
Kirk J. Nahra, CIPP

Privacy and security litigation remains an area of intense interest. A wide variety of high-profile security breaches has focused attention on the risks associated with the use, disclosure and maintenance of personal information by entities in essentially all industries. New laws continue to emerge, at both the state and federal level. Yet, there has been a relatively modest amount of privacy and security litigation, and no breakthrough decision that heralds a new era of litigation risks for companies that use and disclose personal information. What can we learn from the recent past on privacy and security litigation?

What Is the State of the Play Today?

  • We know there is an increasing awareness of privacy and security issues in litigation, even where a specific privacy law is not the focus of the case.
  • The volume of privacy and security litigation has been relatively small, certainly much less than was predicted by many experts (including this one), although the amount of litigation is increasing slowly.
  • We are starting to see a wide range of cases based on security breaches or potential identity theft situations, although plaintiffs continue to face uphill struggles in these cases.
  • And, while plaintiffs have become very adept at creating privacy and security causes of action, particularly in situations involving individual harm, courts - for the time being - remain relatively skeptical about many of these claims.

Key Lessons Learned
With that background, what are the major lessons learned from recent privacy and security cases?

1. Damages still matter - a lot
It is clear that judges - starting with a limited number of cases and now forming a clear line of precedent - are imposing a significant hurdle for privacy and security cases: a failure to allege actual damages bars the litigation from moving forward. The first key case is also one of the most straightforward - Smith v. Chase Manhattan Bank, 741 N.Y.S.2d 100 (App. Div. 2002).

In Smith, a bank promised its customers that it would not and did not sell their personal information to third parties. Instead, the suit alleged, the bank did sell customer lists to third parties, including a telemarketing firm. The bank allegedly received a percentage of the products sold as a result of these telemarketing services.

Despite this egregious set of allegations, the court's decision is revealing. The court dismissed the complaint, finding no allegations of actual damages. Instead, the court said that "the 'harm' at the heart of this purported class action, is that class members were merely offered products and services which they were free to decline. This does not qualify as actual harm." Moreover, "[t]he complaint does not allege a single instance where a named plaintiff or any class member suffered any actual harm due to the receipt of an unwanted telephone solicitation or a piece of junk mail." Accordingly, the court found that the complaint was dismissed appropriately for failure to state a cause of action. This means the court found that no claim existed on the facts as they were alleged, not that the allegations were wrong.

Smith is the clearest enunciation of the "no damages" theory - but not the only one. More recent decisions (involving DSW and Acxiom Corp.), where potential identity theft has been alleged, follow the same idea - no actual damage, no case. 

The court in Forbes v. Wells Fargo Bank, N.A., 420 F. Supp. 2d 1018 (D. Minn. 2006), took this one step further, rejecting a claim by potentially harmed individuals against a bank, where the individuals had asserted negligence and breach of contract claims. This case involved a third-party service provider to a Wells Fargo subsidiary. The service provider was the victim of a theft in which computers containing unencrypted personal financial information were stolen. The bank notified the affected individuals about the theft; promptly, a class action suit was filed by these bank customers. These plaintiffs asserted a variety of costs related to the theft, primarily the cost of monitoring their financial accounts against potential loss.

In line with other cases, the court rejected these claims, essentially because there was no evidence indicating that any information from these computers had been misused. The court also found that the personal time and money spent by this purported class "was not the result of any present injury, but rather the anticipation of future injury that has not materialized."

These cases are now a solid line of precedent. In Randolph v. ING Life Ins. & Annuity Co., 486 F.Supp. 2d 1 (D.D.C. 2007), the court, following the theft of a laptop, found that the plaintiffs had failed to allege any injury that is "actual or imminent, not conjectural or hypothetical." The court then concluded that the plaintiffs' allegations "therefore amount to mere speculation that at some unspecified point in the indefinite future they will be victims of identity theft." Even more recently, in Kahle v. Litton Loan Servicing LP, 486 F.Supp. 2d 705 (S.D. Ohio 2007), the court, following a line of cases that "clearly reject the theory that a plaintiff is entitled to reimbursement for credit monitoring services or for time and money spent monitoring her credit," found that any "injury of the plaintiff is purely speculative," and rejected the idea that this speculative injury could constitute damages in a negligence case. 
A lack of actual damages - even in the face of clear security breaches - is now the primary hurdle in most privacy and security cases.

2. Even though there is no private cause of action in most privacy laws, legitimate alternative theories are emerging, particularly for "individual harm" situations.
While plaintiffs have struggled to assert private causes of action directly, they now are learning to be more creative - with the possibility that a new claim for "negligence" may emerge. The most likely candidate for leading precedent in this area is the case of Acosta v. Bynum, 638 S.E.2d 246 (N.C. Ct. App. 2006). Here, the court reinstated claims against a psychiatrist who allegedly allowed an office manager access to psychiatric records that were then used to cause harm to a patient. The appellate court decision found it appropriate to use HIPAA as creating a standard of care in making claims that a defendant violated a standard of care. This decision therefore creates the opportunity to use HIPAA as a measuring stick for a traditional tort claim -even in a situation where there was no obviously egregious behavior. While damages still will be required, this case provides a means of getting around the lack of a cause of action. It is one to watch in the years ahead.

Acosta may be the clearest case on this "negligence" idea, but it is not the only recent case permitting "HIPAA-like" claims to be brought without relying on a HIPAA cause of action. While similar cases have not yet been brought under other statutes, there is no reason that this theory won't work under these laws.

The recent case of Sorensen v. Barbuto, 143 P.3d 295 (Utah Ct. App. 2006), cert. granted, 150 P.3d 544 (Utah 2006), also is interesting. In the case, a patient sued his former doctor, for providing assistance to the defendant in a personal injury suit brought by the patient. While this case may be most noticeable for the idea that - with the right facts - judges may seek out means of remedying these violations, where there is a reasonably defined actual harm or particularly bad behavior, it is an interesting spin on a HIPAA claim.

The Sorensen decision stems from Sorensen's suit against Barbuto (his former physician), brought after Sorensen learned of Barbuto's involvement with his opposing defense counsel. He asserted breach of contract and various tort claims against Barbuto, all of which were dismissed by the trial court. This decision was rendered by the Utah Court of Appeals, reversing most of this dismissal.

The court first rejected Barbuto's claim that he violated no duty because Sorensen had placed his physical condition at issue in the case, finding that this "exception" to the physician-patient privilege doctrine could not be the basis for Barbuto to act against the patient in a suit where Barbuto was a third party. The court then held that "ex parte communication between a physician and opposing counsel constitutes a breach of the physician's fiduciary duty of confidentiality." The court also held that the trial court's dismissal of Sorensen's negligence claim was in error, as the fiduciary duty that existed in this situation could support a negligence claim.

The court also found that Sorensen could pursue a claim for intentional infliction of emotional distress. Because Barbuto not only communicated ex parte with defense counsel, but also became a paid advocate for Sorensen's adversary, the conduct by Barbuto met the threshold of "extreme and outrageous" conduct necessary to sustain a claim for intentional infliction of emotional distress.

Herman v. Kratche, Case No. 86697, 2006 WL 3240680 (Ohio App. Dist. Nov. 9, 2006) is another case to watch. Here, the plaintiff received medical treatment from a clinic. The clinic sent the results of the treatment to the HR Department of the plaintiff's employer. The employer and the patient told the clinic that there was no workers' compensation claim, and that nothing should be provided to the employer, yet the material continued to be sent to the employer.

The court decision says that the clinic had a fiduciary duty to the patient, a duty to keep information confidential, and breached that duty. The fact that the employer also owed duties to the plaintiff did not mitigate the clinic's breach. The court properly rejected the interesting argument that, under a HIPAA "circle of confidentiality" theory, there was no unauthorized disclosure because a disclosure to another entity with its own regulatory obligations would not violate HIPAA. Accordingly, the court permitted various claims to go forward based on the unauthorized disclosure.

These cases are not uniform, but they do represent the realistic possibility of two key theories - negligence, through a failure to meet a standard of care set by legislative or regulatory standards, or "breach of (fiduciary) duty," through failure to meet these same standards.

3. There is no class action breakthrough (yet)
While these "quasi-negligence" cases present a real risk of becoming a new basis for privacy and security claims, these cases - so far - have been focused on individual situations, where a specific individual faced a particular harm.

On a broader basis, there still has been no significant breakthrough case related to class action allegations. For example, even in the series of cases related to the ChoicePoint security breach - one of the most prominent breaches and one where the facts led to development of state notification laws around the country - the class action plaintiffs have come up empty. In the most recent decision, Harrington v. ChoicePoint Inc., CV 05-0124 MRP (C.D. Cal. Oct. 11, 2006), five separate actions were consolidated into a class action suit in the Central District of California, alleging violations of the Fair Credit Reporting Act (FCRA) and various California statutes. The plaintiffs sought actual, statutory and exemplary damages, as well as injunctive relief, attorneys' fees and costs. The court rejected the FCRA claim because the plaintiffs failed to provide any evidence that would support their contention that the disclosed information met the three requirements of a "consumer report" under FCRA. Once the federal claims were dismissed, the court declined to exercise supplemental jurisdiction and dismissed the state claims as well, resulting in a complete dismissal of all claims against ChoicePoint.

The question in these class action cases is whether any particular case will result in a breakthrough - and a turnaround in the attitudes of class action attorneys in these cases. The litigation against TJX presents this possibility - if the multiple cases that have been filed result in a substantial recovery. We also have seen some recent class certifications - for settlement purposes only - in cases involving Commerce Bankcorp and American Express. While these cases do not constitute realistic precedent, and incorporate no court decisions altering the discussion on damages or the appropriateness of a class on the merits, they do warrant attention, as a sufficient number of class-oriented settlements may have the effect of altering the dynamics in these cases.  

4. But the plaintiffs are still trying
For plaintiffs, the biggest potential opportunity has involved a substantial number of new cases filed in connection with an alleged breach of a single provision of the Fair and Accurate Credit Transactions Act (FACTA), related to the "truncation" of credit card numbers on receipts provided to customers. (See related page 1 story.) These suits are designed to evade the "no damages" issue; here, the plaintiffs' counsel have asserted "statutory damages" (because no actual damages exist), with claims totaling in the billions of dollars. While these cases are only beginning, they present some real risks for defendants - although the allegations also trivialize the actions of companies around the country to take better steps to protect the data they maintain. In these cases, clearly no one has been harmed; none of the cases even bother to assert any actual harm. But, these cases remain significant and an area for all companies to watch; they also should serve as a reminder to all companies that accept credit cards to make sure their practices fit this statutory standard.

The initial decisions are starting to trickle in. One court rejected a motion to dismiss a FACTA class action, in Leowardy v. Oakley Inc., No. 8:07-cv-0053, 2007 WL 1113984 (C.D. Cal. April 10, 2007), that had asserted that the individuals had no standing to bring the suit under the private cause of action provisions of the statute. A similar standing decision was issued in Eskandari v. IKEA U.S. Inc., No. 8-cv-01248, 2007 WL 845948 (C.D. Cal. March 12, 2007).

A potentially more significant decision was issued in Spikings v. Cost Plus Inc., No. 2:06-cv-08125 (C.D. Cal. May 25, 2007). Here, the court rejected class certification in one of the FACTA cases in which plaintiffs alleged too much information was printed on card receipts. According to the court, "[i]n this case, if a class is certified and Plaintiff prevails, even the minimum statutory damages would be ruinous to Defendant." If the plaintiff was able to prove a willful violation, "statutory damages alone would range from a minimum of $340 million to a maximum of $3.4 billion." Focusing on the plaintiff's testimony that there had been no actual damages, the court also noted that "[m]ost importantly, denial of class certification in this case does not prevent any of Defendant's customers who may have suffered actual damages as a result of Defendant's conduct from proceeding with individual cases to recover those damages."

5. Don't think that privacy laws are a good shield from the discovery process
Recent cases also make clear that most privacy laws do not create a shield that can protect companies from the need to produce information in discovery. For example, the Mississippi Supreme Court in Capital One Services, Inc. v. Page, 942 So. 2d 760 (Miss. 2006), ordered a credit card issuer to turn over documents in a lawsuit brought by a cardholder, rejecting the card firm's claims that disclosure of the information is barred by the Gramm-Leach-Bliley Act's (GLBA) privacy provisions. Similarly, in Ex parte National Western Life Insurance Co., 899 So. 2d 218 (Ala. 2004), the Alabama Supreme Court held that GLBA does not shield the records of financial institutions' customers from disclosure to third parties pursuant to a discovery order in a private suit. Realistic litigation has been recognized as an appropriate means for the production of personal information, and, as long as the required procedures are followed, companies cannot use these laws to prevent discovery.

6. Beware of state FOIA claims
Perhaps similar to the discovery cases, companies (and individuals) need to be aware of the new risk that sensitive personal information may be subject to disclosure through government "open records" laws. For example, in State ex rel. Cincinnati Enquirer v. Daniels, 844 N.E. 2d 1181 (2006), the Ohio Supreme Court, in dicta, indicated that the state freedom of information laws trumped the HIPAA Privacy Rule, so that information held by the state, to the extent it had a HIPAA-covered entity role, also would be subject to disclosure under the freedom of information act. A similar opinion was issued by the attorney general in Texas, indicating that the requirements of the open government law meant that HIPAA-protected data would be subject to disclosure. Companies and government entities should be re-evaluating their production processes or reconsidering exceptions to these laws, so that personal information is not disclosed inappropriately.

Privacy and security litigation is not going away. There is a continuing perfect storm of a large number of new laws that have overlapping and potentially conflicting requirements, with increased enforcement and ongoing security breaches. Companies in all industries need to be aware of the risks of litigation and take steps to reduce those risks.

With that said, many uphill challenges remain to bringing successful privacy/security suits (or, conversely, lots of defenses still exist, even when companies have not behaved well). Damages are a substantial hurdle, particularly in class action cases. In "individual harm" situations, companies need to be careful to meet existing privacy and security standards, even where these standards contain no private cause of action, as courts are beginning to recognize these standards as setting a standard of care that must be met.

Kirk Nahra is a Partner with Wiley Rein LLP in Washington, D.C., where he specializes in privacy and information security litigation and counseling. He is chair of the firm's Privacy Practice. He serves on the IAPP Board of Directors and is the Editor of The Privacy Advisor.
He is a Certified Information Privacy Professional. He is the Chair of the Confidentiality, Privacy and Security Workgroup, a panel of government and private sector privacy and security experts advising the American Health Information Community (AHIC). He may be reached at

