BreachExchange mailing list archives
court ruling regarding TSA data breach
From: Henry Brown <hbrown () knology net>
Date: Sat, 12 Apr 2008 04:14:28 -0500
From Lauren Gelman's blog

Court holds Privacy Act "actual damages requirement" does not require pecuniary harm
http://cyberlaw.stanford.edu/node/5734

I'm breaking blog silence to report on an amazing decision out of the DC Circuit holding that the federal Privacy Act's requirement that Plaintiffs show actual damages does not require pecuniary harm but can be met by a showing of emotional distress. Am. Fed'n of Gov't Employees v. Hawley, D.D.C., No. 07-00855, 3/31/08.

[T]he plaintiffs' alleged injury is not speculative nor dependent on any future event, such as a third party's misuse of the data, the court said. The court finds that plaintiffs have standing to bring their Privacy Act claim.

This follows the Supreme Court's holding in Doe v. Chao, 540 U.S. 614 (2004) that a plaintiff must prove actual damages to succeed on an alleged Privacy Act violation, however in that case, the court never defined "actual damages."

I think this is a great decision that supports the belief that people's harm from a privacy loss is not just another's use of that information to cause financial loss (i.e. identity theft), but that emotional damages and embarrassment are cognizable harms of privacy violations.

[...]

The Actual court document...
https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2007cv0855-6

Summary provided by Saqib Ali from the FDE newsgroup..

In the recent American Federation Of Government Employees (plaintiff) v. Kip Hawley, in his official capacity as Administrator for TSA, the plaintiffs alleged that defendants violated the Aviation and Transportation Security Act ("ATSA") and the Privacy Act by failing to establish appropriate safeguards to insure the security and confidentiality of personnel records which resulted in unintended disclosure of Personally Identifiable Information (PII) of 100,000 TSA employees.

The defendants argued "that the individual plaintiffs should be dismissed for lack of standing for failing to demonstrate an injury-in-fact. Mot. Dismiss at 13.11 According to defendants, plaintiffs' concerns about future harm are speculative and dependent upon the criminal actions of third parties. Mot. Dismiss at 13–15"

The court, however, disagrees:

"Plaintiffs allege that because TSA violated § 552a(e)(10) by failing to establish safeguards to secure the missing hard drive, they have suffered an injury in the form of embarrassment, inconvenience, mental distress, concern for identity theft, concern for damage to credit report, concern for damage to financial suitability requirements in employment, and future substantial financial harm, [and] mental distress due to the possibility of security breach at airports." Compl. 41–42. As such, plaintiffs' alleged injury is not speculative nor dependent on any future event, such as a third party's misuse of the data.12 The court finds that plaintiffs have standing to bring their Privacy Act claim."

[...]