[Dataloss] court ruling regarding TSA databreech

Henry Brown hbrown at knology.net
Sat Apr 12 09:14:28 UTC 2008 

 From Lauren Gelman's blog
Court holds Privacy Act "actual damages requirement" does not require 
pecuniary harm
http://cyberlaw.stanford.edu/node/5734

I'm breaking blog silence to report on an amazing decision out of the DC 
Circuit holding that the federal Privacy Act's requirement that 
Plaintiffs show actual damages does not require pecuniary harm but can 
be met by a showing of emotional distress. Am. Fed'n of Gov't Employees 
v. Hawley, D.D.C., No. 07-00855, 3/31/08.

[T]he plaintiffs' alleged injury is not speculative nor dependent on any 
future event, such as a third party's misuse of the data, the court 
said. The court finds that plaintiffs have standing to bring their 
Privacy Act claim.

This follows the Supreme Court's holding in Doe v. Chao, 540 U.S. 614 
(2004) that a plaintiff must prove actual damages to succeed on an 
alleged Privacy Act violation, however in that case, the court never 
defined "actual damages."

I think this is a great decision that supports the belief that people's 
harm from a privacy loss is not just another's use of that information 
to cause financial loss (i.e. identity theft), but that emotional 
damages and embarrassment are cognizable harms of privacy violations.
[...]

The Actual court document...
https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2007cv0855-6

Summary provided by Saqib Ali from the FDE newsgroup..

In the recent American Federation Of Government Employees (plaintiff) 
v.s. Kip Hawley, in his official capacity as Administrator for TSA, the 
plaintiffs alleged that defendants violated the Aviation and 
Transportation Security Act ("ATSA") and the Privacy Act by failing to 
establish appropriate safeguards to insure the security and 
confidentiality of personnel records which resulted in unintended 
disclosure of Personally Identifiable Information (PII) of 100,000 TSA 
employees.

The defendants argued that "that the individual plaintiffs should be 
dismissed for lack of standing for failing to demonstrate an 
injury-in-fact. Mot. Dismiss at 13.11 According to defendants, 
plaintiffs' concerns about future harm are speculative and dependent 
upon the criminal actions of third parties. Mot. Dismiss at 13–15"

The court, however, disagrees: "Plaintiffs allege that because TSA 
violated § 552a(e)(10) by failing to establish safeguards to secure the 
missing hard drive, they have suffered an injury in the form of 
embarrassment, inconvenience, mental distress, concern for identity 
theft, concern for damage to credit
report, concern for damage to financial suitability requirements in 
employment, and future substantial financial harm, [and] mental distress 
due to the possibility of security breach at airports." Compl. 41–42. As 
such, plaintiffs' alleged injury is not speculative nor dependent on any 
future event, such as a third party's misuse of the data.12 The court 
finds that plaintiffs have standing to bring their Privacy Act claim."


[...]

More information about the Dataloss mailing list