Harm in the privacy litigation context is a difficult concept for plaintiffs to prove. There have been a number of cases that have ruled that plaintiffs cannot meet their burden and prove damages sufficient to state a claim. Courts have consistently ruled that plaintiffs cannot easily meet their burden of showing damage to support tort or contract claims.
In one of the first cases to reject a privacy claim due to a lack of damages, the court damages, the Eastern District of New York in Trikas v. Universal Card Services Corp., 351 F. Supp. 2d 37 (E.D. N.Y. 2005), rejected a plaintiff’s claim for violation of FCRA. In Trikas, the plaintiff brought an action based upon the assertion that an account erroneously remained open on his credit report. The plaintiff claimed that he suffered emotional distress because of this, even though it was admitted that no creditor actually, saw or relied upon, the erroneous information.
Here too, however, Plaintiff has not presented sufficient evidence of damages to survive summary judgment. Plaintiff testified that he was never turned down for any credit because of the Bank’s actions, and that he never even applied for any credit during the time his account remained erroneously open. Plaintiff admits that he has not suffered monetary damages: ‘It’s not a value that I suffered monetarily, as you could say it, a dollar value, because this is, like I said, it’s emotional, it’s stress, it’s burden.
Ultimately, the court dismissed the claim because the plaintiff could not prove damages that were caused by the alleged violation.
The court in Forbes v. Wells Fargo Bank, N.A. reached a similar conclusion.In this case, the plaintiffs’ personal information was obtained due to a theft of computers that contained unencrypted customer information including names, addresses, social security numbers and account numbers. It again was undisputed that plaintiffs had expended time and money to monitor credit, but there was no indication that the information had been accessed or misused. The court rejected the plaintiffs’ claim that they had suffered damage due to the time and money they had spent because the plaintiffs could only recover for loss of time in terms of earning capacity or wages. The court therefore rejected both the breach of contract and negligence claim.
The Hannaford Bros. Co. issues have also lead to litigation and the Supreme Court of Maine addressed the role of harm in privacy litigation. In this case the plaintiffs alleged that they had suffered fraudulent charges on their credit cards as a result of a breach and the issues before the Supreme Court were:
(1) “In the absence of physical harm or economic loss or identitytheft, do time and effort alone, spent in a reasonable effort toavoid or remediate reasonably foreseeable harm, constitute acognizable injury for which damages may be recovered underMaine law of negligence and/or implied contract?”
(2) “If the answer to question #1 is yes under a negligence claimand no under an implied contract claim, can a plaintiff suing for negligence recover damages under Maine law for purelyeconomic harm absent personal injury, physical harm toproperty, or misrepresentation?”
The Supreme Court of Maine addressed these issues in the context of certified questions from the United States District Court of Maine, which had dismissed the case due to a lack of damages. The Court concluded that given that no fraudulent charges remained unreimbursed, the only “harm” was a loss of time spent to mitigate the effects of the breach by the plaintiffs. This was insufficient to support a negligence claim.
Our case law, therefore, does not recognize the expenditure of timeand effort alone as a harm. The plaintiffs contend that because their time and effort represented reasonable efforts to avoid reasonably foreseeable harm, it is compensable. However, we do not attach such significance to mitigation efforts.
The Court also concluded that the expenditure of time, by itself was insufficient to support a claim for breach of contract.
Virtually every case supports the view that most privacy breaches will not support civil liability because harm typically does not exist. This case is not notable for its conclusion, but rather that another court has adopted this line of reasoning. These issues are discussed more completely in my law review article, POISED ON THE PRECIPICE: A CRITICAL EXAMINATION OF PRIVACY LITIGATION, 25 Santa Clara Computer & High Tech. L.J. 883 (2009), and Chapter 34 of my domestic privacy book, Information Security and Privacy: A Guide to Federal and State Law and Compliance.