Most legal academics are happy to be cited by courts–it’s at least proof of relevance. But it’s better if the Judge agrees with you, and that’s not what happened this week when Judge Amy Berman Jackson of the District Court of the District of Columbia, discussed my article Government Data Breaches, 24 Berkley Tech. L. J. 1019, 1049 (2009).
My article argues, correctly I still believe, that if the government takes your personal data, and then mishandles it so that it leaks to your detriment, the government has committed an actionable harm:
The key case in establishing the contours of the Due Process right to compensation for certain government data breaches is Chief Justice Rehnquist’s opinion in DeShaney [v. Winnebago Cty. DSS, 489 U.S. 189 (1989)]. Chief Justice Rehnquist is an unexpected source for a major information privacy right, and DeShaney is a particularly unexpected locus for its elucidation. DeShaney is notorious as an opinion in which the Supreme Court held that the state of Wisconsin had no duty under the Constitution to protect a boy, the infamous “poor Joshua” of Justice Blackmun’s dissent, from a permanently disabling beating by his father. The absence of a duty was controversial because the state social services were on actual notice that Joshua had been repeatedly injured and was at risk. In finding that the Due Process clause imposed no duty of care on state social services regarding children residing with a parent, at least absent a statutory or regulatory undertaking to protect children from their parents, Chief Justice Rehnquist distinguished Joshua’s case from one where a duty would have existed. Mere notice was not enough; the state would have had a duty only if it had placed Joshua in circumstances where it “renders him unable to care for himself, and at the same time fails to provide for his basic human needs ….” The duty arises “from the limitation which it has imposed on his freedom to act on his own behalf’ not “its failure to act to protect his liberty interests against harms inflicted by other means.’ Chief Justice Rehnquist immediately added in a footnote that, “[e]ven in this situation, we have recognized that the State ‘has considerable discretion in determining the nature and scope of its responsibilities.'”
When the State takes a person’s data and holds it in a fashion outside the person’s control, the State has done to that data exactly what Chief Justice Rehnquist said was necessary to trigger Due Process Clause protection: it has “by the affirmative exercise of its power” taken the data and “so restrain[ed]” it that the original owner is unable to exert any control whatsoever over how the government stores or secures it. The government’s “affirmative duty to protect” the data “arises … from the limitation which it has imposed on his freedom to act on his own behalf’ to keep the data secure.’ Again, “it is the State’s affirmative act of restraining the individual’s freedom to act on his own behalf” which creates a duty on the government to keep the data secure. The State created the danger, and thus the State is responsible for the outcome.
The plaintiffs in In Re: U.S. Office Of Personnel Management Data Security Breach Litigation, — F.Supp.3d —-, 2017 WL 4129193, MC 15-1394 (ABJ), MDL 2664 (D.D.C. Sept. 19, 2017), sought to apply this theory to the massive data breach by the Office of Personnel Management, AKA the OPM hack. Plaintiffs claimed the government breached an actionable duty by failing to protect (or, as plaintiffs put it, being grossly negligent in failing to protect) their personal data.
Unfortunately, Judge Jackson did not agree (footnotes omitted):
Given … the absence of binding precedent one way or the other, this Court also finds it prudent to avoid wading into the legal waters surrounding the existence or scope of any constitutional right to informational privacy in general when it is not necessary to do so. And it is not necessary here because the NTEU claim is asking the Court to recognize a constitutional violation that no court has even hinted might exist: that the assumed constitutional right to informational privacy would be violated not only when information is disclosed, but when a third party steals it. See NTEU Compl. ¶¶ 96-98; NTEU’s Opp. at 25-44 (arguing that the government has an affirmative duty “grounded in the constitutional right to informational privacy” to safeguard plaintiffs’ private data). In other words, even if an individual who completes an SF 85 or SF 86 has a constitutional right to privacy in the information he or she is being asked to provide, it is well-established that the government has the right to gather that information. And even if it might violate the Constitution for the government to then deliberately disclose the information, there is no authority for the proposition that the Constitution gives rise to an affirmative duty — separate and apart from the statutory requirements enacted by Congress — to protect the information in any particular manner from the criminal acts of third parties. See, e.g., Harris v. McRae, 448 U.S. 297, 317-318 (1980) (discussing the Due Process Clause of Fifth Amendment and declining to “translate the limitation on governmental power implicit in the Due Process Clause” into an affirmative obligation on the government).
The sole source plaintiffs identify for the existence of the affirmative duty they would have this Court enforce is a law review article. NTEU’s Opp. at 37, citing A. Michael Froomkin, Government Data Breaches, 24 Berkley Tech. L. J. 1019, 1049 (2009) (“When the State takes a person’s data and holds it in a fashion outside the person’s control, the State has done to that data exactly what Chief Justice Rehnquist said was necessary to trigger Due Process Clause protection: it has `by the affirmative exercise of its power’ taken the data and `so restrain[ed]’ it that the original owner is unable to exert any control whatsoever over how the government stores or secures it. The government’s `affirmative duty to protect’ the data `arises . . . from the limitation which it has imposed on his freedom to act on his own behalf’ to keep the data secure.”). Given the absence of any binding precedent — or even any persuasive writing from other courts — that recognizes a constitutionally based duty to safeguard personal information, and the D.C. Circuit’s expressed skepticism about the existence of a right to informational privacy in the first place, this Court is compelled to hold that plaintiffs have failed to state a constitutional claim.
The thing is, my article anticipates Judge Jackson’s rejoinder:
One might object that the DeShaney holding stands for the proposition that when the government stands by and lets another do harm to a person, that person has no recourse unless the government has taken on an affirmative duty to protect. In this view, exposing private data on the web or losing an unencrypted database is not the harm. Rather, the harm comes from a third party’s use of the data, something for which this reading of DeShany says the government should not be blamed. But this is a misreading of De- Shaney because the analogy is incorrect. In DeShany, the State had no duty because it had never taken Joshua into care. The harms he suffered at his father’s hands were private wrongs, a direct transaction in which the government had no part. […]
Indeed, it was the claim that the government had a duty to intervene which was the heart of the plaintiffs case, and which the majority rejected.
Contrast this to a hypothetical lost database: there is no question that the government had taken full control of the data before it lost them. Once the government takes that control, the subject of the data is completely disempowered with regards to how the data will be protected. Therefore, it is nonsensical to suggest that when the government negligently allows a third party to access the data, that third party is the only relevant actor for Due Process purposes. The government remains the critical intermediary, the one actually responsible for allowing the loss. In the case of information controlled by the government, it is not a bystander, but rather a direct agent. The government’s active role in controlling the data, one that displaces the subject or owner of the data, is what creates the duty of care. Or as the Seventh Circuit stated, “The state must protect those it throws into snake pits, but the state need not guarantee that the volunteer snake charmer will not be bitten.” [Walker v. Rowe, 791 F.2d 507, 511 (7th Cir. 1986).]
In short, Judge Jackson links two issues that I think ought to be seen as separate. One issue is whether the Constitution creates a a generalized right to information privacy. Judge Jackson notes, fairly enough, that currently there is no judicial recognition of such a right. But that’s not the only question at issue here. Even in the absence of a general substantive constitutional duty to protect information privacy, I believe that the rule in Chief Justice Rehnquist’s DeShaney opinion compels the conclusion that when the government demands your data, takes it, and fails to care for it, that creates a valid claim.
Judge Jackson may be right that the D.C. Circuit is not ready to find a general constitutional right to information privacy, a right that likely would extend far beyond data breaches and into, for example, data collection practices. But why, even if we stipulate that Judge Jackson correctly reads the DC Circuit tea leaves on information privacy rights generally, does this tell us anything about the much narrower Due Process claim at issue in the OPM case?
One need not find a generalized right to information privacy to hold, following the logic of DeShaney, that the government has a duty of care when it creates the circumstances which both make the data vulnerable and makes self-help by the data subject impossible. What exactly that duty of care requires could certainly be debated, but whatever the level of care turns out to be, it surely must exceed the gross negligence alleged by the plaintiffs in the OPM case.
I should note that Judge Jackson cites one case in support of her assertion that the Due Process clause cannot create a governmental duty “to protect the information in any particular manner from the criminal acts of third parties. See, e.g., Harris v. McRae, 448 U.S. 297, 317-318 (1980) (discussing the Due Process Clause of Fifth Amendment and declining to “translate the limitation on governmental power implicit in the Due Process Clause” into an affirmative obligation on the government).” I think the citation to Harris is misplaced. Harris is a 1980 case; DeShaney was decided in 1989, and in case of conflict the later case ought to prevail. But in fact there is no conflict: Harris was a challenge to the Hyde Amendment, and in rejecting the challenge the Supreme Court stated that the Due Process Clause could not be invoked to create a requirement that Congress providing funding for something. Given the bedrock principle that “No Money shall be drawn from the Treasury, but in Consequence of Appropriations made by Law,” U.S. Const. Article I, § 9, Cl. 7, the Harris holding on this point seems clearly correct — but also irrelevant to the OPM case which is not about legislation or funding.
I think it’s only a matter of time before US law recognizes a right to have the government apply at least reasonable safeguards to personal information it holds. This case shows why that rule is necessary. I wonder if the plaintiffs will appeal?