Educause Security Discussion mailing list archives

Re: Negligence for privacy/security breach standard in tort


From: "Shackelford, Scott James" <sjshacke () INDIANA EDU>
Date: Fri, 21 Nov 2014 17:00:04 +0000

Dear all,

To piggyback off this important topic, I just wanted to mention that a research team and I have a law review article 
forthcoming that explores the development of a standard of cybersecurity care in the US, paying particular attention to 
the impact of the NIST Framework. Here’s a link: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2446631.

Cheers,
-Scott

--
Scott J. Shackelford, JD, Ph.D. | Assistant Professor of Business Law and Ethics | Indiana University, Kelley School of 
Business | Distinguished Fellow & Visiting Assistant Professor | University of Notre Dame | Senior Fellow | Center for 
Applied Cybersecurity Research | Indiana University | 1309 E. Tenth St. | Bloomington, IN 47405-1701 | tel (812) 
856-6728 | fax (812) 855-8679 | sjshacke () gmail com |
--------------------------------------------------
View my research on my SSRN Author page:
http://ssrn.com/author=1195469
--------------------------------------------------


From: Tracy Beth Mitrano <tbm3 () CORNELL EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Thursday, November 20, 2014 at 5:07 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Negligence for privacy/security breach standard in tort

We have been waiting for this kind of case to set the standard for negligence in common law torts for privacy or 
security breaches, and Dan Solove makes a good argument that the current standards that exist in privacy laws, HIPAA 
and even FERPA, may be exactly that.

Pulled it off of LinkedIn at:

https://www.linkedin.com/pulse/article/20141118051323-2259773-lawsuits-for-hipaa-violations-and-beyond-a-journey-down-the-rabbit-hole?trk=mp-reader-card


Text below for those who are registered on that site.

Tracy


____________________________________________________________________


At first blush, it seems impossible for a person to sue for a HIPAA violation. HIPAA lacks a private cause of action. 
So do many other privacy and data security laws, such as FERPA, the FTC Act, the Gramm-Leach-Bliley Act, among others. 
That means that these laws don’t provide people with a way to sue when their rights under these laws are violated. 
Instead, these laws are enforced by agencies.

But wait! Stop the presses!

A recent decision by the Connecticut Supreme Court has concluded that people really can sue for HIPAA violations. As I 
will explain later, this is not a radical conclusion . . . though the implications of this conclusion could be quite 
radical and extend far beyond HIPAA.

A number of folks have blogged about this case, but not many have explored the depths of this rabbit hole.

Let’s start with the Connecticut Supreme Court decision, and then follow the White Rabbit. . . .

The Connecticut Supreme Court Invites HIPAA In

In Byrne v. Avery Center for Obstetrics and 
Gynecology<http://www.jud.ct.gov/external/supapp/Cases/AROcr/CR314/314CR78.pdf>, No. 18904, 2014 WL 5507439 (Conn. Nov. 
11, 2014), Byrne received medical care from the Avery Center while in a personal relationship with Andro Mendoza. 
Byrne warned the Avery Center not to release her medical records to Mendoza. Mendoza later filed a paternity suit, and 
the court issued a subpoena to the Avery Center to appear with Byrne’s medical records. The Avery Center mailed a copy 
of the medical forms to the court. Byrne claimed that the disclosure of the medical forms was not done properly under 
HIPAA and that she should have been notified of the subpoena.

As a result of the disclosure, Byrne filed suit for breach of contract, negligently releasing her medical file without 
authorization, negligent misrepresentation of the Center’s privacy policy, and negligent infliction of emotional 
distress.

The Connecticut Supreme Court held that HIPAA could be used as a basis in establishing the standard of care for 
negligence. According to the court, “to the extent it has become the common practice for Connecticut health care 
providers to follow the procedures required under HIPAA in rendering services to their patients, HIPAA and its 
implementing regulations may be utilized to inform the standard of care applicable to such claims arising from 
allegations of negligence in the disclosure of patients’ medical records pursuant to a subpoena.”

The Common Law in Privacy and Data Security Cases

How can this be? The answer stems from the nature of the common law. The common law provides a myriad of causes of 
action for plaintiffs to bring in lawsuits. Some of the most common ones in privacy cases include the privacy torts, 
the breach of confidentiality tort, and negligence.

Breach of Confidentiality

In the medical context, for example, when a physician, hospital, or other entity has a duty of confidentiality and then 
breaches that duty, a plaintiff can sue under the breach of confidentiality tort. HIPAA comes in not to provide the 
cause of action – that’s supplied by the common law – but instead to define the standard used by the common law. For 
breach of confidentiality, courts look to norms, ethical rules, and laws to determine the duties that caregivers owe to 
patients. HIPAA is a law that establishes duties, and thus serves as a useful source of duties for the common law.

More than ten years ago, Peter Winn wrote a terrific article about this point, Confidentiality in Cyberspace: The HIPAA 
Privacy Rules and the Common Law<https://epic.org/privacy/imshealth/winn_rutgers_02.pdf>, 33 Rutgers L.J. 617 (2002). 
He argued that state courts would likely use the HIPAA standards to evaluate breach of confidentiality claims. Winn 
contended that HIPAA could even expand the reach of the breach of confidentiality tort beyond healthcare providers to 
business associates.

Negligence

Negligence is becoming more frequently used as a cause of action for privacy and data security violations. Typically, 
people think of negligence in terms of accidents. The traditional negligence case involves a car accident or a slip and 
fall. But negligence is quite a broad cause of action. It applies whenever a person owes other individuals a reasonable 
duty of care and that person breaches that duty of care and causes injury to an individual.

In R.K. v. St. Mary’s Medical 
Center<http://scholar.google.com/scholar_case?case=8937709822272365187&hl=en&as_sdt=6&as_vis=1&oi=scholarr>, 735 S.E.2d 
715 (W.Va. 2012), R.K was admitted to St. Mary’s as a psychiatric patient while in divorce proceedings with his 
estranged wife. While a patient, an employee of the hospital inappropriately accessed his files and shared confidential 
information with his wife. R.K. sued claiming negligence, among other causes of action. The defendant argued that many 
of R.K.’s claims were pre-empted by HIPAA.

The West Virginia Supreme Court of Appeals held that not only did HIPAA fail to preempt state law, but HIPAA may 
provide the standard of care for tort claims including negligence per se (an even more powerful result than regular 
negligence because negligence per se often gives plaintiffs a rebuttable presumption that the defendant was negligent).

The Byrne<http://www.jud.ct.gov/external/supapp/Cases/AROcr/CR314/314CR78.pdf> court noted that “several courts have 
found that a HIPAA violation may be used either as the basis for a claim of negligence per se, or that HIPAA may be 
used to supply the standard of care for other tort claims.”

This conclusion is actually not controversial. These courts are just applying a traditional and well-established common 
law principle – that statutes and regulation can readily be used to establish duties and standards of care.

Even though HIPAA lacks a private right of action, plaintiffs can still use HIPAA to establish a duty or standard of 
care under state common law. That means that the requirements of HIPAA can readily become the basis of a lawsuit, as 
there are many common law causes of action (such as negligence) that can be used to bring lawsuits for privacy and data 
security incidents.

These implications are radical enough. But why stop here? Let’s journey all the way to Wonderland!

Down the Rabbit Hole

We’ve stepped into the rabbit hole. And there’s room to go down.

That’s because the Connecticut Supreme Court’s reasoning doesn’t just apply to HIPAA – it can also apply to the 
numerous privacy and data security laws that lack a cause of action.

Et tu FERPA?

For example, consider FERPA, which also lacks a private cause of action. In Gonzaga University v. 
Doe<http://www.law.cornell.edu/supct/html/01-679.ZO.html>, 36 U.S. 273 (2002), a student tried to sue a university that 
improperly disclosed information about him in violation of FERPA. The U.S. Supreme Court held that FERPA lacked a 
private cause of action, and that student could not sue under FERPA or under 42 U.S.C. § 1983, which allows people to 
sue for violations of federal law.

FERPA enforcement has oft been criticized as being as ferocious as a miniature poodle with its teeth removed and on 
tranquilizers.

But there is a way for people to enforce FERPA. Sue! Like HIPAA, FERPA can serve as a source of duties and standards of 
care in the common law.

FTC Act

Let’s go further down the rabbit hole.

Other privacy and data security laws can serve as sources of common law duties and standards of care, regardless of 
whether they have a private cause of action. The FTC Act, for example, prohibits “unfair” and “deceptive” trade 
practices. The FTC has interpreted the Act to protect against privacy and data security violations, and has brought 
quite an extensive number of enforcement actions. For more detail about these actions, see my article, The FTC and the 
New Common Law of Privacy<http://ssrn.com/abstract=2312913>, 114 Columbia Law Review 583 (2014) (with Woodrow Hartzog). 
The FTC’s cases might be used as the basis for a duty or standard of care in the common law for privacy and data 
security.

COPPA

The Children’s Online Privacy Protection Act (COPPA) provides privacy protections for data gathered by websites about 
children under 13. It lacks a private right of action, but it too could be used to establish common law duties and 
standards of care. Unlike HIPAA, FERPA, and many other privacy laws, COPPA preempts state law, and this fact might stop 
it from being used in this way.

GLBA

The Gramm-Leach-Bliley Act (GLBA), which imposes privacy and data security requirements on financial institutions, 
could also be a source of duties and standards of care in the common law. So could other laws without a private right 
of action – whether federal or state.

The Rabbit Hole Goes Deeper

There’s no reason why the principle of looking to statutes to help establish duties and standards of care in the common 
law cannot be applied to statutes that have their own causes of action, such as the Electronic Communications Privacy 
Act (ECPA) and the Cable Communications Policy Act (CCPA). The common law could expand the ways in which an entity could 
be liable beyond the contours of the particular cause of action.

For example, one of the major limitations of the Computer Fraud and Abuse Act (CFAA), which prohibits unlawful access 
to another’s computer, is that there is a $5000 threshold to receive damages. That means that plaintiffs will not be 
able to receive compensation when another person or entity unlawfully accesses their computer unless they can prove a 
“loss aggregating at least $5000 in value.” This has made it very hard for plaintiffs to proceed.

But this threshold does not exist in the common law. Common law torts could be used to bring a suit, and the CFAA could 
be used to establish a duty.

Even Deeper . . .

We’re not to the bottom yet.

When finding duties in the common law, courts will often look beyond the law of their particular state to see what 
other states are doing. If other state laws or common law cases establish duties or standards of care, then courts can 
use these to establish a duty or standard of care in their own state.

Deeper Still . . .

You think we hit bottom? Hardly a chance!

When looking for duties and standards of care in the common law, courts will also look beyond law to various ethical 
rules and other professional codes of conduct – even to widely-followed norms.

Consider McCormick v. 
England<http://scholar.google.com/scholar_case?case=12160226891904363096&hl=en&as_sdt=6&as_vis=1&oi=scholarr>, 494 
S.E.2d 431 (S.C. Ct. App. 1997), where the court recognized a duty of confidentiality for physicians. The court stated: 
“In the absence of express legislation, courts have found the basis for a right of action for wrongful disclosure in 
four main sources: (1) state physician licensing statutes, (2) evidentiary rules and privileged communication statutes 
which prohibit a physician from testifying in judicial proceedings, (3) common law principles of trust, and (4) the 
Hippocratic Oath and principles of medical ethics which proscribe the revelation of patient confidences.”

For privacy and data security, there are a number of industry codes such as the Payment Card Industry’s Data Security 
Standard (PCI-DSS). Perhaps this could be used to establish common law duties and standards of care.

So could other codes, such as advertising industry codes regarding privacy and data security (NAI, DMA, etc.). So could 
the widely-articulated and adopted Fair Information Practice Principles (FIPPs).

Nearly anything can be used as evidence of a common law duty or standard of care . . . even an oath from antiquity.

Conclusion

Thus far, courts have barely traveled down the rabbit hole. Only a few cases have been decided drawing from other 
sources to find duties regarding privacy and data security in the common law. But the rabbit hole runs deep, and we’ll 
have to wait and see how far courts will follow the White Rabbit.
