Last week, the Internal Revenue Service successfully defeated a putative class action related to a data breach it suffered in 2015. The D.C. District Court’s decision dismissing the suit demonstrates the high bar required to hold a federal agency accountable for lapses in cybersecurity.
In Welborn v. IRS (Case No. 15-1352, D.D.C.), Plaintiffs Becky Welborn, Wendy Windrich and Beth DuPree, on behalf of a proposed class, sued the IRS in connection with a cyberattack on the agency’s website in which over 300,000 tax-related documents were stolen.
Plaintiffs alleged that the IRS violated their rights under the Privacy Act, 5 U.S.C. § 552a, the Administrative Procedure Act (APA), 5 U.S.C. § 701 et seq., and the Internal Revenue Code, 26 U.S.C. § 6103, by “disclosing or failing to prevent the disclosure of their personal identification information to third parties.”
Standing Sufficient Only Where Actual Injury and Causation Shown
As an initial matter, the court determined that only two of the three named plaintiffs had standing to bring suit. Mses. Welborn and Windrich, who had suffered actual identity theft when someone filed false tax returns and claimed fraudulent refunds in their names, had shown sufficient injury-in-fact and causal connection to the IRS data breach to establish standing to sue for monetary damages.
Ms. DuPree’s claims, however, were dismissed for failure to show causation. Although Ms. DuPree alleged that (1) the IRS notified her that her personal information may have been hacked; (2) no other entity had informed her of a similar data breach; and, (3) she had been the victim of at least two instances of fraudulent activity in her financial accounts following the IRS data breach, the court ruled that there was no nexus showing that the data obtained from the IRS breach was necessarily used to perpetrate the fraud on her accounts. Simply alleging that the financial fraud happened after the data breach was insufficient.
Failure to State a Claim Under the Privacy Act and the Internal Revenue Code
The court also dismissed Plaintiffs’ claims under the Privacy Act for failure to state a claim for actual damages related to the IRS’s alleged failure to safeguard plaintiffs’ personal information. The court ruled that the fraudulent tax returns filed in plaintiffs’ names, the lost time and money spent dealing with data theft and future credit monitoring, and the heightened risk of further identity theft did not equate to actual pecuniary or material damage related to the IRS data breach. Sovereign immunity protects the Federal Government from liability for reputational or emotional harm. Similarly, sovereign immunity barred Plaintiffs’ claims under the Internal Revenue Code.
Finally, the court ruled that Plaintiffs had no standing to sue for equitable relief under the APA as there was no allegation of an ongoing threat to their personal information, and that there is no private right of action under the Federal Information Security Modernization Act (FISMA).
Needless to say, courts will set a very high bar for plaintiffs to allege standing to sue governmental agencies for data breaches.