disclosures separately. None of them turns a newspaper’s readership, a website’s traffic logs, or the public’s subsequent inspection of published material into a new statutory disclosure by the government.
That distinction matters. Section 7431 reaches unauthorized “inspection or disclosure” by federal officers, employees, or certain other covered persons. If an IRS employee opens a taxpayer’s file ten times without authorization, those may be ten unauthorized inspections. If the employee sends the return to five reporters, those may be five disclosures. If a federal agency posts a return to a public website and it is downloaded 100,000 times, a plaintiff will argue that each download is a disclosure. But the government will argue that the disclosure was the act of posting or transmitting, not every later act by a member of the public who encountered the information. The statutory text does not give an easy answer, but the case law is much friendlier to counting affirmative disclosure acts than passive downstream views.
This is not unique to tax law. Privacy statutes often turn on the defendant’s own act of disclosure, not every later act of consumption by others. Under the Video Privacy Protection Act, for example, plaintiffs have challenged repeated transmissions of viewing data to Facebook, Google, or other analytics providers through pixels and software development kits. Courts tend to ask whether the defendant itself transmitted personally identifiable viewing information to a third party. The focus is the platform’s disclosure event, not every later internal view by employees of the recipient. See, e.g., In re Hulu Privacy Litigation, 86 F. Supp. 3d 1090, 1094–95 (N.D. Cal. 2015); Salazar v. National Basketball Association, 685 F. Supp. 3d 232, 239–44 (S.D.N.Y. 2023).
The Driver’s Privacy Protection Act presents a closer analogy because it regulates obtaining, disclosing, and using personal information from motor-vehicle records. Courts have allowed claims based on improper database lookups by government employees or others with access to protected records. But even there, the actionable event is typically the defendant’s access, use, or disclosure—not the abstract fact that the information could later be viewed by others. See Senne v. Village of Palatine, 695 F.3d 597, 603–08 (7th Cir. 2012) (en banc). The lesson is statutory and operational: If the defendant causes repeated transmissions, repeated lookups, or repeated disclosures, the damages count may grow. If the defendant commits one leak and the world reads it, the “each reader equals a separate statutory disclosure” theory is much harder.
The same problem appears in ordinary data breach cases. Companies often ask whether damages should be measured by the number of breached individuals, the number of compromised records, the number of database queries, the number of exfiltrated files, the number of threat-actor downloads, or the number of downstream misuses. Most breach statutes and common-law theories do not treat every later criminal use or every later view as a new disclosure by the breached entity. Instead, courts generally focus on injury, standing, causation, statutory text, contractual duties, negligence, notice obligations, and whether the defendant’s failure to secure data caused a legally cognizable harm. That is why many breach cases rise or fall on Article III standing and concrete injury rather than on pure multiplication of views. See TransUnion LLC v. Ramirez, 594 U.S. 413, 424–31 (2021); Spokeo, Inc. v. Robins, 578 U.S. 330, 340–43 (2016).
Trump’s theory, if framed as multiplying statutory damages by the number of times someone accessed or viewed the returns, would be aggressive but not irrational. Cybersecurity cases are increasingly about logs. Access logs show who opened a record. Exfiltration logs show what was copied. Web analytics show how many times a page was viewed. Cloud audit trails show every API call. In the digital environment, the temptation is to convert every log event into a legal event. Sometimes that is exactly right. If the statute prohibits unauthorized access, each unauthorized access may matter. If the statute prohibits disclosure to a person, each transmission to a new person may matter. If the statute imposes damages per affected individual, each individual matters. But if the statute imposes liability for the defendant’s disclosure, courts will usually ask what the defendant did, not how much attention the leaked information later received.
That is the key distinction between “disclosure” and “virality.” A disclosure is a legal act. Virality is a consequence. The former may create liability. The latter may increase actual damages, reputational injury, punitive considerations, and settlement value. But unless the statute clearly defines each downstream view as a new disclosure, virality should not automatically multiply statutory damages.
There is also a constitutional and policy problem. If every downstream reader of leaked material created a new statutory damages event against the original custodian, damages could become effectively infinite. A tax leak published by a major newspaper could generate billions of “disclosures” in minutes. And each time a reader re-reads the article, this might constitute a separate event. A ransomware leak posted to a dark-web site could create unknowable exposure. A public agency’s accidental upload of a spreadsheet could create damages based not on the agency’s wrongful act, but on traffic analytics. Courts are usually reluctant to adopt statutory-damages theories that produce annihilating liability unless Congress clearly commanded that result.
For CISOs and privacy lawyers, the lesson is practical. Access logs are not just security telemetry. They are damages evidence. In a statutory privacy case, the difference between one disclosure and 10,000 disclosures may be the difference between a nuisance settlement and existential liability. Organizations need to know not just that data was accessed, but who accessed it, when, under whose credentials, for what purpose, whether it was copied, whether it was transmitted, and to whom. In the tax context, recordkeeping is the difference between a statutory violation and a billion-dollar theory of statutory damages.
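To make the point about logs as damages evidence concrete, the following added example (not part of the original article and not drawn from the case record) tallies a constructed audit trail under the two counting models discussed above: affirmative acts by a covered insider versus every downstream view. The field names, actors, and events are hypothetical, and counting one disclosure per distinct recipient is an assumption taken from the "each transmission to a new person" framing.

```python
from collections import Counter

PER_ACT = 1_000  # dollars per act, the § 7431(c) figure quoted in the article

# Constructed sample audit trail; every field name and value is hypothetical.
EVENTS = [
    {"actor": "contractor-a", "covered": True, "action": "inspect", "record": "TP-001", "recipient": None},
    {"actor": "contractor-a", "covered": True, "action": "inspect", "record": "TP-001", "recipient": None},
    {"actor": "contractor-a", "covered": True, "action": "inspect", "record": "TP-002", "recipient": None},
    {"actor": "contractor-a", "covered": True, "action": "transmit", "record": "TP-001", "recipient": "outlet-1"},
    {"actor": "contractor-a", "covered": True, "action": "transmit", "record": "TP-001", "recipient": "outlet-1"},  # resend
    {"actor": "contractor-a", "covered": True, "action": "transmit", "record": "TP-001", "recipient": "outlet-2"},
    {"actor": "contractor-a", "covered": True, "action": "transmit", "record": "TP-002", "recipient": None},  # log gap
    {"actor": "public", "covered": False, "action": "view", "record": "TP-001", "recipient": None},
    {"actor": "public", "covered": False, "action": "view", "record": "TP-001", "recipient": None},
    {"actor": "public", "covered": False, "action": "view", "record": "TP-001", "recipient": None},
]

def tally(events):
    """Per record: insider inspections, distinct-recipient disclosures, downstream views, gaps."""
    inspections, views, gaps = Counter(), Counter(), Counter()
    recipients = {}
    for e in events:
        rec = e["record"]
        if e["covered"] and e["action"] == "inspect":
            inspections[rec] += 1          # each unauthorized open is its own act
        elif e["covered"] and e["action"] == "transmit":
            if e["recipient"] is None:
                gaps[rec] += 1             # transmission logged without a recipient: cannot be counted
            else:
                recipients.setdefault(rec, set()).add(e["recipient"])  # assumption: one per new person
        elif not e["covered"]:
            views[rec] += 1                # consumption by the public, not an act of the custodian
    records = sorted({e["record"] for e in events})
    return {r: {"inspections": inspections[r], "disclosures": len(recipients.get(r, ())),
                "downstream_views": views[r], "unattributed_transmits": gaps[r]} for r in records}

def exposure(counts, include_views=False):
    """Dollar figure at PER_ACT per counted act; include_views models the per-reader theory."""
    acts = counts["inspections"] + counts["disclosures"]
    if include_views:
        acts += counts["downstream_views"]
    return acts * PER_ACT

if __name__ == "__main__":
    for record, c in tally(EVENTS).items():
        print(record, c, exposure(c), exposure(c, include_views=True))
```

The `unattributed_transmits` column is the recordkeeping problem in miniature: a transmission logged without a recipient can be neither counted nor ruled out under either model.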
For now, the best reading of the cases is this: Under § 7431, multiple unauthorized inspections and multiple affirmative disclosures by covered actors can support multiple statutory-damages awards. The cases support counting letters, reports, meetings, database inspections, and particular transmissions. They do not yet support the proposition that every member of the public who later reads leaked tax information creates a new $1,000 claim against the government. That theory remains technologically seductive, rhetorically powerful, and legally unproven. For others suffering a data breach, it is important to determine the nature of the information disclosed and the statutory provisions protecting that information to see if they provide for a “per disclosure” damage award. On the internet, those can aggregate really quickly.

