Federal Judge Rejects Privacy Class Action Against Hewitt Tax Service (Tax Returns Found in Dumpster)


A federal judge in Louisiana has continued the trend of courts rejecting privacy claims due to disclosure of information where the plaintiff fails to allege actual (out of pocket) damages.  This one hurts!  (Access the order here [pdf].)

Facts:  The case arises out of an incident in 2008 where Jackson Hewitt tax services (allegedly) disposed of plaintiff's tax returns in a public dumpster in Gretna, Louisiana.  Someone found the tax returns (which were in readable form) in the dumpster and contacted the local media and law enforcement.  The media identified and contacted plaintiff.  Hewitt alleged that the returns were stolen.  Plaintiff (on behalf of herself and others similarly situated) alleged that she relied on statements in Hewitt's privacy policy that they would safeguard plaintiff's financial and tax information.  Plaintiff's identity was not stolen as a result of the data breach, but she sued for "fear, panic, anxiety" (etc.).  Defendants moved to dismiss the claims, and the court largely granted the motion.

Negligence:  The court rejected the negligence claims, finding that plaintiff "has not alleged that any third party accessed her information and stole her identity. . . .  That the documents were exposed to a good samaritan, who returned the documents to plaintiff, does not in itself establish damage."  The court reviewed recent decisions of federal courts holding that in order to allege these types of claims, plaintiff must show that "someone actually used the disclosed information to his detriment."  (citing Pisciotta v. Old Nat'l Bancorp., 499 F.3d 69, 639-40 (7th Cir. 2007), discussed in this post). Pisciotta held that "allegations of increased risk of future identity theft . . . without more" are not sufficient to state a claim for damages based on a data breach.  The court also cited to Louisiana law which holds that emotional damages are not ordinarily recoverable in negligence absent physical injury.

Data Breach Notification Claim:  Plaintiff also sought to assert claims under Louisiana's data breach statute [link], which allows a plaintiff to recover "actual damages" resulting from the failure to timely disclose a data breach.  Unfortunately for plaintiff, the statute defines "breach of the security of the system" to mean the compromise of "the security, confidentiality, or integrity of computerized data"  (emphasis added).  Here the complaint only alleged breach of the returns in paper form.  The court held that this failed to state a claim.

Breach of Contract:  The court also dismissed the breach of contract claim despite the allegations in the complaint that plaintiff signed on to Hewitt's privacy policy "which stated that defendants had policies and procedures in place, including physical, electronic, and procedural safeguards, to protect customers' private information."  (Plaintiff also alleged that she relied on these statements in deciding to turn over her information.)  The court's rationale was that under Louisiana law, nonpecuniary losses were not typically available in contract cases.  Such damages were only available if the plaintiff "proves either that the contract was intended to gratify a nonpecuniary interest of which defendants were aware or that defendants intended to aggrieve the feelings of plaintiff." 

Fraudulent Inducement Claim:  Plaintiff also alleged that she was fraudulently induced to enter into the agreement with Hewitt.  The court found that plaintiff failed to plead this claim with particularity, and gave plaintiff 20 days to amend the complaint to allege fraudulent inducement with particularity.  (A consumer protection claim which was tied to the fraudulent inducement claim suffered the same fate.) 

Invasion of Privacy Claim:  The claims for invasion of privacy survived, but the court seemed skeptical of the claim, noting only that the court "has not found any caselaw, controlling or otherwise, with facts similar to those alleged here that states that similar allegations do not amount to an invasion of privacy."

7 U.S.C. Section 6103:  Finally, plaintiff brought a claim under a federal statute which protects against unauthorized disclosure of tax returns (and related information).  According to the court, the statute only applied to the IRS (or other governmental agencies who come into contact with tax return information) or third parties who obtain such information from the IRS.  Since Hewitt did not obtain the tax return information from the IRS, the court finds that plaintiff cannot state a claim under this statute.

*****

What to make of this decision? 

1.  Harm From Disclosure v. Exploitation:  The court's decision reflects a deep skepticism of the notion that the harm from unauthorized disclosure of information flows from the mere disclosure of the information rather than from its use.  Whether or not this is the appropriate approach is not a topic that lends itself to discussion on a blog and is probably more suited for law review articles and treatises.  But the numerous cases cited by the court for the proposition that a claim must be supported by actual out of pocket harm should be alarming to privacy advocates.

2.  Narrow Interpretation of LA Data Breach Statute:  The court's interpretation of Louisiana's data breach statute was incredibly narrow, but the language of the statute is clear that it only applies to computerized data.  Although the state government in Louisiana (like all state governments) warns consumers of the dangers of data breaches, the focus seems to be on data that is not in paper format.  This is what it is.

3.  Privacy Policies are Useless?  While the court's conclusion on the damage/harm issue is noteworthy, its analysis of the contract/privacy policy issue is equally noteworthy.  Lawyers who draft privacy policies often muse as to whether "contractual" privacy restrictions are worth the paper (or bits and bytes) they are written on.  But to see the court reject a claim by an aggrieved customer who alleged a pretty colorable link between the privacy policy and the breach is astounding.  Particularly so, where the information involved is confidential financial information.

*****

All things considered, defendants skated free on this one (the court let the air out of the tires on this one, at least at the trial court level).  The decision is fairly significant, as it embraces the Seventh Circuit's decision in Pisciotta and moves the ball down the field a bit.

Added:  Tom O'Toole at BNA's Tech Law blog makes the important observation that the bulk of data breach laws on the state level are all similarly structured - most of them don't speak to a paper data breach [link] [emphasis added]:
This is likely more in the nature of "news to me" than "news." I learned, or at least I think I learned, that most of the many state data breach notification laws don't reach a common source of privacy violations: personal information snatched by dumpster divers.
...

I did a little investigation and, as it turns out, a lot of state laws are written in the same fashion as Louisiana's data breach statute. If other courts interpret "computerized data" the same way as the Louisiana court, then carelessness with paper records containing personal information is not going to get a business in hot water in very many states.
Good point.
 
 