WikiLeaks Document Release http://wikileaks.org/wiki/CRS-RS21229 February 2, 2009 Congressional Research Service Report RS21229 Remedies for the Improper Disclosure of Personal Information Alison M. Smith, American Law Division Updated July 8, 2002 Abstract. This report provides an overview of the available remedies in selected federal privacy laws. Order Code RS21229 Updated July 8, 2002 CRS Report for Congress Received through the CRS Web Remedies for the Improper Disclosure of Personal Information Alison M. Smith Legislative Attorney American Law Division Summary http://wikileaks.org/wiki/CRS-RS21229 This report provides an overview of the available remedies in selected federal privacy laws. This report will be updated as events warrant. Applicable federal statutes provide a wide array of remedies for improper disclosure of certain personal information. Some provide criminal penalties including fines ranging from $5,000 to $250,000 and/or imprisonment from 6 months to 10 years depending on whether the violation was committed under false pretenses or for commercial advantage, personal gain or malicious harm. Other statutes provide private rights of action for aggrieved individuals and award actual damages, compensatory damages and punitive damages for willful, intentional or knowing violations. Other statutes provide that State attorneys general may bring civil actions on behalf of the residents of a state. A few of the privacy statutes do not provide for private or state rights of action. Instead, other agencies, such as the Federal Trade Commission (FTC) are charged with enforcement. In these instances, the FTC is authorized to bring enforcement actions and impose civil penalties for violations as unfair and deceptive trade acts or practices under the Federal Trade Commission Act.1 1 15 U.S.C. §§ 41 et seq. Congressional Research Service ~ The Library of Congress CRS-2 Title Applies To Records Private Right of Action Civil Penalty Criminal Penalty Covered Fair Credit Reporting Consumer Consumer An aggrieved consumer may Actual damages of not less than $100 and Under false pretenses, a Act of 1970 - 15 U.S.C. reporting credit reports. file suit within two years from not more than $1,000, punitive damages for defendant is subject to a fine, §§ 1681 et seq. agencies. the date on which liability willful noncompliance, litigation costs and imprisonment for not more arises for impermissible attorney fees. For negligent noncompliance, than 2 years, or both. disclosure, use or receipt of a actual damages and litigation costs and consumer credit report.2 attorney fees. Under false pretenses, defendant shall be liable to the consumer http://wikileaks.org/wiki/CRS-RS21229 reporting agency for the greater of actual damages or $1,000. Video Privacy Videotape Video rental An aggrieved person may bring Actual damages (not less than $2,500), None. Protection Act of 1988 - service records. suit within two years from the punitive damages, litigation costs and 18 U.S.C. § 2710. providers. discovery of the alleged attorney fees. violations for impermissible disclosure of personally identifiable information. Right to Financial Financial Financial An aggrieved customer may Actual damages, punitive damages for None. Privacy Act of 1978 - Institutions. records. bring suit within three years willful or intentional disclosure, litigation 12 U.S.C. §§ 3401 et after discovery of costs and attorney fees. seq. impermissible disclosure to a government authority. Telephone Consumer Tele- Unsolicited An aggrieved person or entity The greater of actual damages or $500 for None. Protection Act - 47 marketers. telephone may bring suit. State attorneys each violation. For willful or knowing U.S.C. § 227. calls. general may bring civil action. violations, the court may award up to treble damages. 2 See TRW v. Andrews, 122 S. Ct. 441 (2001) (holding that the statute of limitations begins to run when inaccurate disclosures occur, and not when the victim learns of the disclosures). CRS-3 Title Applies To Records Private Right of Action Civil Penalty Criminal Penalty Covered Privacy Act of 1974- Federal Individually An aggrieved individual must Actual damages (not less than $1,000), For willful disclosure, 5 U.S.C. § 552a. agencies. identifiable bring suit within two years litigation costs and attorney fees. misdemeanor offense and fine federal agency after discovery of of not more than $5,000. records. impermissible disclosure. Family Educational Educational Student No.3 None. An institution with a policy or None. Rights and Privacy Act institutions records. practice of improper disclosure shall lose - 20 U.S.C. § 1232g. receiving federal funds. federal http://wikileaks.org/wiki/CRS-RS21229 funds. Health Insurance Health Individually No. Individuals have the right None. For simple violations, fine up Portability & plans, identifiable to file a formal complaint with to $50,000 and/or Accountability Act - 42 health care health a covered provider or health imprisonment of up to one U.S.C. §§ 1320d et seq. providers information. plan, or with the Department of year. For violations committed and Health and Human Services. under false pretenses, fine up clearing- to $100,000 and/or houses. imprisonment up to 5 years. For offenses committed for commercial advantage, personal gain, or malicious harm, fine up to $250,000 and/or imprisonment up to 10 years. Cable Communication Cable Cable Any person aggrieved may Actual damages (but not less than liquidated None. Policy Act of 1984 - 47 television television bring a civil action for damages computed at the rate of $100 a day U.S.C. § 551. service subscriber improper disclosure of or $1,000, whichever is higher), punitive providers. records. personally identifiable damages, litigation costs and attorney fees. information. 3 In Gonzaga v. Doe, the United States Supreme Court held that FERPA provisions create no personal rights to enforce under 42 U.S.C.§ 1983. No. 01-679, slip op. at 3-15 (June 20, 2002). CRS-4 Title Applies To Records Private Right of Action Civil Penalty Criminal Penalty Covered Telecommunications Telecomm- Consumer No express private right of FTC authorized to bring enforcement actions None. Act of 1996 - 47 U.S.C. unications proprietary action.4 and impose civil penalties for violations as § 222. carriers. network infor- unfair and deceptive trade acts or practices mation. under the Federal Trade Commission Act. Electronic Providers Telecomm- An aggrieved individual may Actual damages (not less than $1,000), Fine up to $250,000 for Communications of unications, e- bring a civil action within two punitive damages for knowing or intentional individuals and $500,000 for Privacy Act of 1986 - electronic mails and years of discovery of improper noncompliance, litigation costs and attorney organizations, imprisonment of 18 U.S.C. §§ 2510-2522. comm- stored interception or disclosure of fees. not more than five years or http://wikileaks.org/wiki/CRS-RS21229 unications computer data. wire, oral, or electronic both. service. communications. Computer Fraud and Anyone. Computers in An aggrieved person may bring Compensatory damages and injunctive For simple violations , Abuse Act - 18 U.S.C. § which there is suit within two years after relief. Damages are limited to economic imprisonment up to one year 1030 a federal violation occurs or discovery damages. and/or fine. For violations for interest. of the damage. gain or involving more than $5,000, imprisonment up to five years and/or fine. For repeat offenders, imprisonment up to 10 years and/or fine. Gramm-Leach-Bliley Financial Non-public No. Consumers can complain FTC authorized to bring enforcement actions Fine, imprisonment for not Act - 15 U.S.C. §§ 6801- institutions personal to one of the seven federal and impose civil penalties for violations as more than 5 years, or both. 6809. financial agencies that have jurisdiction unfair and deceptive trade acts or practices Enhanced penalties for records. and enforcement authority over under the Federal Trade Commission Act. aggravated cases. financial institutions.5 4 See, Conboy v. AT&T Corp., 241 F.3d 242,251 (2d Cir. 2001)(finding that Section 222 of the Act did not provide for the recovery of presumed , or "statutory," damages). 5 The seven federal agencies which enforce the privacy provisions are: (1) the Federal Deposit Insurance Corporation; (2) the Federal Reserve; (3) the Office of Thrift Supervision; (4) the Office of the Comptroller of the Currency; (5) the National Credit Union Administration; (6) the Securities and Exchange Commission; and (7) the Federal Trade Commission. CRS-5 Title Applies To Records Private Right of Action Civil Penalty Criminal Penalty Covered Driver's Privacy State Department of An aggrieved person may bring Actual damages (not less than $2,500), Fine for a person who Protection Act - 18 department motor vehicle a civil action for improper use, punitive damages for willful or reckless knowingly violates the law. U.S.C. § 2721. of motor records. disclosure or receipt of disregard of the law, and reasonable vehicles personal information. attorneys' fees and other litigation costs. The Attorney General may impose a civil penalty of not more than $5,000 a day for substantial noncompliance. Federal Trade Persons, Deceptive No. If the FTC finds that a practice violates the None. http://wikileaks.org/wiki/CRS-RS21229 Commission Act - 15 partner- practices and Act it may issue a cease and desist order. U.S.C. §§ 41 et seq. ships, and unfair Judicial review available. corpor- methods. Injunctive relief or penalty up to $10,000 for ations. each violation. Children's Online Commer- Personally No - State attorneys general The FTC is authorized to bring enforcement None. Privacy Protection Act cial identifiable may bring civil action on actions and impose civil penalties for - 15 U.S.C. §§ 6501et websites or information of behalf of the residents to: violations as unfair and deceptive trade acts seq. online minors. - enjoin practice or practices under the Federal Trade services - enforce compliance Commission Act. targeted at - obtain damage, restitution, children. or other compensation. Stored Wire and Elec- Anyone. Stored An aggrieved person may bring Damages equal to the loss and gain For violations committed for tronic Communications electronic suit. associated with the offense but not less than malicious and mercenary and Transactional comm- $1,000 purposes, imprisonment up to Records Access Act - 18 unications. one year and/or fine up to U.S.C. § 2701 et seq. $250,000. For lesser offenses, imprisonment of not more than six months and/or fine of not more than $5,000.