A Court Holds that When a Company Breaks Its Promise to Keep Information Safe, It Cannot Be Sued: The Right Result, but One that Suggests the Need to Change the Law?
By ANITA RAMASASTRY
Friday, Jan. 30, 2009
Many companies have privacy policies in which they promise to keep safe any confidential information they collect – from Social Security numbers, to personal financial information, and even sexual history. Given such promises, is your information safe? The answer is a resounding no. The headlines are full of stories of security breaches, stolen company laptops, and even untrustworthy employees who steal customer data.
Such stories raise an important legal question: Does a company face any legal consequences if it breaks a confidentiality promise? The answer is: Not necessarily.
Indeed, a recent Louisiana case highlights how current law is inadequate to deal with the growing problem of security breaches and the insecurity of confidential customer data.
The Louisiana Case
In early 2008, Pinero alleges, the company disposed of Pinero's 2005 federal and state tax returns, and those of over 100 other people, in a public dumpster, where a passerby found them. The returns were intact; they had not been shredded, burned or otherwise made illegible as required by federal and state law. The passerby contacted a local television news station and local law enforcement, in order to alert them to the documents, and as a result, the news station returned the tax returns to Pinero. Crescent City later issued a public statement asserting that the documents had been stolen.
Pinero sued -- alleging, among other causes of action, breach of contract and false inducement to enter into a contract.
Why the Court Dismissed the Louisiana Claims: No Compensable Damages, and No Fraudulent Inducement
Pinero claimed that she suffered emotional injury, worry, and distress as a result of the breach. She also sought reimbursement for out-of-pocket expenses relating to monitoring her credit for suspicious activity after she learned of the breach. But the court held that these damages did not count. It pointed out that for breach of contract, only monetary damages can be sought, and also that "[n]umerous courts have held that expenses related to credit monitoring to guard against future identity theft is not compensable damages."
As noted above, the plaintiff also sued for fraudulent inducement to enter into a contract -- claiming that the company misrepresented its privacy protections to convince her to hire them. However, the court found that Pinero had not pled facts showing that the company intended to misrepresent itself at the time the contract was signed, which is required for a fraudulent inducement claim. (It did, however, give her time to amend her complaint to attempt to plead such facts.)
In a JetBlue Lawsuit, the Court Ruled Similarly
As in the Pinero case, the court in the JetBlue case dismissed the contract claim for lack of alleged economic damages, noting that customers had no expectation of being compensated for the value of their personal information, either by JetBlue or by Torch.
It's Time to Change the Law to Effectively Protect Confidential Customer Data
Both of these courts were correct on the law – but, in my view, that means we should seriously consider changing the law.
In both cases, the company violated its affirmative promise to customers (theoretically a promise that helped it garner more revenue and more customers). And in Pinero's case, she and 100 others suffered an increased risk of identity theft, and had to vigilantly monitor their credit reports.
Until and unless the law changes, consumers' main recourse is to complain to the Federal Trade Commission (FTC) – which can punish companies that violate their own privacy policies, and has done so in the past. Large breaches could even incur hefty FTC fines. Customers can also protect themselves to some extent by asking for their records to be returned to them after the business transaction is over, and that no copies be kept – but in an age of electronic data, this remedy is only partial. Ultimately, Congress needs to think about ways to make companies more accountable – perhaps by heightening both FTC enforcement and state-level enforcement.
Anita Ramasastry is the D. Wayne and Anne Gittinger Professor of Law at the University of Washington School of Law in Seattle and a Director of the Shidler Center for Law, Commerce & Technology. She has previously written on business law, cyberlaw, computer data security issues, and other legal issues for this site, which contains an archive of her columns.