Doe v. Chao
- Court Dismisses Suits Against OPM Over Data Breach that Affected 22 Million: A federal court in Washington, DC has dismissed two lawsuits against the Office of Personnel Management over the data breaches that compromised the records of 22 million federal employees and family members. The court acknowledged the "troubling allegations" raised by OPM's victims but ruled that "the fact that a person's data was taken" is not "enough by itself to create standing to sue." EPIC has long argued that data breach victims should not wait until they suffer identity theft to sue the parties that failed to protect their data. EPIC also filed comments last year with OPM recommending limits on data collection, has recommended updates to the federal Privacy Act, and has urged the Supreme Court to recognize a right to "informational privacy" and to ensure Privacy Act damages for non-economic harm. (Sep. 20, 2017)
- Congress Considers Bill to Strengthen Privacy Act: Congressman Gerry Connolly (D-VA-11) has introduced legislation to update the federal Privacy Act. The "Safeguarding Individual Privacy Against Government Invasion Act of 2014" would compensate individuals for non pecuniary harms after Privacy Act violations. The proposal is a response to FAA v. Cooper, a Supreme Court case holding that the Privacy Act does not cover mental and emotional damages. EPIC filed a "friend of the court" brief in that case, explaining that privacy laws routinely provide recovery for mental and emotional harm, that such damages are the most common consequence of privacy violations, and that civil remedies are necessary to ensure enforcement of the Privacy Act. Following the decision in FAA v. Cooper, EPIC set out proposals to strengthen the Privacy Act. EPIC has recently recommended that the Privacy and Civil Liberties Oversight Board prioritize Privacy Act enforcement. For more information, see EPIC: FAA v. Cooper, EPIC: Doe v. Chao, and EPIC: The Privacy Act of 1974. (Dec. 8, 2014)
- EPIC Urges Privacy Board to Focus on Privacy Act Enforcement: EPIC has recommended that the Privacy and Civil Liberties Oversight Board prioritize Privacy Act enforcement. The Board is planning to host a conference "Defining Privacy." EPIC stated "The Privacy Act provides a sound framework for privacy protection in the United States. Government agencies within the PCLOB's purview contravene the Privacy Act's intent and pose substantial privacy risks by claiming broad exemptions from coverage under the Act. The Board must improve agency accountability by auditing programs for Privacy Act compliance and recommending expanded authorities under the Privacy Act." EPIC recently provided expert commentary at a Georgetown University Law Center conference celebrating the 40th anniversary of the Privacy Act. For more information, see EPIC: FAA v. Cooper, EPIC: Doe v. Chao, and EPIC: The Privacy Act of 1974. (Nov. 12, 2014)
- Federal Appeals Court Affirms Civil Penalties in Privacy Act Case: A federal appeals court held that the Privacy Act provides monetary damages for harms stemming from inaccurate government records. The case arose in 2006 when Julia Shearson and her four-year-old daughter, both U.S. citizens, reentered the country over the Canadian border. A customs database incorrectly identified Shearson as "ARMED AND DANGEROUS," after which she was handcuffed, questioned for several hours, and then released without explanation. Shearson sued under the Privacy Act and sought damages from the Department of Homeland Security for the agency's failure to ensure the accuracy of its computer records. DHS argued that the Privacy Act permitted the agency to exempt itself from monetary damages provision of the law. The Sixth Circuit disagreed and held that Congress specifically intended that the Privacy Act provide civil remedies for government failures to comply with the Act's mandatory duties. EPIC routinely files comments on the obligation of federal agencies to comply with the Privacy Act and EPIC has also filed a Supreme Court brief in support of damage awards in Privacy Act cases. For more information, see EPIC: Doe v. Chao (US 2004). (Apr. 25, 2011)
- Social Security Protection Act of 2010 Becomes Law: President Obama signed a bill aimed at reducing identity theft by limiting the Government's use of and access to social security numbers. The bill, which passed the House and Senate, prohibits government agencies from printing social security numbers on checks and from allowing prison inmates access to social security numbers. "Social Security numbers are among Americans' most valuable but vulnerable assets," said Sen. Feinstein, a sponsor of the bill. "Identity theft is a serious concern for all consumers, and we should make every effort to protect personal information." EPIC has testified many times before Congress on the need to safeguard the SSN, including House hearings in 2000, 2001, 2006, 2007 and EPIC has also litigated important cases on SSN privacy. For more information, see EPIC: Social Security Numbers, EPIC: Identity Theft, and EPIC: Doe v. Chao. (Dec. 23, 2010)
- Supreme Court Requires Actual Harm for Privacy Act Damages. The Supreme Court has ruled (pdf) in a 6-3 decision in Doe v. Chao that an individual must prove he has suffered actual harm before he can receive a $1,000 minimum statutory award when the government wrongfully discloses his Social Security Number. EPIC, along with a coalition of civil liberties organizations and technical and legal experts, filed a friend of the court brief (pdf) in the case, arguing that the Privacy Act provides damages for those who suffer "adverse effects," though no actual harm. (Feb. 24, 2004)
EPIC collaborated with numerous consumer and privacy organizations, legal scholars and technical experts to submit an amicus brief in Doe v. Chao, an important privacy case before the Supreme Court. This case concerned the wrongful disclosure of the Social Security Number by a federal agency and whether a person should be required to prove actual damages to obtain relief under the Privacy Act. Our view, and the view of most federal courts, was that it should only be necessary to show "adverse effects" to obtain the minimal $1,000 damages under the Act.
In this case, the Department of Labor was sued by a class of coal miners who filed claims with the government for black lung benefits. To process the benefit claims, the Department of Labor used each applicant's SSN to identify that applicant's claim. As identification numbers, the SSNs were subsequently disclosed to other applicants, as well as those applicants' employers and lawyers. The SSNs were also made publicly available in administrative law decisions and computerized legal research databases.
Several coal miners filed suit against the government, alleging violations of the Privacy Act. The United States District Court for the Western District of Virginia consolidated the miner's claims and assigned their case to a magistrate to make recommendations with regard to motions for summary judgment and class certification. The magistrate recommended that the district court grant summary judgment against all the miners with the exception of Buck Doe, finding that they were unable to prove damages. The district court adopted the magistrate's recommendation and granted summary judgment in favor of the government on all claims except that of Doe. With respect to his claim, the court entered summary judgment in favor of Doe, awarding him $1,000 in statutory damages. The court explained that an individual must prove "actual damages" to obtain the $1,000 statutory damages available under the Privacy Act, and that because emotional distress is the chief means of proving damage in privacy cases, such emotional distress is sufficient evidence to allow recovery under the Privacy Act. The court found that Doe had demonstrated enough emotional distress to justify recovery, and thus was entitled to statutory damages.
The miners (other than Doe) appealed the district court's decision to the Fourth Circuit, arguing that proof of "actual damages" is unnecessary to recover under the Privacy Act, and in the alternative, that the district court's holding with respect to Doe was correct because emotional distress is sufficient evidence of injury to permit an award of damages under the Privacy Act. The government also appealed the district court's decision, claiming that recovery under the Privacy Act is limited to individuals who can produce evidence of "actual damages," which includes only monetary loss and not emotional harm. The Fourth Circuit adopted the government's view and determined that Doe was not entitled to damages under the Privacy Act because he failed to show that any tangible consequences flowed from the emotional distress he experienced due to the disclosure of his SSN.
The Supreme Court granted certiorari in June to consider the question of whether an individual bringing suit under the Privacy Act for wrongful SSN disclosure must prove that he suffered actual monetary damages as a result of the disclosure in order to recover the minimum damages provided by the Privacy Act. On February 24, 2004, the Supreme Court ruled (pdf) in a 6-3 decision that an individual must prove he has suffered actual harm before he can receive a $1,000 minimum statutory award when the government wrongfully discloses his Social Security Number.Our Role
The amicus brief first outlined the grave dangers posed by SSN disclosure, specifically discussing identity theft. The brief then pointed out that Congress has provided liquidated damage-the amount of which is determined in advance so that a dollar amount doesn't have to be specifically proved-in other privacy laws to enforce rights that are difficult to put a money value on. Finally, the brief reviewed the Privacy Act's legislative history to demonstrate that Congress has long recognized the risks to privacy posed by unnecessary SSN disclosure. EPIC argued that the award of actual damages in compensation for SNN disclosure under the Privacy Act should be triggered not by a showing of specific monetary damages, but by a showing of adverse affect to the individual, defined as risk of SSN misuse.
Doe v. Chao History
- Supreme Court's opinion (pdf)
- Supreme Court's grant of certiorari (pdf)
- Supreme Court Docket in Doe v. Chao
- Solicitor General's Opposition to Petition of Writ of Certiorari
- Fourth Circuit opinion
- Doe's Brief on the Merits (pdf)
- Solicitor General's Brief on the Merits (pdf)
- Doe's Reply Brief (pdf)
- EPIC's amicus brief (pdf)
- Reporters Committee for Freedom of the Press amicus brief (pdf)
- The Privacy Act of 1974
- Report of the Secretary's Advisory Committee on Automated Personal Data Systems (HEW Report)
- How Much Is Privacy Worth?, Wired News (Dec. 3, 2003)
- The Supreme Court Considers Whether a Privacy Act Plaintiff Can Recover $1000 Even Without Proof of Damages, Findlaw.com (Nov. 25, 2003)
- Access Reports news brief (July 5, 2003)
- Supreme Court Will Settle Privacy Case, Durham Herald Sun (June 27, 2003)
- Supreme Court Will Hear Privacy Case, Sacramento Bee (June 27, 2003)
- 4th Circuit Rules No Recovery Under Privacy Act for Disclosure of SSNs Without Showing of Actual Damages, Tech Law Journal (Sept. 20, 2002)