Illinois Court of Appeals Issues Ruling on Chicago Public Schools Data Breach
In its recent decision in Cooney v. Chicago Public Schools, 2010 WL 5481520 (Ill. App. Ct. Dec. 30, 2010), the Illinois Court of Appeals affirmed the decision of the trial court dismissing all claims against the Chicago Public Schools (“CPS”), the Board of Education of the City of Chicago (“Board”) and All Printing & Graphics, Inc. (“All Printing”) related to the disclosure of the personal information of approximately 1,750 former CPS employees. The status of the recipients as employees of CPS proved a determining factor in the court’s decision that the Board had no duty to the individuals whose personal information was disclosed.
All Printing was retained by the Board of Education of the City of Chicago to print, package and mail a “Chicago Public Schools- COBRA Open Enrollment List” to more than 1,750 former CPS employees. The mailing, sent in November 2006, informed the former employees that as COBRA participants, they could change their insurance benefit plans. The list sent to each former employee contained the names of all 1,750 former employees, along with their addresses, Social Security numbers, marital status, medical and dental insurers, and health insurance plan information. Some of the former employees filed individual and class action lawsuits, and the cases were later consolidated.
The district court dismissed all of the plaintiffs’ claims. The plaintiffs appealed the dismissal of the following claims:
- Violation of the Personal Information Protection Act, 815 ILCS 530/1, et seq.;
- Violation of the Consumer Fraud and Deceptive Business Practices Act, 815 ILCS 505/1, et seq.;
- Violation of the Health Insurance Portability and Accountability Act (“HIPAA”), 42 U.S.C. 1320d-6;
- Violation of the common law right to privacy;
- Negligent infliction of emotional distress;
- Negligence; and
- Breach of fiduciary duty.
The Board’s Lack of a Duty
The court’s decision that there was no duty owed by the Board and All Printing to the plaintiffs proved the deciding factor in numerous claims. Claims of negligence, negligent infliction of emotional distress, and breach of fiduciary duty all require a duty owed to the plaintiff by the defendant. The plaintiffs’ negligence claim argued that HIPAA provided a statutory basis for the creation of a duty to safeguard plaintiffs’ personal information. The court, citing 45 C.F.R. §160.103, held that although HIPAA prohibits the disclosure of individually identifiable health information, “employment records held by a covered entity in its role as employer” are specifically excluded from HIPAA protection. Therefore, the court held that the Board’s role as an employer placed it outside of HIPAA’s coverage and prohibited a finding of negligence. The court also refused to accept the plaintiffs’ request for recognition of a new “common law duty” to safeguard information and rejected the argument that providing information “in confidence” creates a duty.
No Private Right of Action for HIPAA Violations
The court held that current law does not recognize a private right of action under HIPAA.
Proper Notice Can Moot Violations of the Personal Information Protection Act (“PIPA”)
The PIPA provides that “any data collector that maintains computerized data that includes personal information that the data collector does not own” must notify the owner of the security breach following discovery. 815 ILCS 530/1, et seq. Here, a breach under PIPA occurred; however, because the Board complied with the statute’s notification demands, it avoided paying any damages to plaintiffs.
Potential Harm of Identity Theft Does Not Suffice As Actual Damages
The court ruled that the Board did not fall within the meaning of a “person” under the Illinois Consumer Fraud and Deceptive Business Practices Act (“ICFA”), and, therefore, could not be held liable for a violation of the statute. All Printing, as a domestic corporation, did qualify as a “person”; however, the ICFA requires that plaintiffs allege actual damages, and the allegation of future potential harm of identity theft and the purchase of credit monitoring services did not suffice as actual economic injury.
Illinois Does Not Recognize Social Security Numbers As “Private Information”
The plaintiffs’ final claims alleged (1) intrusion upon the seclusion of another, and (2) public disclosure of private facts. While these claims require different elements for success by a plaintiff, both require “private” matters or facts. The court noted that Illinois law does not define Social Security numbers as private information, and thus the court was not in a position to do so.
What It Means:
The Cooney decision demonstrates some of the protections and exceptions from statutory and tort liability available to employers in Illinois in the data breach context. Additionally, the decision demonstrates the difficulties faced by plaintiffs in recovering damages in many data breach situations, specifically those where no actual harm has occurred and where no duty is owed to the plaintiffs.