As highlighted in the Data Security Incident Response Report, government entities such as universities, medical centers, public utilities and transportation services companies have become highly sought-after targets of cyber litigation, as they increasingly rely on technology to provide essential services to millions of citizens. Yet whether enshrined in a state’s constitution or statute or a concept of judicial creation, the general principles of sovereign immunity can potentially shield the government and its agencies from civil liability, for most claims, in the wake of a data breach.

We have seen a recent trend in which plaintiffs are attempting to creatively expand a government’s cyber liability by arguing that personal identifiable information (PII) is a property right, and thereby attempting to capitalize on the waiver of sovereign immunity involving individuals’ property rights. See, e.g., N.M. Stat. § 41-4-6 (waiving sovereign immunity for property damages resulting from a public employee’s negligence); Minn. St. Ann. § 3.736 (waiving sovereign immunity for property damage under certain conditions). Plaintiffs are also attempting to expand a government’s cyber liability by arguing that government entities, in particular medical centers, have voluntary contractual obligations under the Health Insurance Portability and Accountability Act (HIPAA) when personal health information (PHI) is involved.

Despite plaintiffs’ best efforts, government entities still have many options to defend against these creative attempts. First, a privacy interest in one’s PII does not automatically equate to a property interest in that information. In fact, courts have repeatedly concluded that although there is a privacy interest in a person’s driver’s license number, Social Security number, address, etc., the law has not framed these protections as property rights. See, e.g., Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 695 (7th Cir. 2015) (refraining from taking a position on the plaintiffs’ property right theory); Quintero Cmty. Ass’n, Inc. v. Hillcrest Bank, 2014 WL 1764791, at *5 (W.D. Mo. May 2, 2014) (“Having a privacy interest in personal information, however, does not necessarily mean that [plaintiff] has a present property interest in that same information.”), aff’d sub nom. Quintero Cmty. Ass’n Inc. v. F.D.I.C., 792 F.3d 1002 (8th Cir. 2015).

Second, some states have already rejected plaintiffs’ attempts to expand an individual’s intangible PII or PHI “property right” to the same protections as for tangible property. This is because these states have expressly limited waivers of sovereign immunity to tangible property interests only. See, e.g., McConnell v. Dep’t of Labor, 345 Ga. App. 669, 671 (Ct. App. 2018) (defining “loss” as “damage to tangible property”); Univ. of Tex Health Science Ctr. at Houston v. DeSoto, 401 S.W.3d 319, 325 (Tex. Ct. App. 2013) (concluding that sovereign immunity is waived when the injury is “proximately caused by the condition or use of tangible property.”); Bufford v. Pa Dep’t of Transp., 670 A.2d 751, 753 (Pa. Comm. Ct. 1996) (concluding that sovereign immunity is waived when “the personal property itself causes the plaintiff’s injury.”) (emphasis in original).

Thus, although we expect plaintiffs to continue to try to erode sovereign immunity, governmental and quasi-governmental entities should not give up on these protections without a fight.

[View source.]