No Claim Based on Disclosure of Email Address in Violation of Privacy Policy

Are privacy policies worth the paper they are printed on?  I'd say privacy policies have turned out to be useless from a consumer/enforceability standpoint.  Consumers have had little luck bringing claims based on express promises in privacy policies.

You would think that if you signed up for a service using a unique email address and the service provider disclosed or compromised the email address in express violation of the applicable privacy policy (resulting in your receipt of unsolicited commercial email) you would have a claim against the service provider?  No luck.  In a fairly rough result for the consumers involved, a federal court in New York rejected a proposed class action arising out of improper disclosure of email addresses in violation of the service provider's privacy policy.  (Cherny v. Emigrant Bank, 2009 U.S. Dist. Lexis 2486 (March 12, 2009).) 

Background: Plaintiff Stacy Cherny opened an account with EmigrantDirect and provided a unique email address he created specifically for use with this account.  He did not provide the email address to anyone else.  Sometime after he opened the account, he started receiving unsolicited email to this email address.  Emigrant's privacy policy provided that it would "ensure the confidentiality of all of [the customer's] confidential information."  Emigrant did not provide notice to Cherny that it disclosed the email address.  Cherny asserted claims under a variety of state law theories (in a proposed class action).  Judge Marrero of the Southern District of New York rejected the claims and dismissed the case.

The decision:  The crux of the court's ruling was that Cherny failed to allege actual injury or damages.  Cherny had alleged a host of harms, ranging from "loss of privacy" to "undue risk [of loss of confidential information]."  The court finds this insufficient:
"the release of potentially sensitive information alone, without evidence of misuse, is insufficient to cause damage to a plaintiff."
Cherny argued that the email address likely resided in the same database as his other more sensitive information.  The court was not swayed by this.  In the court's eyes, the ultimate question was whether Cherny could show actual damage.  (This is not an outlier result - courts have consistently held that disclosure of sensitive information alone does not equal damage.  Three recent posts:  the Hewitt data breach case; TJX (recent activity in the First Circuit on this one); and a case involving Acxiom.  Starbucks was recently sued in Washington for a data breach involving the theft of a laptop containing sensitive information.  We'll see how that one turns out.)

How about the Spam?  Cherny also argued that receipt of unsolicited email constituted one harm he suffered.  The court (citing Virtumundo and other cases) rejects the argument that receipt of spam is sufficient to demonstrate harm:
"the receipt of spam by itself . . . does not constitute a sufficient injury entitling Cherny to compensable relief."
The Privacy Policy?  Cherny's contractual/misrepresentation claims suffered the same fate as those of the plaintiff in the tax return case (who alleged that Hewitt breached its privacy policy in putting tax returns in dumpsters).  New York (like Louisiana) apparently has a rule that limits negligent misrepresentation claims to situations involving personal or property damage.  Cherny could only bring contractual claims, and these were barred by his deficient showing of damages.

My Thoughts:  Some legal questions (many) are all about the pendulum.  I think data breach/privacy claims fit in this category.  At this point, courts are at one extreme, rejecting virtually any claim made by a plaintiff around the disclosure of information.  It doesn't matter what the privacy policy says really, in the eyes of the courts.  It doesn't matter what risks are posed by the disclosure.  Courts have rejected any attempts to seek recovery for the improper disclosure of personal information unless there is proof that someone actually misused that information and damaged the plaintiff.  There will probably be a backlash.  Maybe in the form of legislation or in the form of some event or news which pushes courts to go in the other direction.  This case is a bit easier to explain than previous cases.  Courts simply are not sympathetic to cases where someone alleges damage based on receipt of an email.  Maybe it's because like us, they receive spam, and are forced to take the simple step of deleting it?  In reported decisions, spam plaintiffs generally have fared poorly.  On the other hand, I'm surprised the defendant's status as a bank did not change the case.  Banks are subject to special federal/state statutory rules around confidentiality and the disclosure of information.  There was little discussion of this.

NB:  the case was brought by a firm that often brings internet consumer cases (Kamber Edelson).  I'd say chances of an appeal are greater than average. 

  • 4/7/2009 12:09 PM Tom wrote:
    Interesting analysis, thanks for posting. So, I get how this "breach" of trust is not actionable through private right of action or class action through the courts. What are your thoughts with regard to the Federal Trade Commission and their purview over consumer trust online and in general?
  • 5/7/2009 9:52 AM Amanda wrote:
    I'll side with the court on this one. He can't prove that Emigrant Direct released his information - he could have received spam due to a dictionary attack/mass untargeted mailing that just happened to snag this address he created. I have been hit this way at addresses I have never used for any purpose that would have exposed me to spam.