Limiting a Private Right of Action in Federal Data Security and Privacy Legislation

Enforcing national data security and privacy legislation presents challenges in both scope and scale. Congress’s decision regarding who they choose to empower—be it individuals, state attorneys general, one or more federal agencies, or a combination thereof—will dictate the true shape of the law, once passed. If individuals are empowered with an enforcement role—that is, if a private right of action (PRA) is established—it is important to outline the structure, procedures and limits to craft a fair and functional law.

But reaching a consensus on whether federal data security and privacy legislation should even include a PRA has been particularly challenging. Many advocates of a PRA see it as a necessary component to a meaningful enforcement regime, as a properly drafted PRA could fulfill at least three strategic goals: empowering consumers to advocate for themselves, incentivizing the compliance of covered entities and allowing consumers to be made whole for damages—a supplement to potential Federal Trade Commission (FTC) authority to order monetary relief or impose fines. On the other hand, opponents warn that a PRA in federal data security and privacy legislation would likely result in widespread litigation, including frivolous lawsuits and overly broad legal exposure for the private sector. These skeptics believe enforcement by a federal agency or by a combination of a federal agency and state attorneys general would result in a more effective, cohesive and predictable enforcement regime.

In deciding whether to create a PRA, Congress must balance the diverse priorities and perspectives of different stakeholders. It must consider industry and consumer concerns, the adequacy of remedies, the role of states, and regulatory capability and capacity. While a PRA has its drawbacks, the consensus position that takes these issues into account has settled around a limited PRA as a backstop against shifting political winds and executive branch control over privacy enforcement. Just as in other areas, however, Congress should avoid an all-or-nothing approach in striking this balance, taking into account the role of enforcement by the FTC and state attorneys general under state laws and any new federal privacy law. In addition, if Congress chooses to create a PRA, it should empower everyday Americans to assist in the enforcement of the new law in a clear, confined and meaningful way that protects both the American consumer and innovation.

This publication—the last in a series of three main articles—explores the various considerations and options for structuring such an enforcement mechanism and then presents our key recommendations for reaching a consensus.

CONSIDERATIONS AND OPTIONS

Consideration #1: Applicability of a PRA

A PRA could either apply broadly in statute or exclusively to specific provisions. The broadest approach would allow a PRA for any individual alleging a violation of the federal law or regulation to be brought in either state or federal court. This could permit suits for violations of all provisions from a right to access to data breaches. However, a PRA could be limited to apply to specific violations of the statute like a data breach. For example, California’s privacy legislation permits a PRA only in the case of a data breach, whereas other enforcement mechanisms permit broader action (e.g., the state attorney general is empowered to address all violations of the statute).

Consideration #2: Consumer Standing

The Constitution requires that individuals have “standing” in order to bring a civil suit. This means they must have suffered a real and individualized harm to bring a successful lawsuit. Demonstrating such harm as a result of privacy violations can be challenging because the harm may not be direct or apparent and would therefore present a constitutional standing challenge. This challenge would be exacerbated by the fact that traditional legal concepts are hard to apply to the digital world.

Indeed, in Spokeo, Inc. v. Robins, the U.S. Supreme Court held that demonstrating a violation of the statute alone, without showing a real and individualized harm, is insufficient to meet the constitutional standing requirement. Of note, there is one prominent instance in privacy law in which individuals can bring suit without alleging harm beyond a violation of their rights under the statute; it is in the case of one particular type of data (biometrical) in one specific state (Illinois).

In determining whether an individual has standing, courts are required to look to traditional harms for comparisons, like those caused by defamation and theft. The Court noted in Spokeo that Congress can play a role in assisting the courts by clarifying the harm in privacy violations that may give an individual standing. Subsequently, in TransUnion LLC v. Ramirez, the Court underscored that “Congress’s creation of a statutory prohibition or obligation…does not relieve courts of their responsibility to independently decide whether a plaintiff has suffered a concrete harm…any more than, for example, Congress’s enactment of a law regulating speech relieves courts of their responsibility to independently decide whether the law violates the First Amendment.”

Concrete harm appears to be a constitutional standing requirement, and the court has continued to look to traditional harms when determining whether a harm has occurred in a particular case. The Spokeo and TransUnion holdings create uncertainty in terms of the harms that may be sufficient to give an individual standing to bring suit for privacy violations. Future court decisions to clarify this issue are necessary and likely. While this area of the law develops, Congress could articulate a harm in statute, specifically considering the violations the harm would apply to, what traditional harms would be similar, and what alternative enforcement mechanisms would exist if standing were inadequate. Thankfully, legislative bodies and academic institutions across the country have identified practical frameworks under which privacy harms can be better understood.

Some of these frameworks have attempted to articulate what harms should be legally cognizable (i.e., sufficient) to provide an individual standing to bring suit. Recent literaturecategorizes the harms into seven areas: physical, economic, reputational, psychological, autonomy, discrimination and relationship. Some of these have a clear basis in existing law and might help future courts consider harm in the privacy context.

Other frameworks see a duty of loyalty as being a solution to standing issues, where entities should act in the best interest of those who expose their data, and the integrity of the relationship guides the duties. A breach of a duty of loyalty is the injury itself and has long been recognized by courts as a legally cognizable harm. In contrast, a duty of care is not based solely on the relationship, and specific harm is needed.

In the Consumer Online Privacy Rights Act (COPRA), privacy harms are included under the duty of loyalty provisions, covering the definitions of deceptive data practices and harmful data practices. Under harmful data practice, five injuries are established: physical; financial; reputational; physical or other offensive intrusion upon the solitude or seclusion of the individual; and “other” substantial injury. The former acting chair of the FTC, Maureen Ohlhausen, discussed injury similarly—the five types of injury she identified through cases brought by the FTC were financial; health and safety; reputational; unwarranted intrusion; and deception injury and subverting consumer choice.

Consideration #3: Advocacy Groups as Enforcers

Groups could be designated at the state level to bring lawsuits in lieu of consumers. If groups were empowered to bring lawsuits instead of consumers, this would lower the number of potential litigants and most likely reduce litigation. Some Senate bills have included provisions permitting a protection and advocacy (P&A) organization to bring a civil action against a covered entity, allowing each state to designate one organization. Of note, there is precedent in federal law for this approach: The Developmental Disabilities Assistance and Bill of Rights Act of 1975, for example, established state P&A systems to advocate, investigate abuses and ensure enforcement. That system also permits class litigation in some cases.

Consideration #4: Sunrise and Sunset Provisions

Sunrise and sunset provisions can impact when a PRA would become effective and how long it would last. A sunrise provision allows for a portion of a law to apply to a specific period of time before the main body of the law becomes active. A sunset clause, on the other hand, provides that an entire statute or portion thereof ceases to exist after a fixed amount of time or certain statutory conditions are satisfied. These mechanisms could be a way to keep legislation in check by timing more aggressive enforcement and incentivizing lawmakers to assess the law’s effectiveness continually. The mechanics of such provisions would be important to outline, including: whether time alone triggers the provision; whether certain conditions in the statute need to be met; what other provisions in the legislation might have a sunrise and/or sunset provision; or whether additional congressional approval is needed.

Consideration #5: A Right to Cure

A right to cure, also known as an opportunity to cure, refers to an opportunity for entities to address complaints by consumers before litigation. This process can be managed by a federal agency or court and, when an individual files a complaint, the agency or court is responsible for ensuring that the complaint is addressed; if it is not sufficiently addressed, a PRA could commence. A recent report suggests this could go hand in hand with a right to recourse—an entity’s internal process through which a consumer can resolve potential violations and/or privacy concerns. For either to work, standards would need to address what is “corrected enough,” whether it should apply to all companies or just smaller ones, how much time should be allowed to resolve the issue and what entity makes and enforces these rules.

Consideration #6: Filing of Complaints with Particularity

Filing complaints “with particularity” means that a plaintiff must provide “in great detail, all the relevant facts forming the basis of her belief” with facts for any malice, intent, knowledge and other conditions of a person’s mind that may be alleged generally. Some argue that privacy claim pleadings now are not mapped to harms, and, after the passage of a federal bill, should be mapped to statutorily granted harms. This is similar to the process undertaken for Securities and Exchange Commission filings or ​​for fraud claims under the Federal Rules of Civil Procedure.

Consideration #7: Feasibility Review

Frivolous lawsuits present a challenge to a PRA. Suit under a PRA could address this concern by being subject to a screening before proceeding to the courts. A review could answer questions of legitimacy, basic adequacy and motivation. Multiple existing state and federal bodies could serve as a model for this type of board, including the Massachusetts Medical Malpractice Tribunal, federal administrative review boards and the U.S Equal Employment Opportunity Commission. Any screening model selected would need to set specifications for duration of review, impartiality, sufficiency standards and resource determinations.

Consideration #8: Injunctive Relief

Injunctive relief is mandated legal action that forces an individual or entity to stop or start a behavior or to carry out a certain action. Injunctive relief could mandate that behavior that is causing harm to an individual or group of individuals be stopped. If enforcement encompasses injunctive relief, it could help reduce lawsuits motivated by financial reasons. However, despite injunctive relief’s potential usefulness as an enforcement tool, its effectiveness depends on the specific harm in question. For example, injunctive relief could be granted to require a company to improve its security controls to prevent future similar attacks, but it would not offer other remedies available to litigants in traditional litigation.

Consideration #9: Tiered Rights and Damages

Damages could be structured in several ways to account for the potentially competing variables at play, which include how to make harmed individuals whole, ensure that punishments are appropriate for specific violations and prevent excessive judgments. One proposed concept suggests that dynamic standards be tied to the different provisions in legislation. It would require harms be recognized as invasions of privacy, discrimination or financial loss in one way; violations that affect privacy be recognized in another way; and that all other types of violations be recognized a third way, with a different level of knowledge or intention to be subject to different degrees of liability.

Other considerations related to tiered rights and damages include capping damages to limit exposure; escalating enforcement for willful and repeated violations; determining the types of damages to be awarded like statutory damages and/or punitive damages; and covering other expenses like attorney fees and litigation costs.

Consideration #10: Limiting Legal Exposure

Measures could be implemented to help covered entities limit their legal exposure. There are two common ways of approaching this issue: establishing a safe harbor and making a breach by a nation-state actor an affirmative defense.

A safe harbor, or an affirmative defense, can provide legal protection for a covered entity against a data breach claim if certain steps are taken. By following an established data protection and security framework, such as the standards set out by the National Institute of Standards and Technology, covered entities can be shielded entirely or have their liability limited in precise and predictable ways. A safe harbor serves as an incentive for covered entities to implement data protection measures in favor of incurring litigation expenses and damages. Some states, like Ohio and New Jersey, have already begun the process of framing safe harbors in their respective state laws. To ensure adherence, covered entities can make a certification that is subject to penalties if later proven to be false and/or be subject to independent assessment by a government agency.

A breach caused by a nation-state actor could also be an affirmative defense to prevent companies from being liable. For example, if a company is breached by a Russian advanced persistent threat, lawsuits arising out of that breach would be reserved for governmental prosecution. This could be useful, as some insurance companies are already excluding coverage for hacks and breaches from nation-state actors. Of note, a safe harbor established under similar motivation was enacted after the September 11 attacks with the Terrorism Risk Insurance Act and has been proposed by the Cyberspace Solarium Commission for systemically important critical infrastructure entities.

Consideration #11: Arbitration

An alternative method of resolving disputes is using an arbitrator or a panel of arbitrators instead of litigating in court—a process that would require most cases to be settled outside of court. There is ongoing debate, however, as to whether arbitration should be considered within the confines of a data security and privacy law.

RECOMMENDATIONS

If Congress decides to include a PRA in federal legislation, it must balance an individual’s right to be made whole for a privacy violation with a covered entity’s concern over excessive lawsuits. If included, it must also strive to create more consistency in enforcement and avoid disparities between courts.

Opponents to a PRA cite drawbacks such as frivolous class-action lawsuits and high costs to businesses, which are concerns we share. Therefore, to achieve a consensus on this issue, we believe a more limited PRA is the solution for addressing these concerns and breaking the deadlock of an all-or-nothing approach. A limited PRA can be viewed as a backstop against the politicization of federal and state enforcement of individual damages, especially for marginalized communities that may be underserved by enforcement agencies. Below, we present our three key recommendations for balancing these objectives and finding a path forward.

Recommendation #1: The structure of a PRA needs to be carefully crafted to ensure it is workable. 

If Congress decides to include a PRA in legislation, it should address the mechanics for how a PRA will operate, including specific methods to address standing uncertainty, a delayed start and automatic termination.

• Specify a right to bring suit in statute, but vary outcomes based on the type of harm—Demonstrating harm has been a challenge in privacy cases, and recent Supreme Court cases create even more uncertainty as to what level and type of harm is sufficient to bring suit. Congress has a role in defining injuries that can help form the basis of a case, although that does not automatically satisfy standing requirements. Still, Congress could create statutory procedures to allow an individual to sue if, for example, their individual data was unlawfully disclosed—with a one-year statute of limitations from the period the individual knew or should have known about the breach. Congress could also specify the type of data that could constitute sufficient harm. For example, it could be all data covered by the definition of data, or it could be narrowed to a smaller subset.

  In addition, individuals should be permitted to exercise a PRA in cases where actual harm can be demonstrated. This accounts for scenarios in which data was shared or disclosed in violation of the statute outside of a data breach and resulted in a measurable harm.

  Permitting a PRA for other violations covered by federal legislation may present standing issues, including for a right to opt-in or access data. Congress should include statutory procedures to allow for a suit for these violations, but injunctive relief—after a statutorily required compliance period—should be the default instead of monetary damages. This would help reduce the risk of future harm.

  There are at least two exceptions to this recommendation: FTC fines and civil rights litigation. The FTC should maintain its right to levy fines in cases it deems necessary. Likewise, in civil rights litigation, individuals should maintain their rights to file suit under civil rights statutes.

• Privacy harms should be specific, substantive, measurable and enforceable—As Ohlhausen said in her speech on consumer injury, “Government does the most good with the fewest unintended side effects when it focuses on stopping substantial consumer injury instead of expanding resources to prevent hypothetical injuries.” The seven harms identified in recent literature (physical, economic, reputational, psychological, autonomy, discrimination and relationship)—while informative—are too expansive and are not ready to be used as the framework for privacy legislation. Because this list of harms does not have clear recognition and support by courts or consensus policy support, a narrower list of eligible harms should be enumerated by Congress.

  Based on the position taken by the FTC and the definition of harms in COPRA, consensus exists around at least five harms: physical, financial, reputational, deception and unwarranted intrusion. These should form the basis of the data security and data privacy law harm provisions.

  Congress should also consider the implications of injury constraint provisions and ensure that decisions on privacy harms in this bill do not negatively impact common law understandings of harms in areas such as property and contracts. Moreover, Congress should make these determinations with the understanding that any standards established for harms are bound by the inherent checks on the ability to use a PRA in the First Amendment, Section 230 and the rules of standing.

• Do not allow sunrise or sunset provisions—A sunrise provision would create a window for covered entities to revisit internal compliance structures ahead of enforcement and allow courts the necessary preparation time. However, this also means that consumers would have limited recourse for addressing violations because agency enforcement will initially be slow, given the need to hire additional staff and establish procedures. This makes PRA even more essential at the outset of a federal law.

  A sunset provision would provide covered entities with security that a PRA would be revisited after a certain period or it would end. However, if the PRA were to end abruptly, it could harm consumer recourse, and there is no guarantee that Congress would again revisit the statute to pass updates to the legislation. Congress should instead revisit the legislation holistically after a period of time and revise the PRA as needed.

Recommendation #2: Procedural steps should be implemented before a PRA can be exercised. 

This approach will help reduce the number of lawsuits and allows for fixes to be made before litigation. Important aspects of this approach include:

• Establish a right to cure as a step to solve issues before litigation—Consumers and covered entities should have a way to address privacy concerns and make complaints before exercising a PRA. As some argued was the case after the passage of the American with Disabilities Act of 1990, initial compliance can create crushing and antagonistic suits without doing much in the way of improving compliance. It can also threaten to put some companies out of business.” Addressing initial compliance and creating a cure period can help achieve the aims of consumers (who want to ensure the security and privacy of their data) and of covered entities (who need to use data as a function of their business). There are, however, limits to the usefulness of a right to cure. In cases where the harm was done already, such as a data breach or publication of private images, a right to cure would offer little utility. The focus should therefore remain on the majority of instances where a right to cure is both feasible and useful.

  The ultimate end goal of any enforcement approach is to ensure compliance. A right to cure paired with injunctive relief would likely result in that goal, as the cure period would require a company to implement data protection and privacy safeguards with some immediacy. This has an overall broader beneficial effect on individual consumers as a whole, with faster action and compliance, rather than the limited effect of relief for individual litigants that may come before the court.

  Specifically, for a five-year period after enactment, companies should be given a 30-day window to fix violations before a lawsuit should proceed to allow for a transition period. Courts should be the arbiters in cases of whether a company cured a violation (i.e., instead of federal agencies), and companies should be encouraged to develop an internal process to address violations by working with consumers. This is advantageous because informal resolution may be possible before escalating the issue.

• Privacy complaints should be filed with particularity—Filing with particularity is a common-sense solution to address the concern that privacy claims could be overly broad. More specifically, in privacy legislation, Congress should include language that specifies that in any private action, the complainant should be required to specify allegations, each violation alleged, and the reasons they believe that to be the case. In cases in which the plaintiff makes allegations against a company (i.e., that it violated the act, made an untrue statement of a material fact, committed a harmful data practice, conducted a deceptive data practice or violated the rights set forth in the act), the complaint should specify each violation alleged and the reason why the claimant believes it to be a violation. In addition, if an allegation regarding the behavior is made on information and belief, the complaint shall state with particularity all facts on which that belief is formed.

  Moreover, in any private action in which the plaintiff may recover monetary damages only on proof that the defendant acted with a particular state of mind, the complaint should state with particularity facts giving rise to a strong inference that the defendant acted with that state of mind.

• A review process should be a future consideration—Having a process in place for a federal agency or state attorney general to screen potential lawsuits would be a way to prevent those without merit from proceeding. Of course, specific safeguards would be necessary to ensure that consumers have access to courts in appropriate situations without being limited by a federal or state entity. This is not recommended at the present time because there are inadequate resources at the federal level to accomplish it. If such a federal screen were to be conducted by the FTC, additional resources would be needed. In the case of the passage of federal privacy legislation, the FTC’s resources would all go to establishing the privacy bureau and would not be available to establish another new process.

Recommendation #3: Limits should be established for a PRA. 

A PRA needs to be restricted with the goal of limiting lawsuits with inconsistent and excessive monetary awards while still providing relief to consumers. Specific ways to limit a PRA include:

• Incorporate injunctive relief to avoid or mitigate further harm—The specifics of injunctive relief will depend on the final provisions of a federal privacy bill. Injunctive relief is especially warranted when a consumer alleges that their rights under federal legislation were violated, but a breach has not occurred.

  A challenge is that injunctive relief is not always effective after a breach has occurred and works most effectively in situations where immediate remedy is necessary. After a breach, an individual’s data has already been disclosed. In such cases, injunctive relief could serve to prevent greater disclosure, but it would not correct what has already transpired in the same way that monetary damages could.

• Place limitations on damages—Having constraints on damages would prevent uncapped legal exposure for companies, create more consistent results and interpretation across the courts, and help reduce financially motivated lawsuits. For data breaches and cases where actual harm is demonstrated, individuals should be entitled to actual damages without statutory damages. If the harm is caused by willful behavior, punitive damages should be permitted up to a cap. As has been typical in recent years, courts should also have the authority to order a company to pay for credit monitoring for those who have been affected. For all other violations of federal privacy law, the actions of the company should be willful or repeated to be recoverable. Those cases should be eligible for actual damages and discretionary punitive damages up to a capped amount.

• Establish a safe harbor—Entities that take proactive steps or experience a breach from exceptional circumstances should not face the same liability as those who have failed to take affirmative measures to comply with statutory requirements, remain susceptible to known attacks or fail to address longstanding and known vulnerabilities. First, there should be a safe harbor for entities that voluntarily conform to a stated security framework. This would incentivize stronger cybersecurity programs by potentially limiting legal costs. The challenge will be assessing compliance beyond certifications by industry actors. A federal agency should evaluate compliance if a company seeks a proactive evaluation, which would serve as evidence for review by a court. However, a court needs to be able to reject that evaluation and independently evaluate it should an entity not go through agency review first.

  In addition, liability for data breaches caused by nation-state actors should not be the responsibility of covered entities. Safe harbor for covered entities does not preclude those entities from their responsibilities to protect their networks, but it does acknowledge that nation-state, adversary-caused incidents are beyond the normal scope of network defense and liability. In such situations, proof should be required that the breach was caused by a nation-state. With such proof, the company should be able to have an affirmative defense and should not be subjected to monetary penalties.

About this series: This is part of a series considering the major stumbling blocks of federal data security and data privacy efforts. It draws upon existing research and interview data to identify the most salient issues within data security and data privacy and recommend the most appropriate courses of action in an effort to find compromise on federal legislation.