Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
49 XII. REMEDIES AT COMMON LAW FOR INVASION OF PRIVACY A. States that Recognize an Invasion of Privacy at Common Law There is an issue as to whether transit agencies in some states may be held liable in tort for an invasion of privacy for mishandling a customerâs personal data. As discussed in Section VI.B, even if an indi- vidual alleges a privacy claim at common law against a transit agency, in some states, government-owned agencies may have sovereign immunity. In their responses to the survey, five transit agencies did report that they have sovereign immunity for claims alleging a violation of a customerâs privacy rights. At least 14 states and the District of Columbia recognize a right to privacy at common law. Although New York649 and Virginia650 do not recognize a common- law right to privacy, Arkansas, Alabama, California, Delaware, the District of Columbia, Indiana, Iowa, Michigan, Minnesota, Missouri, New Jersey, South Carolina, Texas, Vermont, and Washington are among the jurisdictions that do recognize a right to privacy at common law.651 Subsection (B) grants the attorney general or a district attorney exclusive authority to bring an action either for actual damages for a violation of the act or for a civil penalty not to exceed $150,000.00 âper breach of the security of the system or series of breaches of a similar nature that are discovered in a single investigation.â642 Vermontâs statute on Protection of Personal Information that applies to all data collectors grants the attorney general, with some exceptions, âsole and full authority to investigate potential violations of this subchapter and to enforce, prose- cute, obtain, and impose remedies for a violation of this subchapterâ¦.â643 In Virginia, the attorney general âmay impose a civil penalty not to exceed $150,000 per breach of the security of the system or a series of breaches of a similar nature that are discovered in a single inves- tigation.â644 As stated, however, the section does not âlimit an individual from recovering direct economic damages from a violationâ¦.â645 The West Virginia Breach of Security of Consumer Information law provides that the attorney general has exclusive authority to bring an action, no civil penalty may be assessed unless the court finds that the defendant has engaged in a course of repeated and willful violations of article 2A, and no civil penalty may exceed $150,000 âper breach of security of the system or series of breaches of a similar nature that are discovered in a single investigation.â646 F. Miscellaneous Provisions Nevadaâs statute on the Security of Personal Information provides for a right of action by the data collector, rather than for a right of action against the data collector.647 The Wisconsin statute provides only that when there is an unauthorized acquisition of personal information, the â[f]ailure to comply with this section is not negligence or a breach of any duty, but may be evidence of negligence or a breach of a legal duty.â648 642 okla. stat. § 24-165(B) (2016). 643 vt. stat. tit. 9, § 2435(g)(1) (2016). 644 va. coDe § 18.2-186.6(I) (2016). 645 Id. 646 W. va. coDe § 46A-2A-104(b) (2016) (emphasis supplied). 647 nev. rev. stat. § 603A.900 (2016) (stating that â[a] data collector that provides the notification required pursu- ant to nev. rev. stat. § 603A.220 may commence an action for damages against a person that unlawfully obtained or benefited from personal information obtained from records maintained by the data collectorâ and recover damages, reasonable costs of notification, reasonable attorneyâs fees and costs, and punitive damages when appropriateâ). 648 wis. stat. § 134.98(4) (2016). 649 See Burck v. Mars, Inc., 571 F. Supp. 2d 446, 450 (S.D.N.Y. 2008). Although New York does not have a common-law right to privacy, there is a statutory right to privacy against commercial appropriation. See also Lohan v. Perez, 924 F. Supp. 2d 447, 453 (E.D.N.Y. 2013); Allison v. Clos-Ette Too, 2014 U.S. Dist. LEXIS 143517, at *1 (S.D.N.Y. Sept. 15, 2014), report and recommendation adopted sub nom., 2014 U.S. Dist. LEXIS 143066, at *1 (S.D.N.Y. Oct. 7, 2014); and Hunt v. Conroy, 2014 U.S. Dist. LEXIS 52305, at *1 (N.D.N.Y. Apr. 16, 2014). 650 Wiest v. E-Fense, Inc., 35 F. Supp. 2d 604, 612 (E.D. Va. 2005). 651 See Phillips v. Smalley Maintenance Services, Inc., 711 F.2d 1524, 1533 (1983) (âSince 1948, beginning with the case of Smith v. Doss, 251 Ala. 250, 37 So. 2d 118 (1948), Alabama has recognized the tort of âinvasion of the right to privacy.ââ); Milam v. Bank of Cabot, 327 Ark. 256, 937 S.W.2d 653 (Ark. 1997); Metter v. L.A. Examiner, 35 Cal. App. 2d 304, 95 P.2d 491 (Cal. App. 1939); Peay v. Curtis Publishing Co., 78 F. Supp. 305 (D.D.C. 1948); State v. Holden, 54 A.3d 1123 (Del. Super. Ct. 2010); Davis v. General Finance & Thrift Corp., 80 Ga. App. 708, 57 S.E.2d 225 (Ga. App. 1950); Continental Optical Co. v. Reed, 119 Ind. App. 643, 86 N.E.2d 306 (Ind. App. 1949); Bremmer v. Journal-Tribune Publishing Co., 247 Iowa 817, 76 N.W.2d 762 (1956); Tate v. Womanâs Hops. Found., 56 So. 3d 194 (La. 2011); Dalley v. Dykema Gossett, PLLC, 287 Mich. App. 296, 788 N.W.2d 679, 686 (Mich. Ct. App. 2010) (quoting Lewis v. LeGrow, 258 Mich. App. 175, 670 N.W.2d 675 (2003)); Meyerkord v. Zipantoni Co., 276 S.W.3d 319 (Mo. App. 2008); Frey v. Dixon, 141 N.J. Eq. 481, 58 A.2d 86 (N.J. Ch. 1948); Holloman v. Life Ins. Co., 192 S.C. 454, 7 S.E.2d 169 (1940); Russell v. Am. Real Estate Corp., 89 S.W.3d 204 (Tex. App. 2002); Pion v. Bean, 2003 VT 79, 833 A.2d 1248 (Vt. 2003); and Mayer v. Huesner, 126 Wash. App. 114, 107 P.3d 152 (2005).
50 all states that allow a claim for invasion of privacy recognize all four types of claims. B. Public Disclosure of Private Facts The disclosure of private facts when a disclosure would be offensive and objectionable to a reasonable person may give rise to an action in tort for an invasion of privacy.657 Although a violation of the right to privacy may create a cause of action, a plaintiff must satisfy the required elements of the tort to maintain a claim.658 Although some states recognize âthe tort of invasion of privacy based on [an] unreasonable public disclosure of private facts,â659 it appears that most jurisdictions require that a disclosure of personal information must have been made to the general public, âusually through the media.â660 For a claim to be actionable, the disclo- sure has to have revealed, for instance, ââunpleasant or disgraceful or humiliating illnessesâ or âhidden physical or psychiatric problems.ââ661 In Yunker, supra, the court also dismissed the plaintiffâs claims for public disclo- sure of private facts and intrusion upon seclusion, discussed in the following section, because Pandoraâs disclosure or use of his PII was not âoffensive or objec- tionable to a reasonable person or highly offensive.â662 In Lake v. Wal-Mart Stores, Inc.,663 which concerned the publication of nude photos by Wal-Mart employ- ees, the court stated: Lake and Weber allege in their complaint that a photograph of their nude bodies has been publicized. Oneâs naked body is a very private part of oneâs person and generally known to others only by choice. This is a type of privacy interest worthy of protection. Therefore, without consideration of the merits of Lake and Weberâs claims, we recognize the torts of intrusion upon seclusion, appropriation, and Some courts have adopted the Restatement (Second) of Torts as the basis for an action for an invasion of privacy.652 Michigan courts, which have âlong recognized the common law tort of invasion of privacy,â653 have relied on William Prosserâs four bases on which a claim in tort may be made for an invasion of privacy: (1) the intrusion upon anotherâs seclusion or solitude, or into anotherâs private affairs; (2) a public disclosure of private facts about the individual; (3) publicity that places someone in a false light in the public eye; and (4) the appropriation of anotherâs likeness for the defendantâs advantage.654 For a common-law privacy claim, the defendantâs conduct must have been intentional, as mere negli- gence ordinarily will not suffice. Moreover, in some states a violation of privacy must have been the result of âwillful or outrageousâ conduct. For example, a federal court in California dismissed a plaintiffâs privacy claim in part because there was no showing that the defendantâs disclosure of the plaintiffâs data was ââsufficiently serious in its nature, scope, and actual or potential impact to constitute an egregious breach of the social norms underlying the privacy right.ââ655 There are four potential bases for a claim in tort for an invasion of privacy that may apply to an unauthorized use or disclosure of personal data: public disclosure of private facts, intrusion upon seclusion, misappropriation, and false light.656 Not 652 Eric S. Pasternack, HIPAA in the Age of Electronic Health Records, 41 rutgers L.J. 817, 831 (2010), hereinaf- ter referred to as âPasternackâ (citing Thomas J. Smeding- hoff, The Emerging Law of Data Security: A Focus on the Key Legal Trends, 934 Practising law institute 13, 22 (2008)). See Dwyer v. Am. Express Co., 273 Ill. App. 3d 742, 652 N.E.2d 1351 (Ill. App. 1995) (holding that based on the Restatement (Second), a credit card issuerâs compilation of a customerâs personal information and dissemination of customer lists to third parties was not a breach of pri- vacy), appeal denied, 165 Ill. 2d 549, 165 Ill. 549, 662 N.E.2d 423 (1996)), and Lewis v. LeGrow, 258 Mich. App. 175, 188, 670 N.W.2d 675, 685 (Mich. Ct. App. 2003) (stat- ing that â[t]he Legislature has not defined what consti- tutes an invasion of privacy, but when interpreted in light of the common-law right to privacy, it is clear that it includes keeping sexual relations privateâ). 653 Dalley v. Dykema Gossett, PLLC, 287 Mich. App. 296, 788 N.W.2d 679, 686 (Mich. Ct. App. 2010) (citing Lewis v. LeGrow, 258 Mich. App. 175, 670 N.W.2d 675 (2003)). 654 Lewis v. LeGrow, 258 Mich. App. at 193, 670 N.W.2d at 687 (citing William Prosser, Privacy, 48 cal. l. rev. 383, 389 (1960)). See also Ross v. Trumbull County, 2001 Ohio App. LEXIS 495, at *1 (Ohio Ct. App. 2001). 655 Yunker, 2013 U.S. Dist. LEXIS 42691, at *40â41 (cita- tion omitted). 656 Restatement (3d) of Torts. See Martha Tucker Ayres, Confidentiality and Disclosure of Health Information in Arkansas, 64 ark. l. rev. 969, 994 (2011) (footnote omit- ted), hereinafter referred to as âAyres.â 657 Opperman v. Path, 2014 U.S. Dist. LEXIS 67225, at *98 (N.D. Cal. 2014). 658 Ruffin-Steinback v. De Passe, 82 F. Supp. 2d 723, 734 (E.D. Mich. 2000), and Rycroft v. Gaddy, 281 S.C. 119, 124, 314 S. E.2d 39, 43 (S.C. App. 1984). 659 Joy L. Pritts, Altered States: State Health Privacy Laws and the Impact of the Federal Health Privacy Rule, 2 yale J. health Polây l. & ethics 327, 331 (2002), hereinaf- ter referred to as âPrittsâ (citing, e.g., Ozer v. Borquez, 940 P.2d 371, 377 (Colo. 1997) (stating that â[t]he requirement of public disclosure connotes publicity, which requires com- munication to the public in general or to a large number of persons, as distinguished from one individual or a fewâ), and Lake v. Wal-Mart Stores Inc., 582 N.W.2d 231, 235 (Minn. 1998) (establishing the common-law right to pri- vacy in Minnesota, including the torts of âintrusion upon seclusion, appropriation, and publication of private factsâ). 660 Ayres, supra note 656, at 995 (stating that a recovery in tort for an invasion of privacy is limited as the disclo- sure or communication must be âto the public at largeâ); see Pritts, supra note 659, at 331. 661 Pasternack, supra note 652, at 833 (citation omitted). 662 Yunker, 2013 U.S. Dist. LEXIS 42691, at *45. 663 582 N.W.2d 231, 235 (Minn. 1998).
51 intrusion claim cannot exist when âa defendant legitimately obtains information from a plaintiff.â672 An intentional disclosure of a customerâs personal data may state a claim in those states that recognize the common law tort of intrusion into seclusion. There is authority, however, that the disclosure of personal information, such as SSNs and similar PII, does not state a claim because the data are not embarrassing or highly offensive. For example, a New York case involved Section 202(4)(a) of the New York Vehicle and Traffic Law, pursuant to which the commissioner has the âdiscretion to contract with the highest respon- sible bidder or bidders to furnishâ certain registration information for the period specified in the statute.673 Subsection (4)(b) required the commissioner to ânotify each vehicle registrant that the registration informa- tion specified in paragraph (a) of this subdivision has been or will be furnished to the contracting party.â674 In Lamont v. Commissioner,675 decided prior to Congressâs enactment of the DPPA, supra, a federal court in New York held that the Stateâs sale of vehicle registration lists to a contractor that used the infor- mation to compile directories was not an invasion of privacy because the information was not âvital or inti- mate.â676 According to the court, as of the date of the Lamont case, 18 other states had similar statutes.677 One issue for an intrusion claim is whether a disclosure is sufficiently offensive. In Cooney v. Chicago Public Schools, involving a firmâs disclosure of personal information on former Chicago Public School employees, the court, in ruling that there were no actionable claims, drew a distinction between personal information and private informa- tion. Names and SSNs are personal information, but the court held that their disclosure was not âfacially embarrassing and highly offensiveâ¦.â678 One case was located for the digest in which the court held that the complaint stated a claim against the Secretary of NCDOT for intrusion into seclusion, a tort that North Carolina recognizes. In Toomer v. Garrett,679 supra, the plaintiff alleged that the secre- tary disclosed and distributed the contents of Toomerâs publication of private facts. Accordingly, we reverse the court of appeals and the district court and hold that Lake and Weber have stated a claim upon which relief may be granted and their lawsuit may proceed.664 A tort action for public disclosure of private facts is unlikely to succeed, however, if any injury from a disclosure is minimal.665 C. Intrusion Upon Seclusion A second cause of action for an invasion of privacy for disclosing personal data is for intrusion upon seclusion. The tort of intrusion upon seclusion does not require a showing that a disclosure was made to the general public.666 In an Arkansas case, the court observed that the tort of intrusion requires âspecific intrusive action as opposed to disclosing private information.â667 In California, there must be proof of an âintrusion into a private place, conversation or matterâ¦in a manner highly offensive to a reason- able person.â668 In Rhoades v. PennâHarrisâMadison School Corporation,669 a federal court in Indiana held that an intrusion claim requires physical contact or an invasion of a plaintiff âs physical space.670 In Watkins v. Cornell Companies, Inc., a case in which the plaintiffs sued for intrusion upon seclu- sion but knew they were being filmed, a federal court in Texas held that [i]ntrusion on seclusion requires proof of (1) an intentional intrusion, physically or otherwise, upon anotherâs solitude, seclusion, or private affairs or concerns, which (2) would be highly offensive to a reasonable person. â¦Liability does not turn on publication of any kind. The core of the tort of invasion of privacy is the offense of prying into the private domain of another, not the publicity that may result from such prying.671 As discussed in Section II, transit customers have expressly or impliedly agreed to the collection of their personal data and/or have been informed of a transit agencyâs practices in the agencyâs notice of privacy practices. Under Pennsylvania law, an 664 Id. 665 Pasternack, supra note 652, at 833 (footnote omitted). 666 See Restatement (Second) § 652(B). See also Reid v. Pierce County, 136 Wash. 2d 195, 206, 961 P.2d 333, 339â 40 (1998). 667 Dunbar v. Cox Health Alliance, LLC, 446 B.R. 306, 313â314, 2011 Bankr. LEXIS 812 (E.D. Ark. 2011). 668 Grant v. United States, 2011 U.S. Dist. LEXIS 61833, at *1, 20 (E.D. Cal. 2011) (citing cal. civ. coDe § 47(b)), adopted by, claim dismissed, 2011 U.S. Dist. LEXIS 78119, at *1 (E.D. Cal. 2011)). 669 574 F. Supp. 2d 888 (N.D. Ind. 2008). 670 Rhoades, 574 F. Supp. 2d at 907â908 N 3. 671 2013 U.S. Dist. LEXIS 66376, at *1, 21â22 (N.D. Tex. 2013) (citations omitted) (internal quotation marks omitted) (emphasis supplied), adopted by, summary judgment granted, 2013 U.S. Dist. LEXIS 65969, at *1 (N.D. Tex. 2013). 672 Steinberg v. CVS Caremark Corp., 899 F. Supp. 2d 331, 342â343 (E.D. Pa. 2012). 673 N.Y. veh. & traf. law § 202(4)(a)). 674 N.Y. veh. & traf. law § 202(4)(b)). 675 269 F. Supp. 880 (S.D.N.Y. 1967), affâd, 386 F.2d 449 (2d Cir. 1967), cert. denied, 391 U.S. 915, 20 L. Ed. 2d 654, 88 S. Ct. 1811 (1968). 676 Lamont, 269 F. Supp. at 883. 677 Id. (citations omitted). 678 Cooney v. Chicago Pub. Schs., 407 Ill. App. 3d 358, 367, 943 N.E.2d 23, 32 (2010), appeal denied, 2011 Ill. LEXIS 628, at *1 (Ill. 2011). 679 155 N.C. App. 462, 574 S.E.2d 76 (N.C. App. 2002), review denied, appeal dismissed, 2003 N.C. LEXIS 402, at *1 (N.C., Mar. 27, 2003).
