A recent federal court decision offers a detailed analysis of several theories of liability for violations of a privacy policy.  Pinero v. Jackson Hewitt Tax Service Inc., No. 08-3535, 2009 WL 43098 (E.D. La. January 7, 2009). 

Plaintiff Pinero visited Jackson Hewitt Tax Service in Louisiana to have her tax returns prepared.  During her visit, she provided Jackson Hewitt with confidential information such as her Social Security number, date of birth and driver’s license number.  Pinero signed Jackson Hewitt’s privacy policy, which stated that Jackson Hewitt had policies and procedures in place, including physical, electronic, and procedural safeguards, to protect customers’ private information.  Pinero alleged that she relied on this statement in her decision to turn over her information.

Pinero contended that sometime in early 2008, defendants disposed of her 2005 federal and state tax returns intact in a public dumpster.  An unrelated individual found Pinero’s tax returns, as well as those of over 100 other people, and alerted a local television news station.

Pinero brought a putative class action, asserting state law claims of fraud, breach of contract, negligence, invasion of privacy, violation of the Louisiana Database Security Breach Notification Law (LDSBNA) and violation of the Louisiana Unfair Trade Practices Act (LUTPA).  She also alleged that Jackson Hewitt violated 26 U.S.C. § 6103, which restricts certain disclosures of tax returns.  Pinero sought general damages for fear, panic, anxiety, sleeplessness, nightmares, embarrassment, hassle, anger, lost time, loss of consortium, and other emotional and physical distress, as well as special damages for credit monitoring, credit insurance, reimbursement for all out-of-pocket expenses related to notifying creditors of the improper disclosure, and reimbursement for all out-of-pocket expenses related to identity theft.

Jackson Hewitt moved to dismiss all claims.  Highlights of the court’s decision include:

  • dismissal of the negligence claim because the increased risk of identity theft is too speculative to qualify as actual damage;
  • dismissal of the LDSBNA claim, in part because it only applies to breaches of computerized data;
  • dismissal of the contract claim, in part because expenses related to credit monitoring to guard against future identity theft are not compensable damages;
  • dismissal of the fraud and LUTPA claims (with leave to re-plead) for failure to explain why the representations in the privacy policy were misleading, since the mere breach of those promises does not alone establish that they were fraudulent;
  • dismissal of the claim under 26 U.S.C. § 6103, since that statute only prohibits disclosure of tax returns by persons to whom access to tax returns was granted by the IRS; and
  • denial of the motion to dismiss the invasion of privacy claim, since the alleged facts supported a claim for unreasonable public disclosure of private facts.

In response to this decision, Pinero filed an amended class-action complaint, re-pleading the fraud and LUTPA claims and maintaining the invasion of privacy claim.