An interesting decision came down last week by U.S. District Court for the District of Columbia that could potentially change the financial liability of data breaches by government agencies and private corporations. For the first time, the district court held that government employees who claimed that a data breach by the Transportation Service Agency (TSA) caused them harm have a valid cause of action against the government. Recent rulings in state courts have dismissed claims for lack of merit based on insufficient proof of emotional harm or financial damage.

In May of 2007, the TSA lost a hard drive containing the personal information of 100,000 of its employees. After the breach was disclosed, the TSA offered free credit-monitoring services to its employees and advised them to alert their financial institutions of potential cases of identity theft.

Since there is no federal law dealing with compensation for data breaches, employees of the TSA brought a civil action against the government under the Privacy Act of 1974. This piece of legislation governs how personal information is to be protected by federal government agencies. The act lays out requirements that the government must meet in order to establish appropriate safeguards in order to ensure the confidentiality of personnel records. It regulates the collection, maintenance, use, and dissemination of personal information by the government.

Employees of the TSA believed that the TSA had violated provisions of the Privacy Act and had been negligent in protecting their personal information. The TSA argued that the lawsuit lacked merit because the employees had failed to demonstrate damages and that their “concerns about future harm are too speculative and dependent upon criminal actions of third parties.” The Supreme Court and other courts have left open the question of what constitutes damages, and this continues to be a point of contention in litigation. In this instance, however, the court held that concern about identity theft, damage to financial suitability, and mental distress are not too speculative or dependent on future events to warrant dismissal of the lawsuit.

This is the first time that a federal court has stated that non-pecuniary injuries can qualify as actual damages. Even though the employees did not show a current or actual financial loss resulting from the disclosure of their personal information, the court held that their claim was sufficient to proceed with a lawsuit against the TSA.

While this is only the interpretation of a district court and will likely be appealed by the TSA, it does show that courts are beginning to recognize the costs that data breaches impose on the public. Even though TSA employees demonstrated no immediate financial injury, the court defined more broadly what it considers to be actual damages. Hopefully, allowing the lawsuit to move forward will pressure other government agencies to adopt better security standards to protect the information in their possession. If this ruling is affirmed, it could affect not only government agencies but corporations as well. If federal courts begin to redefine damages, it may not be long before state courts hold companies liable for their data breaches too.

About the Author: Guest Blogger
