[Infowarrior] - Court ruling regarding TSA databreech

Richard Forno rforno at infowarrior.org
Sat Apr 12 14:55:39 UTC 2008 

(c/o dataloss)

------ Forwarded Message

From: Henry Brown

 From Lauren Gelman's blog
Court holds Privacy Act "actual damages requirement" does not require
pecuniary harm
http://cyberlaw.stanford.edu/node/5734

I'm breaking blog silence to report on an amazing decision out of the DC
Circuit holding that the federal Privacy Act's requirement that
Plaintiffs show actual damages does not require pecuniary harm but can
be met by a showing of emotional distress. Am. Fed'n of Gov't Employees
v. Hawley, D.D.C., No. 07-00855, 3/31/08.

[T]he plaintiffs' alleged injury is not speculative nor dependent on any
future event, such as a third party's misuse of the data, the court
said. The court finds that plaintiffs have standing to bring their
Privacy Act claim.

This follows the Supreme Court's holding in Doe v. Chao, 540 U.S. 614
(2004) that a plaintiff must prove actual damages to succeed on an
alleged Privacy Act violation, however in that case, the court never
defined "actual damages."

I think this is a great decision that supports the belief that people's
harm from a privacy loss is not just another's use of that information
to cause financial loss (i.e. identity theft), but that emotional
damages and embarrassment are cognizable harms of privacy violations.
[...]

The Actual court document...
https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2007cv0855-6

Summary provided by Saqib Ali from the FDE newsgroup..

In the recent American Federation Of Government Employees (plaintiff)
v.s. Kip Hawley, in his official capacity as Administrator for TSA, the
plaintiffs alleged that defendants violated the Aviation and
Transportation Security Act ("ATSA") and the Privacy Act by failing to
establish appropriate safeguards to insure the security and
confidentiality of personnel records which resulted in unintended
disclosure of Personally Identifiable Information (PII) of 100,000 TSA
employees.

The defendants argued that "that the individual plaintiffs should be
dismissed for lack of standing for failing to demonstrate an
injury-in-fact. Mot. Dismiss at 13.11 According to defendants,
plaintiffs' concerns about future harm are speculative and dependent
upon the criminal actions of third parties. Mot. Dismiss at 13­15"

The court, however, disagrees: "Plaintiffs allege that because TSA
violated § 552a(e)(10) by failing to establish safeguards to secure the
missing hard drive, they have suffered an injury in the form of
embarrassment, inconvenience, mental distress, concern for identity
theft, concern for damage to credit
report, concern for damage to financial suitability requirements in
employment, and future substantial financial harm, [and] mental distress
due to the possibility of security breach at airports." Compl. 41­42. As
such, plaintiffs' alleged injury is not speculative nor dependent on any
future event, such as a third party's misuse of the data.12 The court
finds that plaintiffs have standing to bring their Privacy Act claim."


[...]

More information about the Infowarrior mailing list