[BreachExchange] IRS Data Breach Class Action Dismissed

Audrey McNeil audrey at riskbasedsecurity.com
Wed Nov 16 20:09:46 EST 2016


http://www.jdsupra.com/legalnews/irs-data-breach-class-action-dismissed-74154/

Last week, the Internal Revenue Service successfully defeated a putative
class action related to a data breach it suffered in 2015. The D.C.
District Court’s decision dismissing the suit demonstrates the high bar
required to hold a federal agency accountable for lapses in cybersecurity.

In Welborn v. IRS (Case No. 15-1352, D.D.C.), Plaintiffs Becky Welborn,
Wendy Windrich and Beth DuPree, on behalf of a proposed class, sued the IRS
in connection with a cyberattack on the agency’s website in which over
300,000 tax-related documents were stolen.

Plaintiffs alleged that the IRS violated their rights under the Privacy
Act, 5 U.S.C. § 552a, the Administrative Procedure Act (APA), 5 U.S.C. §
701 et seq., and the Internal Revenue Code, 26 U.S.C. § 6103, by
“disclosing or failing to prevent the disclosure of their personal
identification information to third parties.”

Standing Sufficient Only Where Actual Injury and Causation Shown

As an initial matter, the court determined that only two of the three named
plaintiffs had standing to bring suit. Mses. Welborn and Windrich, who had
suffered actual identity theft when someone filed false tax returns and
claimed fraudulent refunds in their names, had shown sufficient
injury-in-fact and causal connection to the IRS data breach to establish
standing to sue for monetary damages.

Ms. DuPree’s claims, however, were dismissed for failure to show causation.
Although Ms. DuPree alleged that (1) the IRS notified her that her personal
information may have been hacked; (2) no other entity had informed her of a
similar data breach; and, (3) she had been the victim of at least two
instances of fraudulent activity in her financial accounts following the
IRS data breach, the court ruled that there was no nexus showing that the
data obtained from the IRS breach was necessarily used to perpetrate the
fraud on her accounts. Simply alleging that the financial fraud happened
after the data breach was insufficient.

Failure to State a Claim Under the Privacy Act and the Internal Revenue Code

The court also dismissed Plaintiffs’ claims under the Privacy Act for
failure to state a claim for actual damages related to the IRS’s alleged
failure to safeguard plaintiffs’ personal information. The court ruled that
the fraudulent tax returns filed in plaintiffs’ names, the lost time and
money spent dealing with data theft and future credit monitoring, and the
heightened risk of further identity theft did not equate to actual
pecuniary or material damage related to the IRS data breach. Sovereign
immunity protects the Federal Government from liability for reputational or
emotional harm. Similarly, sovereign immunity barred Plaintiffs’ claims
under the Internal Revenue Code.

Finally, the court ruled that Plaintiffs had no standing to sue for
equitable relief under the APA, as there was no allegation of an ongoing
threat to their personal information, and that there is no private right of
action under the Federal Information Security Modernization Act (FISMA).

Needless to say, courts will set a very high bar for plaintiffs seeking to
establish standing to sue governmental agencies for data breaches.