Remedies for the Improper Disclosure of Personal Information

This report provides an overview of the available remedies in selected federal privacy laws. This report will be updated as events warrant.

Order Code RS21229 Updated July 8, 2002 CRS Report for Congress Received through the CRS Web Remedies for the Improper Disclosure of Personal Information name redacted Legislative Attorney American Law Division Summary This report provides an overview of the available remedies in selected federal privacy laws. This report will be updated as events warrant. Applicable federal statutes provide a wide array of remedies for improper disclosure of certain personal information. Some provide criminal penalties including fines ranging from $5,000 to $250,000 and/or imprisonment from 6 months to 10 years depending on whether the violation was committed under false pretenses or for commercial advantage, personal gain or malicious harm. Other statutes provide private rights of action for aggrieved individuals and award actual damages, compensatory damages and punitive damages for willful, intentional or knowing violations. Other statutes provide that State attorneys general may bring civil actions on behalf of the residents of a state. A few of the privacy statutes do not provide for private or state rights of action. Instead, other agencies, such as the Federal Trade Commission (FTC) are charged with enforcement. In these instances, the FTC is authorized to bring enforcement actions and impose civil penalties for violations as unfair and deceptive trade acts or practices under the Federal Trade Commission Act.1 1 15 U.S.C. §§ 41 et seq. Congressional Research Service ˜ The Library of Congress CRS-2 Title Applies To Records Covered Private Right of Action Civil Penalty Criminal Penalty Fair Credit Reporting Act of 1970 - 15 U.S.C. §§ 1681 et seq. Consumer reporting agencies. Consumer credit reports. An aggrieved consumer may file suit within two years from the date on which liability arises for impermissible disclosure, use or receipt of a consumer credit report.2 Actual damages of not less than $100 and not more than $1,000, punitive damages for willful noncompliance, litigation costs and attorney fees. For negligent noncompliance, actual damages and litigation costs and attorney fees. Under false pretenses, defendant shall be liable to the consumer reporting agency for the greater of actual damages or $1,000. Under false pretenses, a defendant is subject to a fine, imprisonment for not more than 2 years, or both. Video Privacy Protection Act of 1988 18 U.S.C. § 2710. Videotape service providers. Video rental records. An aggrieved person may bring suit within two years from the discovery of the alleged violations for impermissible disclosure of personally identifiable information. Actual damages (not less than $2,500), punitive damages, litigation costs and attorney fees. None. Right to Financial Privacy Act of 1978 12 U.S.C. §§ 3401 et seq. Financial Institutions. Financial records. An aggrieved customer may bring suit within three years after discovery of impermissible disclosure to a government authority. Actual damages, punitive damages for willful or intentional disclosure, litigation costs and attorney fees. None. Telephone Consumer Protection Act - 47 U.S.C. § 227. Telemarketers. Unsolicited telephone calls. An aggrieved person or entity may bring suit. State attorneys general may bring civil action. The greater of actual damages or $500 for each violation. For willful or knowing violations, the court may award up to treble damages. None. 2 See TRW v. Andrews, 122 S. Ct. 441 (2001) (holding that the statute of limitations begins to run when inaccurate disclosures occur, and not when the victim learns of the disclosures). CRS-3 Title Applies To Records Covered Private Right of Action Civil Penalty Criminal Penalty Privacy Act of 19745 U.S.C. § 552a. Federal agencies. Individually identifiable federal agency records. An aggrieved individual must bring suit within two years after discovery of impermissible disclosure. Actual damages (not less than $1,000), litigation costs and attorney fees. For willful disclosure, misdemeanor offense and fine of not more than $5,000. Family Educational Rights and Privacy Act - 20 U.S.C. § 1232g. Educational institutions receiving federal funds. Student records. No.3 None. An institution with a policy or practice of improper disclosure shall lose federal funds. None. Health Insurance Portability & Accountability Act - 42 U.S.C. §§ 1320d et seq. Health plans, health care providers and clearinghouses. Individually identifiable health information. No. Individuals have the right to file a formal complaint with a covered provider or health plan, or with the Department of Health and Human Services. None. For simple violations, fine up to $50,000 and/or imprisonment of up to one year. For violations committed under false pretenses, fine up to $100,000 and/or imprisonment up to 5 years. For offenses committed for commercial advantage, personal gain, or malicious harm, fine up to $250,000 and/or imprisonment up to 10 years. Cable Communication Policy Act of 1984 - 47 U.S.C. § 551. Cable television service providers. Cable television subscriber records. Any person aggrieved may bring a civil action for improper disclosure of personally identifiable information. Actual damages (but not less than liquidated damages computed at the rate of $100 a day or $1,000, whichever is higher), punitive damages, litigation costs and attorney fees. None. 3 In Gonzaga v. Doe, the United States Supreme Court held that FERPA provisions create no personal rights to enforce under 42 U.S.C.§ 1983. No. 01-679, slip op. at 3-15 (June 20, 2002). CRS-4 Title Applies To Records Covered Private Right of Action Civil Penalty Criminal Penalty Telecommunications Act of 1996 - 47 U.S.C. § 222. Telecommunications carriers. Consumer proprietary network information. No express private right of action.4 FTC authorized to bring enforcement actions and impose civil penalties for violations as unfair and deceptive trade acts or practices under the Federal Trade Commission Act. None. Electronic Communications Privacy Act of 1986 18 U.S.C. §§ 2510-2522. Providers of electronic communications service. Telecommunications, emails and stored computer data. An aggrieved individual may bring a civil action within two years of discovery of improper interception or disclosure of wire, oral, or electronic communications. Actual damages (not less than $1,000), punitive damages for knowing or intentional noncompliance, litigation costs and attorney fees. Fine up to $250,000 for individuals and $500,000 for organizations, imprisonment of not more than five years or both. Computer Fraud and Abuse Act - 18 U.S.C. § 1030 Anyone. Computers in which there is a federal interest. An aggrieved person may bring suit within two years after violation occurs or discovery of the damage. Compensatory damages and injunctive relief. Damages are limited to economic damages. For simple violations , imprisonment up to one year and/or fine. For violations for gain or involving more than $5,000, imprisonment up to five years and/or fine. For repeat offenders, imprisonment up to 10 years and/or fine. Gramm-Leach-Bliley Act - 15 U.S.C. §§ 68016809. Financial institutions Non-public personal financial records. No. Consumers can complain to one of the seven federal agencies that have jurisdiction and enforcement authority over financial institutions.5 FTC authorized to bring enforcement actions and impose civil penalties for violations as unfair and deceptive trade acts or practices under the Federal Trade Commission Act. Fine, imprisonment for not more than 5 years, or both. Enhanced penalties for aggravated cases. 4 See, Conboy v. AT&T Corp., 241 F.3d 242,251 (2d Cir. 2001)(finding that Section 222 of the Act did not provide for the recovery of presumed , or “statutory,” damages). 5 The seven federal agencies which enforce the privacy provisions are: (1) the Federal Deposit Insurance Corporation; (2) the Federal Reserve; (3) the Office of Thrift Supervision; (4) the Office of the Comptroller of the Currency; (5) the National Credit Union Administration; (6) the Securities and Exchange Commission; and (7) the Federal Trade Commission. CRS-5 Title Applies To Records Covered Private Right of Action Civil Penalty Criminal Penalty Driver’s Privacy Protection Act - 18 U.S.C. § 2721. State department of motor vehicles Department of motor vehicle records. An aggrieved person may bring a civil action for improper use, disclosure or receipt of personal information. Actual damages (not less than $2,500), punitive damages for willful or reckless disregard of the law, and reasonable attorneys’ fees and other litigation costs. The Attorney General may impose a civil penalty of not more than $5,000 a day for substantial noncompliance. Fine for a person who knowingly violates the law. Federal Trade Commission Act - 15 U.S.C. §§ 41 et seq. Persons, partnerships, and corporations. Deceptive practices and unfair methods. No. If the FTC finds that a practice violates the Act it may issue a cease and desist order. Judicial review available. Injunctive relief or penalty up to $10,000 for each violation. None. Children’s Online Privacy Protection Act - 15 U.S.C. §§ 6501et seq. Commercial websites or online services targeted at children. Personally identifiable information of minors. No - State attorneys general may bring civil action on behalf of the residents to: - enjoin practice - enforce compliance - obtain damage, restitution, or other compensation. The FTC is authorized to bring enforcement actions and impose civil penalties for violations as unfair and deceptive trade acts or practices under the Federal Trade Commission Act. None. Stored Wire and Electronic Communications and Transactional Records Access Act - 18 U.S.C. § 2701 et seq. Anyone. Stored electronic communications. An aggrieved person may bring suit. Damages equal to the loss and gain associated with the offense but not less than $1,000 For violations committed for malicious and mercenary purposes, imprisonment up to one year and/or fine up to $250,000. For lesser offenses, imprisonment of not more than six months and/or fine of not more than $5,000. EveryCRSReport.com The Congressional Research Service (CRS) is a federal legislative branch agency, housed inside the Library of Congress, charged with providing the United States Congress non-partisan advice on issues that may come before Congress. EveryCRSReport.com republishes CRS reports that are available to all Congressional staff. The reports are not classified, and Members of Congress routinely make individual reports available to the public. Prior to our republication, we redacted names, phone numbers and email addresses of analysts who produced the reports. We also added this page to the report. We have not intentionally made any other changes to any report published on EveryCRSReport.com. CRS reports, as a work of the United States government, are not subject to copyright protection in the United States. Any CRS report may be reproduced and distributed in its entirety without permission from CRS. However, as a CRS report may include copyrighted images or material from a third party, you may need to obtain permission of the copyright holder if you wish to copy or otherwise use copyrighted material. Information in a CRS report should not be relied upon for purposes other than public understanding of information that has been provided by CRS to members of Congress in connection with CRS' institutional role. EveryCRSReport.com is not a government website and is not affiliated with CRS. We do not claim copyright on any CRS report we have republished.