Wave Systems Corp. (fka WAVXQ)

[Fullmoon]

anvil.........

[FDE] Privacy Act's "actual damages" clause DOES NOT require actual monetary damages

In the recent American Federation Of Government Employees (plaintiff)
v.s. Kip Hawley, in his official capacity as Administrator for TSA,
the plaintiffs alleged that defendants violated the Aviation and
Transportation Security Act ("ATSA") and the Privacy Act by failing to
establish appropriate safeguards to insure the security and
confidentiality of personnel records which resulted in unintended
disclosure of Personally Identifiable Information (PII) of 100,000 TSA
employees.
The defendants argued that "that the individual plaintiffs should be
dismissed for lack of standing for failing to demonstrate an
injury-in-fact. Mot. Dismiss at 13.11 According to defendants,
plaintiffs' concerns about future harm are speculative and dependent
upon the criminal actions of third parties. Mot. Dismiss at 13–15"
The court, however, disagrees:
"Plaintiffs allege that because TSA violated § 552a(e)(10) by failing
to establish safeguards to secure the missing hard drive, they have
suffered an injury in the form of embarrassment, inconvenience, mental
distress, concern for identity theft, concern for damage to credit
report, concern for damage to financial suitability requirements in
employment, and future substantial financial harm, [and] mental
distress due to the possibility of security breach at airports."
Compl. 41–42. As such, plaintiffs' alleged injury is not speculative
nor dependent on any future event, such as a third party's misuse of
the data.12 The court finds that plaintiffs have standing to bring
their Privacy Act claim."
For details see:
https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2007cv0855-6
http://cyberlaw.stanford.edu/node/5734
The outcome of this could have far-reaching implications for the
future data leaks.