Enforcing national data security and privacy legislation presents challenges in both scope and scale. Congress’s decision regarding who they choose to empower—be it individuals, state attorneys general, one or more federal agencies, or a combination thereof—will dictate the true shape of the law, once passed. If individuals are empowered with an enforcement role—that is, if a private right of action (PRA) is established—it is important to outline the structure, procedures and limits to craft a fair and functional law.

But reaching a consensus on whether federal data security and privacy legislation should even include a PRA has been particularly challenging. Many advocates of a PRA see it as a necessary component to a meaningful enforcement regime, as a properly drafted PRA could fulfill at least three strategic goals: empowering consumers to advocate for themselves, incentivizing the compliance of covered entities and allowing consumers to be made whole for damages—a supplement to potential Federal Trade Commission (FTC) authority to order monetary relief or impose fines. On the other hand, opponents warn that a PRA in federal data security and privacy legislation would likely result in widespread litigation, including frivolous lawsuits and overly broad legal exposure for the private sector. These skeptics believe enforcement by a federal agency or by a combination of a federal agency and state attorneys general would result in a more effective, cohesive and predictable enforcement regime.

In deciding whether to create a PRA, Congress must balance the diverse priorities and perspectives of different stakeholders. It must consider industry and consumer concerns, the adequacy of remedies, the role of states, and regulatory capability and capacity. While a PRA has its drawbacks, the consensus position that takes these issues into account has settled around a limited PRA as a backstop against shifting political winds and executive branch control over privacy enforcement. Just as in other areas, however, Congress should avoid an all-or-nothing approach in striking this balance, taking into account the role of enforcement by the FTC and state attorneys general under state laws and any new federal privacy law. In addition, if Congress chooses to create a PRA, it should empower everyday Americans to assist in the enforcement of the new law in a clear, confined and meaningful way that protects both the American consumer and innovation.

This publication—the last in a series of three main articles—explores the various considerations and options for structuring such an enforcement mechanism and then presents our key recommendations for reaching a consensus.

CONSIDERATIONS AND OPTIONS

Consideration #1: Applicability of a PRA

A PRA could either apply broadly in statute or exclusively to specific provisions. The broadest approach would allow a PRA for any individual alleging a violation of the federal law or regulation to be brought in either state or federal court. This could permit suits for violations of all provisions from a right to access to data breaches. However, a PRA could be limited to apply to specific violations of the statute like a data breach. For example, California’s privacy legislation permits a PRA only in the case of a data breach, whereas other enforcement mechanisms permit broader action (e.g., the state attorney general is empowered to address all violations of the statute).

Consideration #2: Consumer Standing

The Constitution requires that individuals have “standing” in order to bring a civil suit. This means they must have suffered a real and individualized harm to bring a successful lawsuit. Demonstrating such harm as a result of privacy violations can be challenging because the harm may not be direct or apparent and would therefore present a constitutional standing challenge. This challenge would be exacerbated by the fact that traditional legal concepts are hard to apply to the digital world.

Indeed, in Spokeo, Inc. v. Robins, the U.S. Supreme Court held that demonstrating a violation of the statute alone, without showing a real and individualized harm, is insufficient to meet the constitutional standing requirement. Of note, there is one prominent instance in privacy law in which individuals can bring suit without alleging harm beyond a violation of their rights under the statute; it is in the case of one particular type of data (biometric) in one specific state (Illinois).

In determining whether an individual has standing, courts are required to look to traditional harms for comparisons, like those caused by defamation and theft. The Court noted in Spokeo that Congress can play a role in assisting the courts by clarifying the harm in privacy violations that may give an individual standing. Subsequently, in TransUnion LLC v. Ramirez, the Court underscored that “Congress’s creation of a statutory prohibition or obligation…does not relieve courts of their responsibility to independently decide whether a plaintiff has suffered a concrete harm…any more than, for example, Congress’s enactment of a law regulating speech relieves courts of their responsibility to independently decide whether the law violates the First Amendment.”

Concrete harm appears to be a constitutional standing requirement, and the court has continued to look to traditional harms when determining whether a harm has occurred in a particular case. The Spokeo and TransUnion holdings create uncertainty in terms of the harms that may be sufficient to give an individual standing to bring suit for privacy violations. Future court decisions to clarify this issue are necessary and likely. While this area of the law develops, Congress could articulate a harm in statute, specifically considering the violations the harm would apply to, what traditional harms would be similar, and what alternative enforcement mechanisms would exist if standing were inadequate. Thankfully, legislative bodies and academic institutions across the country have identified practical frameworks under which privacy harms can be better understood.

Some of these frameworks have attempted to articulate what harms should be legally cognizable (i.e., sufficient) to provide an individual standing to bring suit. Recent literature categorizes the harms into seven areas: physical, economic, reputational, psychological, autonomy, discrimination and relationship. Some of these have a clear basis in existing law and might help future courts consider harm in the privacy context.

Other frameworks see a duty of loyalty as being a solution to standing issues, where entities should act in the best interest of those who expose their data, and the integrity of the relationship guides the duties. A breach of a duty of loyalty is the injury itself and has long been recognized by courts as a legally cognizable harm. In contrast, a duty of care is not based solely on the relationship, and specific harm is needed.

In the Consumer Online Privacy Rights Act (COPRA), privacy harms are included under the duty of loyalty provisions, covering the definitions of deceptive data practices and harmful data practices. Under harmful data practice, five injuries are established: physical; financial; reputational; physical or other offensive intrusion upon the solitude or seclusion of the individual; and “other” substantial injury. The former acting chair of the FTC, Maureen Ohlhausen, discussed injury similarly—the five types of injury she identified through cases brought by the FTC were financial; health and safety; reputational; unwarranted intrusion; and deception injury and subverting consumer choice.

Consideration #3: Advocacy Groups as Enforcers

Groups could be designated at the state level to bring lawsuits in lieu of consumers. If groups were empowered to bring lawsuits instead of consumers, this would lower the number of potential litigants and most likely reduce litigation. Some Senate bills have included provisions permitting a protection and advocacy (P&A) organization to bring a civil action against a covered entity, allowing each state to designate one organization. Of note, there is precedent in federal law for this approach: The Developmental Disabilities Assistance and Bill of Rights Act of 1975, for example, established state P&A systems to advocate, investigate abuses and ensure enforcement. That system also permits class litigation in some cases.

Consideration #4: Sunrise and Sunset Provisions

Sunrise and sunset provisions can impact when a PRA would become effective and how long it would last. A sunrise provision allows for a portion of a law to apply to a specific period of time before the main body of the law becomes active. A sunset clause, on the other hand, provides that an entire statute or portion thereof ceases to exist after a fixed amount of time or certain statutory conditions are satisfied. These mechanisms could be a way to keep legislation in check by timing more aggressive enforcement and incentivizing lawmakers to assess the law’s effectiveness continually. The mechanics of such provisions would be important to outline, including: whether time alone triggers the provision; whether certain conditions in the statute need to be met; what other provisions in the legislation might have a sunrise and/or sunset provision; or whether additional congressional approval is needed.

Consideration #5: A Right to Cure

A right to cure, also known as an opportunity to cure, refers to an opportunity for entities to address complaints by consumers before litigation. This process can be managed by a federal agency or court and, when an individual files a complaint, the agency or court is responsible for ensuring that the complaint is addressed; if it is not sufficiently addressed, a PRA could commence. A recent report suggests this could go hand in hand with a right to recourse—an entity’s internal process through which a consumer can resolve potential violations and/or privacy concerns. For either to work, standards would need to address what is “corrected enough,” whether it should apply to all companies or just smaller ones, how much time should be allowed to resolve the issue and what entity makes and enforces these rules.

Consideration #6: Filing of Complaints with Particularity

Filing complaints “with particularity” means that a plaintiff must provide “in great detail, all the relevant facts forming the basis of her belief” with facts for any malice, intent, knowledge and other conditions of a person’s mind that may be alleged generally. Some argue that privacy claim pleadings now are not mapped to harms, and, after the passage of a federal bill, should be mapped to statutorily granted harms. This is similar to the process undertaken for Securities and Exchange Commission filings or for fraud claims under the Federal Rules of Civil Procedure.

Consideration #7: Feasibility Review

Frivolous lawsuits present a challenge to a PRA. Suits under a PRA could address this concern by being subject to a screening before proceeding to the courts. A review could answer questions of legitimacy, basic adequacy and motivation. Multiple existing state and federal bodies could serve as a model for this type of board, including the Massachusetts Medical Malpractice Tribunal, federal administrative review boards and the U.S. Equal Employment Opportunity Commission. Any screening model selected would need to set specifications for duration of review, impartiality, sufficiency standards and resource determinations.

Consideration #8: Injunctive Relief

Injunctive relief is mandated legal action that forces an individual or entity to stop or start a behavior or to carry out a certain action. Injunctive relief could mandate that behavior that is causing harm to an individual or group of individuals be stopped. If enforcement encompasses injunctive relief, it could help reduce lawsuits motivated by financial reasons. However, despite injunctive relief’s potential usefulness as an enforcement tool, its effectiveness depends on the specific harm in question. For example, injunctive relief could be granted to require a company to improve its security controls to prevent future similar attacks, but it would not offer other remedies available to litigants in traditional litigation.

Consideration #9: Tiered Rights and Damages

Damages could be structured in several ways to account for the potentially competing variables at play, which include how to make harmed individuals whole, ensure that punishments are appropriate for specific violations and prevent excessive judgments. One proposed concept suggests that dynamic standards be tied to the different provisions in legislation. It would require harms be recognized as invasions of privacy, discrimination or financial loss in one way; violations that affect privacy be recognized in another way; and that all other types of violations be recognized a third way, with a different level of knowledge or intention to be subject to different degrees of liability.

Other considerations related to tiered rights and damages include capping damages to limit exposure; escalating enforcement for willful and repeated violations; determining the types of damages to be awarded like statutory damages and/or punitive damages; and covering other expenses like attorney fees and litigation costs.

Consideration #10: Limiting Legal Exposure

Measures could be implemented to help covered entities limit their legal exposure. There are two common ways of approaching this issue: establishing a safe harbor and making a breach by a nation-state actor an affirmative defense.

A safe harbor, or an affirmative defense, can provide legal protection for a covered entity against a data breach claim if certain steps are taken. By following an established data protection and security framework, such as the standards set out by the National Institute of Standards and Technology, covered entities can be shielded entirely or have their liability limited in precise and predictable ways. A safe harbor serves as an incentive for covered entities to implement data protection measures rather than incurring litigation expenses and damages. Some states, like Ohio and New Jersey, have already begun the process of framing safe harbors in their respective state laws. To ensure adherence, covered entities can make a certification that is subject to penalties if later proven to be false and/or be subject to independent assessment by a government agency.

A breach caused by a nation-state actor could also be an affirmative defense to prevent companies from being liable. For example, if a company is breached by a Russian advanced persistent threat, lawsuits arising out of that breach would be reserved for governmental prosecution. This could be useful, as some insurance companies are already excluding coverage for hacks and breaches from nation-state actors. Of note, a safe harbor established under similar motivation was enacted after the September 11 attacks with the Terrorism Risk Insurance Act and has been proposed by the Cyberspace Solarium Commission for systemically important critical infrastructure entities.

Consideration #11: Arbitration

An alternative method of resolving disputes is using an arbitrator or a panel of arbitrators instead of litigating in court—a process that would require most cases to be settled outside of court. There is ongoing debate, however, as to whether arbitration should be considered within the confines of a data security and privacy law.

RECOMMENDATIONS

If Congress decides to include a PRA in federal legislation, it must balance an individual’s right to be made whole for a privacy violation with a covered entity’s concern over excessive lawsuits. If included, it must also strive to create more consistency in enforcement and avoid disparities between courts.

Opponents to a PRA cite drawbacks such as frivolous class-action lawsuits and high costs to businesses, which are concerns we share. Therefore, to achieve a consensus on this issue, we believe a more limited PRA is the solution for addressing these concerns and breaking the deadlock of an all-or-nothing approach. A limited PRA can be viewed as a backstop against the politicization of federal and state enforcement of individual damages, especially for marginalized communities that may be underserved by enforcement agencies. Below, we present our three key recommendations for balancing these objectives and finding a path forward.

Recommendation #1: The structure of a PRA needs to be carefully crafted to ensure it is workable. 

If Congress decides to include a PRA in legislation, it should address the mechanics for how a PRA will operate, including specific methods to address standing uncertainty, a delayed start and automatic termination.

Recommendation #2: Procedural steps should be implemented before a PRA can be exercised. 

This approach will help reduce the number of lawsuits and allow for fixes to be made before litigation. Important aspects of this approach include:

Recommendation #3: Limits should be established for a PRA. 

A PRA needs to be restricted with the goal of limiting lawsuits with inconsistent and excessive monetary awards while still providing relief to consumers. Specific ways to limit a PRA include:

About this series: This is part of a series considering the major stumbling blocks of federal data security and data privacy efforts. It draws upon existing research and interview data to identify the most salient issues within data security and data privacy and recommend the most appropriate courses of action in an effort to find compromise on federal legislation.

INTRODUCTION – The Path to Reaching Consensus for Federal Data Security and Privacy Legislation

PART 1 – Preemption in Federal Data Security and Privacy Legislation

PART 2 – The Role of the Federal Trade Commission in Federal Data Security and Privacy Legislation

EXPLAINER – Answer to Tough Questions: The Framework of a Federal Data Security and Privacy Law
