On November 2, 2016, Judge Rosemary Collyer of the U.S. District Court for the District of Columbia dismissed a class action cybersecurity lawsuit against the Internal Revenue Service (“IRS”) for lack of standing and failure to state a claim.
The lawsuit stems from a breach in the IRS’s Get Transcript system, which operated from January 2014 to May 2015. The system was designed to allow taxpayers to access their prior-year tax information online. It was shut down in May 2015 when the IRS noticed unusual activity, leading to the discovery that 330,000 records had been improperly accessed by hackers between February and May 2015. The records included a broad range of taxpayer information, including personally identifiable information (“PII”).
The plaintiffs—three individual taxpayers—brought the class action suit against the IRS in August 2015 after the agency’s disclosure. According to the complaint, two of the plaintiffs had fake tax returns filed in their names. The third plaintiff was notified by the IRS that her information was compromised by the Get Transcript system and thereafter suffered two instances of fraud on her bank accounts.
In the suit, the plaintiffs alleged that (i) the IRS’s operation of the Get Transcript system violated the federal Privacy Act, (ii) the release of their PII violated the Internal Revenue Code, and (iii) the IRS’s failure to abide by federal information security laws and regulations was “arbitrary and capricious” such that the IRS should be enjoined under the Administrative Procedure Act. The complaint referenced a report by the Treasury Inspector General for Tax Administration, which stated that certain IRS security systems did not meet federal guidelines and specifically recommended higher security for the Get Transcript system.
Relying heavily on the Supreme Court’s 2013 decision in Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013), and on the 2014 D.C. District Court’s decision in In re Science Applications International Corp. Backup Tape Data Theft Litigation, 45 F. Supp. 3d 14 (D.D.C. 2014) (“SAIC”), Judge Collyer dismissed much of the suit on standing grounds, including all of the claims asserted by one of the plaintiffs.
As to the third plaintiff, the court specifically found that she had failed to demonstrate that the fraudulent activity in her bank accounts was caused by the breach of the Get Transcript system. The only evidence this plaintiff offered in the complaint was that the fraudulent activity occurred after the IRS data breach and that she had not received notification of any other breaches of her PII. Under SAIC, which is one of the leading cases in the data breach standing area, a plaintiff must put forward sufficient facts to show that the injuries can be traced to the specific breach incident. Thus, the court found, this temporal connection alone was not enough to confer standing.
The court held that the other two plaintiffs had standing for their Privacy Act and Internal Revenue Code claims, but only as to identity theft related to the fake tax filings. Those plaintiffs’ other claimed injuries—risk of future harm, costs of credit monitoring, and diminished value of personal information—were held to be too ephemeral to confer standing. Here, the court specifically relied upon Clapper and SAIC, which held that similar speculative harms, as well as harms that a plaintiff imposes on herself to protect against such speculative harm, cannot create standing, even if the fears of such harms are rational. The court also dismissed the Administrative Procedure Act claims for lack of standing on the grounds that the plaintiffs had failed to demonstrate a risk of continuing harm justifying injunctive relief.
The court then dismissed the remaining claims for failure to state a claim. Specifically, Judge Collyer held that the Privacy Act requires claims of actual damages, and because the only harm that the plaintiffs adequately pled—duplicate tax returns—did not cause them monetary harm, the complaint could not support a claim under the Privacy Act. The court also held that the plaintiffs’ claims under the Internal Revenue Code were barred by sovereign immunity. The Internal Revenue Code only allows a suit where an IRS employee knowingly or negligently releases taxpayer information. Here, however, the plaintiffs’ claim was that the IRS failed to properly design the Get Transcript system to safeguard the information, leading to disclosure. This claim, the court found, was too attenuated to meet the sovereign immunity exception under the Internal Revenue Code.