Remedies for the Improper Disclosure of Personal Information

CRS Report for Congress
Remedies for the Improper Disclosure of
Personal Information
Alison M. Smith
Legislative Attorney
American Law Division
This report provides an overview of the available remedies in selected federal
privacy laws. This report will be updated as events warrant.
Applicable federal statutes provide a wide array of remedies for improper disclosure
of certain personal information. Some provide criminal penalties including fines ranging
from $5,000 to $250,000 and/or imprisonment from 6 months to 10 years depending on
whether the violation was committed under false pretenses or for commercial advantage,
personal gain or malicious harm. Other statutes provide private rights of action for
aggrieved individuals and award actual damages, compensatory damages and punitive
damages for willful, intentional or knowing violations. Other statutes provide that State
attorneys general may bring civil actions on behalf of the residents of a state. A few of
the privacy statutes do not provide for private or state rights of action. Instead, other
agencies, such as the Federal Trade Commission (FTC) are charged with enforcement.
In these instances, the FTC is authorized to bring enforcement actions and impose civil
penalties for violations as unfair and deceptive trade acts or practices under the Federal
Trade Commission Act.1

1 15 U.S.C. §§ 41 et seq.
Congressional Research Service ˜ The Library of Congress

tleApplies ToRecordsPrivate Right of ActionCivil PenaltyCriminal Penalty
ir Credit ReportingConsumerConsumerAn aggrieved consumer mayActual damages of not less than $100 andUnder false pretenses, a
t of 1970 - 15 U.S.C.reportingcredit reports.file suit within two years fromnot more than $1,000, punitive damages fordefendant is subject to a fine,
et seq.agencies. the date on which liabilitywillful noncompliance, litigation costs andimprisonment for not more
arises for impermissibleattorney fees. For negligent noncompliance,than 2 years, or both.
disclosure, use or receipt of a2actual damages and litigation costs and
consumer credit fees. Under false pretenses,
defendant shall be liable to the consumer
reporting agency for the greater of actual
damages or $1,000.
deo PrivacyVideotapeVideo rentalAn aggrieved person may bringActual damages (not less than $2,500),None.
iki/CRS-RS21229on Act of 1988 -.S.C. § 2710.serviceproviders.records.suit within two years from thediscovery of the allegedpunitive damages, litigation costs andattorney fees.
g/wviolations for impermissible
s.ordisclosure of personally
leakidentifiable information.
://wikight to FinancialFinancialFinancialAn aggrieved customer mayActual damages, punitive damages forNone.
httpvacy Act of 1978 -Institutions. records.bring suit within three yearswillful or intentional disclosure, litigation
.S.C. §§ 3401 etafter discovery ofcosts and attorney fees.
q.impermissible disclosure to a
government authority.
ne ConsumerTele-UnsolicitedAn aggrieved person or entityThe greater of actual damages or $500 forNone.

- 47marketers.telephonemay bring suit. State attorneyseach violation. For willful or knowing
S.C. § 227.calls.general may bring civil action.violations, the court may award up to treble
2 See TRW v. Andrews, 122 S. Ct. 441 (2001) (holding that the statute of limitations begins to run when inaccurate disclosures occur, and
not when the victim learns of the disclosures).

tleApplies ToRecordsPrivate Right of ActionCivil PenaltyCriminal Penalty
vacy Act of 1974- FederalIndividuallyAn aggrieved individual mustActual damages (not less than $1,000),For willful disclosure,
.S.C. § 552a.agencies.identifiablebring suit within two yearslitigation costs and attorney fees.misdemeanor offense and fine
federal agencyafter discovery ofof not more than $5,000.
records.impermissible disclosure.
mily EducationalEducationalStudentNo.3None. An institution with a policy orNone.
ghts and Privacy Actinstitutionsrecords.practice of improper disclosure shall lose
.S.C. § 1232g.receivingfederal funds.
fe d e r a l
fund s.
alth InsuranceHealthIndividuallyNo. Individuals have the rightNone.For simple violations, fine up
rtability &plans,identifiableto file a formal complaint withto $50,000 and/or
iki/CRS-RS21229untability Act - 42health carehealtha covered provider or healthimprisonment of up to one
g/wS.C. §§ 1320d et seq.providersinformation.plan, or with the Department ofyear. For violations committed
s.orandHealth and Human Services.under false pretenses, fine up
leakclearing-to $100,000 and/or
houses.imprisonment up to 5 years.
://wikiFor offenses committed for
httpcommercial advantage,
personal gain, or malicious
harm, fine up to $250,000
and/or imprisonment up to 10
ble CommunicationCableCableAny person aggrieved mayActual damages (but not less than liquidatedNone.

icy Act of 1984 - 47televisiontelevisionbring a civil action fordamages computed at the rate of $100 a day
S.C. § 551.servicesubscriberimproper disclosure ofor $1,000, whichever is higher), punitive
providers.records.personally identifiabledamages, litigation costs and attorney fees.
info r matio n.
3 In Gonzaga v. Doe, the United States Supreme Court held that FERPA provisions create no personal rights to enforce under 42 U.S.C.§

1983. No. 01-679, slip op. at 3-15 (June 20, 2002).

tleApplies ToRecordsPrivate Right of ActionCivil PenaltyCriminal Penalty
lecommunicationsTelecomm-ConsumerNo express private right of4FTC authorized to bring enforcement actionsNone.
t of 1996 - 47 U.S.C.unicationsproprietaryaction.and impose civil penalties for violations as infor-unfair and deceptive trade acts or practices
mation.under the Federal Trade Commission Act.
ectronicProvidersTelecomm-An aggrieved individual mayActual damages (not less than $1,000),Fine up to $250,000 for
mmunicationsofunications, e-bring a civil action within twopunitive damages for knowing or intentionalindividuals and $500,000 for
vacy Act of 1986 -electronicmails andyears of discovery of impropernoncompliance, litigation costs and attorneyorganizations, imprisonment of
.S.C. §§ 2510-2522.comm-storedinterception or disclosure offees.not more than five years or
unicationscomputer data.wire, oral, or electronicboth.
service. c o mmuni c a t i o ns.
mputer Fraud andAnyone.Computers inAn aggrieved person may bringCompensatory damages and injunctiveFor simple violations ,
iki/CRS-RS21229 - 18 U.S.C. §which there issuit within two years afterrelief. Damages are limited to economicimprisonment up to one year
g/wa federalviolation occurs or discoverydamages.and/or fine. For violations for
s.orinterest.of the damage.gain or involving more than
leak$5,000, imprisonment up to
five years and/or fine. For
://wikirepeat offenders, imprisonment
httpup to 10 years and/or fine.
amm-Leach-BlileyFinancialNon-publicNo. Consumers can complainFTC authorized to bring enforcement actionsFine, imprisonment for not
- 15 U.S.C. §§ 6801-institutionspersonalto one of the seven federaland impose civil penalties for violations asmore than 5 years, or both.
financialagencies that have jurisdictionunfair and deceptive trade acts or practicesEnhanced penalties for
records.and enforcement authority over5under the Federal Trade Commission Act.aggravated cases.

financial institutions.
4 See, Conboy v. AT&T Corp., 241 F.3d 242,251 (2d Cir. 2001)(finding that Section 222 of the Act did not provide for the recovery of
presumed , or “statutory,” damages).
5 The seven federal agencies which enforce the privacy provisions are: (1) the Federal Deposit Insurance Corporation; (2) the Federal
Reserve; (3) the Office of Thrift Supervision; (4) the Office of the Comptroller of the Currency; (5) the National Credit Union
Administration; (6) the Securities and Exchange Commission; and (7) the Federal Trade Commission.

tleApplies ToRecordsPrivate Right of ActionCivil PenaltyCriminal Penalty
PrivacyStateDepartment ofAn aggrieved person may bringActual damages (not less than $2,500),Fine for a person who
- 18departmentmotor vehiclea civil action for improper use,punitive damages for willful or recklessknowingly violates the law.
S.C. § 2721.of motorrecords.disclosure or receipt ofdisregard of the law, and reasonable
vehiclespersonal information. attorneys’ fees and other litigation costs.
The Attorney General may impose a civil
penalty of not more than $5,000 a day for
substantial noncompliance.
radePersons,DeceptiveNo.If the FTC finds that a practice violates theNone.
mmission Act - 15partner-practices andAct it may issue a cease and desist order.
S.C. §§ 41 et seq. ships, andunfairJudicial review available.
corpor-methods.Injunctive relief or penalty up to $10,000 for
iki/CRS-RS21229ations.each violation.
g/ws OnlineCommer-PersonallyNo - State attorneys generalThe FTC is authorized to bring enforcementNone.
s.orvacy Protection Actcialidentifiablemay bring civil action onactions and impose civil penalties for
leak.S.C. §§ 6501etwebsites orinformation ofbehalf of the residents to: violations as unfair and deceptive trade acts
q.onlineminors. - enjoin practiceor practices under the Federal Trade
://wikiservices - enforce complianceCommission Act.
httptargeted at - obtain damage, restitution,
children.or other compensation.
lec-Anyone.StoredAn aggrieved person may bringDamages equal to the loss and gainFor violations committed for
ic Communicationselectronicsuit.associated with the offense but not less thanmalicious and mercenary
nsactionalcomm-$1,000purposes, imprisonment up to
Access Act - year and/or fine up to
S.C. § 2701 et seq.$250,000. For lesser offenses,
imprisonment of not more than
six months and/or fine of not
more than $5,000.