Privacy Act and "actual damages"
Lauren Gelman writes:
I’m breaking blog silence to report on an amazing decision out of the DC Circuit holding that the federal Privacy Act’s requirement that Plaintiffs show actual damages does not require pecuniary harm but can be met by a showing of emotional distress. Am. Fed’n of Gov’t Employees v. Hawley, D.D.C., No. 07-00855, 3/31/08.
[T]he plaintiffs’ alleged injury is not speculative nor dependent on any future event, such as a third party’s misuse of the data, the court said. The court finds that plaintiffs have standing to bring their Privacy Act claim.
This follows the Supreme Court’s holding in Doe v. Chao, 540 U.S. 614 (2004) that a plaintiff must prove actual damages to succeed on an alleged Privacy Act violation, however in that case, the court never defined “actual damages.”
Links: Her post, “Am. Fed’n of Gov’t Employees v. Hawley.pdf.”
I think this is a fascinating decision. The assertion that privacy damages are primarily financial is a very narrow one. We have already entered an age in which information is widely understood to have great value. Much of that value derives from a mind-numbing array of intrusions on seclusion, and allows for action on a poor shadow of what we used to call reputation.
As the value and use of that data grows, the costs and risks of abuse or negligence in the gathering, storage or application of that data also grows. There’s every reason to expect that the law will find a way to sort out those torts.
Interesting, indeed. The TSA could still easily win the case, of course. This was a (partial) denial of a motion to dismiss.
It’s good to go beyond actual past financial damages, but “emotional distress” is far too subjective a standard, inviting judges, juries, and expert witnesses to play favorites. If your distress is not of the kind the judges, juries, or psychiatrists sympathize with, or if you can’t act out your distress in the courtroom, you’re out of luck. And on such subjective issues the expert witnesses usually cancel each other out, leaving one at the mercies of the subjective beliefs of judge and jury.
In any case, this test is far to narrow:
[T]he plaintiffs’ alleged injury is not speculative nor dependent on any future event, such as a third party’s misuse of the data.
But risk is not the same thing as speculation. If data is lost in a way that creates quantifiable risk, for example based on past amounts of identification theft based on this kind of data, it is straightforward to price the risk and assess this price as damages. Assessing the contributions of different bits of data out of the assemblages an identity thief needs, e.g. loss of social security number but not birthday, is a little more speculative, but I suspect in the future we will have enough data to quantify even these partial and conditional risks with reasonable confidence.
One should also be able to collect damages for costs incurred in signing up for preventative or insurance services such as the much hyped LifeLock: some fraction of these charges is a reasonable proxy measure for the enhanced risk of identity theft from the data loss.
I expect that as society (and especially insurance companies) gather and analyze more such data, we will switch to risk-based damages in this area, rather than mere past actual damages at the one extreme or emotional damages at the other. But it may take some activism to move us towards this middle ground, as judges love the discretion tests like “emotional distress” give them.
“Gather and analyze such data” is precisely it.
What matters is understanding (and that means quantifying) the linkage (if it exists to a non-trivial degree) between exposed PII and fraud or attempted fraud.
I know there are some smart people trying to do this, and we’ve written about it here on a few occasions.
I’d like to remind commenters that not all privacy issues are those of impersonation fraud, and not all privacy damages result from impersonation.