IL Appellate Court: No Duty Exists to Safeguard SSNs for Purposes of a Negligence Claim

In one of InfoLawGroup’s first blogposts to kick off 2011 we surveyed a handful of privacy lawsuits that are in the process of potentially altering the privacy and security legal risk landscape. ILG recently discovered another case (through an excellent service we use called Nymity), one of the first that we are aware of in the United States, that dives deep into the issue of whether a common law duty exists to safeguard personal information. In Cooney, et al. v. Chicago Public Schools, et al., an Illinois appellate court upheld a lower court’s dismissal of a lawsuit involving the unauthorized disclosure of sensitive personal information, including names, addresses, social security numbers, marital status, dates of birth, medical and dental insurers and health insurance plan information. While we have seen plenty of courts dismissing data breach cases on motion to dismiss, most of those have focused on the lack of alleged damages. In Cooney, however, the court actually rendered a decision on whether any common law duty exists to safeguard personal information for purposes of a negligence claim. The Cooney court's ultimate answer was that no such duty exists. In this blogpost we take a closer look at the court’s rationale for dismissing the plaintiffs’ negligence claim, as well as the other interesting holdings of the court.

Background

In Cooney, the main defendants were the Chicago Public Schools and its Board (“CPS”), and a printing and mailing company known as All Printing & Graphics, Inc. (“All Printing”). All Printing was retained by CPS to print, package and mail a COBRA Open Enrollment List to approximately 1,750 former CPS employees. Unfortunately, each of the 1,750 employees was sent a list containing the personal information of all the other 1,749 former employees, including names, addresses, social security numbers, marital status, medical and dental insurers and health insurance plan information. CPS notified the employees of the breach and offered one year of free credit protection insurance. Several of the employees filed individual and class action lawsuits, which were consolidated at the trial court level. The complaints alleged several causes of action (including common law negligence), all of which were dismissed by the lower court. The appellate court set out to determine whether the dismissal was in error, and ultimately held that it was proper. One of the appellate judges, however, dissented. The following is a summary of the court’s opinion for the main causes of action alleged.

Common Law Negligence

In addressing the plaintiffs’ common law negligence claim, the court laid out the traditional elements necessary to allege negligence, and first set out to determine whether CPS was under a duty to safeguard the plaintiffs’ personal information.

First, under Illinois law, a violation of a statute designed to protect human life and property may be used as prima facie evidence of negligence (i.e. it can be used to allege a “duty” for purposes of negligence, and a violation of that duty). In this case, the plaintiffs argued that HIPAA and Illinois' breach notice law (815 ILCS 530) created a duty for negligence purposes. The court, however, rejected both arguments.

On HIPAA, the court indicated that 45 CFR § 160.103 excludes “employment records held by a covered entity in its role as employer” from HIPAA coverage. According to the reasoning of the majority, since CPS "held" the plaintiffs’ health insurance elections in its role as employer, the disclosure of such records was not a HIPAA violation. Notably, however, the dissenting judge disagreed with this assessment. He indicated that the exception only applied to employment records actually “held” by the covered entity, as opposed to those disclosed (and therefore no longer held by CPS) to unauthorized third parties. In the dissent's view, then, the plaintiffs did properly plead a negligence claim based on allegations that HIPAA had been violated. If this is appealed to the Illinois Supreme Court, this will likely be a key issue in the case. One important item to note here is that it appears that both the majority and dissent agreed that a data security statute can be used to establish a duty for negligence purposes even if the underlying statute does not itself provide a private right of action.

The plaintiffs also claimed that Illinois' breach notice law was violated because a “breach of the security of the system data” had occurred as defined in that law. The court rejected this argument as well, noting that Illinois' breach notice law already provided a specific and exclusive remedy for a breach of security of the system data: notice to the data subjects (which was properly provided in this case).

Second, the court considered whether a "new" duty to safeguard personal information existed in general for negligence purposes (i.e. without having to rely on a specific statute). On this issue, the court rejected the plaintiffs’ argument that the sensitivity of personal information such as birth dates and social security numbers justified the recognition of a duty. Notably, the court did not consider any “foreseeability” arguments or analyze whether a duty should have existed based on something like Judge Learned Hand's risk formula. Based on the foregoing, the court found that the lack of an alleged duty justified dismissal of the common law negligence claim against both CPS and All Printing.

IL Consumer Fraud and Deceptive Business Practices Act

Section 2QQ of the Illinois Consumer Fraud and Deceptive Business Practices Act (815 ILCS 505/1, et seq.) prohibits a “person” from publicly posting or displaying an individual’s social security number. In this case the court held that the CPS Board was a “body politic” and therefore not a “person” under the Act. In addition, while All Printing does qualify as a “person” covered under the Act, the plaintiffs failed to allege actual damages as required under the Act. Relying on the large body of case law on the damages issue, the court specifically rejected the plaintiffs’ contention that increased risk of identity theft, and costs to pay for credit monitoring, constitute actual damages.

Traditional Privacy Torts

The plaintiffs also alleged “intrusion upon seclusion” and “public disclosure of private facts.” In considering these theories the court indicated that both torts require disclosure of “private” matters or facts. The court held that the privacy element was not satisfied because no law existed in Illinois defining social security numbers as private information. In addition, names and dates of birth did not qualify as private facts because they are matters of public record. Finally, while Illinois law had defined social security numbers as “personal information,” the court held that personal information does not equate to “private” information. Private information, in the court’s view, means private facts that would be facially embarrassing and highly offensive if disclosed. As such, the court ruled that these claims were properly dismissed by the trial court.

Other Miscellaneous Causes of Action

The appellate court, sometimes in a very cursory fashion, affirmed the dismissal of other causes of action the plaintiffs attempted to allege, including:

  • Negligent infliction of emotional distress (dismissed because traditional negligence elements had not been alleged, as required)
  • Breach of fiduciary duty (dismissed because no authority found to indicate that a fiduciary duty exists based on the plaintiffs providing their personal information “in confidence” to the CPS)
  • HIPAA violations (dismissed because the plaintiffs did not allege that they had been deprived of a constitutionally protected right caused by a “municipal policy”; and because HIPAA does not provide a private right of action against non-state actors like All Printing)
  • 4th Amendment privacy violation (dismissed because the plaintiffs failed to properly raise the issue before the trial court)

Conclusion

This case is very interesting because it is one of the first (if not the first) to squarely rule on whether a common law duty exists to safeguard personal data. It will be very interesting to see if this case is appealed to the Illinois Supreme Court. Based on the strong dissent, it appears as if the majority opinion may be at risk of being overturned. What is somewhat disappointing, however, is the lack of deep analysis by the appellate court (especially on the issue of whether a common law negligence duty existed). It may be that key issues were not raised or briefed by the plaintiffs, but it would have been nice to see a full-throated analysis of "law school 101" issues like foreseeability, reasonableness and risk reduction. InfoLawGroup will try to get a hold of the appellate briefs and other underlying documents to see if they provide additional insight as to how the court reached its decisions (and we will post them here once we have them). We look forward to your thoughts, comments and questions on this case.

Quon: US Supreme Court Rules Against Privacy on Employer-Issued Devices

The United States Supreme Court issued its decision today in City of Ontario, California v. Quon, ruling that a public employer's examination of an employee's personal text messages on a government-issued pager did not violate the Fourth Amendment. Justice Kennedy's opinion for the Court remarked that a review of messages on an employer-provided device would similarly be regarded as “reasonable and normal in the private-employer context.”

The City of Ontario asked its wireless service provider for details about the text messages sent and received by the city’s police officers, when their texts regularly exceeded the monthly limit for which the city had contracted. Officer Quon was disciplined for violating police department rules when the city discovered that he sent numerous personal messages, some of them sexually explicit, both on and off duty. He and other individuals who communicated with him sued the city, arguing that the city’s actions represented an unreasonable search in violation of the Fourth Amendment of the US Constitution, the privacy clause found in Article I, section 1 of the California constitution, and also the federal Stored Communications Act (SCA).

The US 9th Circuit Court of Appeals, citing the Supreme Court’s 1987 ruling in O’Connor v. Ortega, 480 US 709, found that Quon had a reasonable expectation of privacy in his message content and that the city's examination of his text messages was not reasonable, even though there was a legitimate, work-related purpose for auditing the officer’s wireless usage. The appellate court noted that the city could have used less intrusive means to review wireless usage and charges. The appellate decision drew widespread attention, including a 2008 article in the Los Angeles Daily Journal by my colleague Tanya Forsheit. Tanya pointed out that while the Fourth Amendment applies directly only to monitoring by government employers, a restrictive interpretation under the California constitution’s privacy clause (or the SCA) could affect communications monitoring by private-sector employers as well.

Today, the Supreme Court (addressing only the Fourth Amendment issues) reversed the 9th Circuit decision and ruled that the city’s examination of Quon’s text messages was reasonable under the Supreme Court’s O’Connor standard:

Petitioners’ warrantless review of Quon’s pager transcript was reasonable under the O’Connor plurality’s approach because it was motivated by a legitimate work-related purpose, and because it was not excessive in scope.

The city had a reasonable interest in controlling excessive personal use of communications devices, and also in setting an appropriate level of city-funded communications so that officers were not forced to pay for work-related communications. The Court observed that the city’s review was limited to a two-month sample of messages and that the city redacted Quon’s messages sent and received while he was off duty, to limit the intrusion into his personal life.

The Court noted that any reasonable privacy expectations were probably limited by the city’s Computer Policy, which stated (as do the policies of many employers) that users “should have no expectations of privacy or confidentiality” when using city computers. A subsequent memo made it clear that this policy extended as well to communications devices furnished by the city. Quon argued that this policy was modified by his superior’s subsequent verbal assurance that there would be no audit as long as officers paid for excess text usage. The Court declined to make a finding on that argument, assuming for purposes of the decision that Quon had some reasonable expectation of privacy. But the Court ruled that the city’s search of message content was reasonable because it was undertaken for a work-related purpose and used measures that were not excessively intrusive in the circumstances. And because the employer’s search was reasonable, the other parties who sent messages to Quon could not prevail on their argument that the review of message content violated their own Fourth Amendment rights.

The Supreme Court justices often disagree on what is a “reasonable expectation of privacy” and whether the government entity in question has appropriately limited the scope of its intrusion into private life. The O’Connor opinion, for example, was rendered by only a plurality of the justices. But Quon is a unanimous decision on its results, with limited concurring opinions by Justices Stevens and Scalia.

Justice Scalia’s concurring opinion argued that the "reasonable expectations" of employees using employer-issued devices should be addressed generally and not limited to public employees. In response, Justice Kennedy’s opinion for the Court suggests that reasonable expectations of privacy are typically limited in private sector employment just as they are for government employees:

For these same reasons—that the employer had a legitimate reason for the search, and that the search was not excessively intrusive in light of that justification—the Court also concludes that the search would be ‘regarded as reasonable and normal in the private-employer context’

Justice Kennedy wisely cautions that judges should not rush to broad conclusions about reasonable privacy expectations with regard to the use of rapidly changing technologies:

The Court must proceed with care when considering the whole concept of privacy expectations in communications made on electronic equipment owned by a government employer. The judiciary risks error by elaborating too fully on the Fourth Amendment implications of emerging technology before its role in society has become clear.

The Quon decision suggests a prudential approach to monitoring employee use of the employer’s computer or communications facilities, whether the employment is in the public or private sector:

• Employers should establish the level of privacy expectations with a coherent policy that covers all the technologies deployed.

• Employers are at risk when they delve into the content of messages or computer searches, or ask their service providers to do so, without a clearly articulated, work-related purpose (such as a targeted investigation of suspected wrongdoing or a non-investigative financial or administrative objective).

• Content review should be structured so as to limit privacy intrusions. The Quon decision emphasizes that this does not mean the “least intrusive search practicable” but simply a search reasonably limited to the employer’s legitimate, work-related objectives.

• A reasonably structured review of employee communications can also serve as a defense against privacy claims by non-employees who communicated with the employee.