A Court Holds that When a Company Breaks Its Promise to Keep Information Safe, It Cannot Be Sued: The Right Result, but One that Suggests the Need to Change the Law?


Friday, Jan. 30, 2009

Many companies have privacy policies in which they promise to keep safe any confidential information they collect – from Social Security numbers, to personal financial information, and even sexual history. Given such promises, is your information safe? The answer is a resounding no. The headlines are full of stories of security breaches, stolen company laptops, and even untrustworthy employees who steal customer data.

Such stories raise an important legal question: Does a company face any legal consequences if it breaks a confidentiality promise? The answer is: Not necessarily.

Indeed, a recent Louisiana case highlights how current law is inadequate to deal with the growing problem of security breaches and the insecurity of confidential customer data.

The Louisiana Case

The facts are as follows: In 2006, Louisiana resident Vicki Pinero hired Crescent City Tax Service -- a franchisee of Jackson Hewitt Tax Service -- to prepare her tax returns. She provided the company with confidential information, including her Social Security and driver's license numbers, date of birth, and information about her finances. Pinero alleges that she was shown and duly signed Jackson Hewitt's privacy policy. The company policy states that it had procedures in place (such as physical, electronic, and procedural safeguards) to protect customers' private data. She also alleges that she relied on this statement in her decision to hire the company and to hand over her information.

In early 2008, Pinero alleges, the company disposed of Pinero's 2005 federal and state tax returns, and those of over 100 other people, in a public dumpster, where a passerby found them. The returns were intact; they had not been shredded, burned or otherwise made illegible as required by federal and state law. The passerby contacted a local television news station and local law enforcement, in order to alert them to the documents, and as a result, the news station returned the tax returns to Pinero. Crescent City later issued a public statement asserting that the documents had been stolen.

Pinero sued -- alleging, among other causes of action, breach of contract and false inducement to enter into a contract.

Why the Court Dismissed the Louisiana Claims: No Compensable Damages, and No Fraudulent Inducement

Pinero claimed that she suffered emotional injury, worry, and distress as a result of the breach. She also sought reimbursement for out-of-pocket expenses relating to monitoring her credit for suspicious activity after she learned of the breach. But the court held that these damages did not count. It pointed out that for breach of contract, only monetary damages can be sought, and also that "[n]umerous courts have held that expenses related to credit monitoring to guard against future identity theft is not compensable damages."

As noted above, the plaintiff also sued for fraudulent inducement to enter into a contract -- claiming that the company misrepresented its privacy protections to convince her to hire them. However, the court found that Pinero had not pled facts showing that the company intended to misrepresent itself at the time the contract was signed, which is required for a fraudulent inducement claim. (It did, however, give her time to amend her complaint to attempt to plead such facts.)

In a JetBlue Lawsuit, the Court Ruled Similarly

A court reached a similar result in a 2005 suit against the airline JetBlue, which I described in a prior column. As part of its anti-terrorism efforts, the federal Transportation and Security Administration had asked that JetBlue transfer its passenger name records to a Department of Defense contractor for a trial run of a data mining and analysis program relating to airline data. In response, JetBlue transferred a large amount of customer data to defense contractor Torch Concepts -- in violation of its own privacy policy, where it promised not to disclose personal information to third parties. The JetBlue passengers were not notified by JetBlue in advance of the disclosure either.

As in the Pinero case, the court in the JetBlue case dismissed the contract claim for lack of alleged economic damages, noting that customers had no expectation of being compensated for the value of their personal information, either by JetBlue or by Torch.

It's Time to Change the Law to Effectively Protect Confidential Customer Data

Both of these courts were correct on the law – but, in my view, that means we should seriously consider changing the law.

In both cases, the company violated its affirmative promise to customers (theoretically a promise that helped it garner more revenue and more customers). And in Pinero's case, she and 100 others suffered an increased risk of identity theft, and had to vigilantly monitor their credit reports.

Until and unless the law changes, consumers' main recourse is to complain to the Federal Trade Commission (FTC) – which can punish companies that violate their own privacy policies, and has done so in the past. Large breaches could even incur hefty FTC fines. Customers can also protect themselves to some extent by asking for their records to be returned to them after the business transaction is over, and that no copies be kept – but in an age of electronic data, this remedy is only partial. Ultimately, Congress needs to think about ways to make companies more accountable – perhaps by heightening both FTC enforcement and state-level enforcement.

Anita Ramasastry is the D. Wayne and Anne Gittinger Professor of Law at the University of Washington School of Law in Seattle and a Director of the Shidler Center for Law, Commerce & Technology. She has previously written on business law, cyberlaw, computer data security issues, and other legal issues for this site, which contains an archive of her columns.
