Privacy Concerns for Individuals When State Governments Release Data

Recently, former Florida Governor Jeb Bush released on his website hundreds of thousands of emails sent to him while he was Governor "[i]n the spirit of transparency." As The Verge discovered, some of these emails included social security numbers, medical information, employment information, and other data about Florida residents. The release of similar data by private companies has resulted in widespread litigation for failure to adequately protect consumer information. This incident raises the question of how to incentivize state and local governments to take appropriate precautions to protect public information within their control.

Under Florida Statutes § 501.171(1)(b), a governmental entity must provide notice concerning any unauthorized leak of confidential personal information and report it to the Florida Senate and House of Representatives in an Annual Report,¹ but enforcement provisions do not apply to government entities. Additionally, there is no private right of action for affected citizens to sue the government. The Deceptive and Unfair Trade Practices Act, Florida Statutes § 501.201 et seq., which is the mechanism used by governments to prosecute commercial enterprises when leaks occur, only applies to acts or practices in the conduct of trade or commerce. Floridians may be able to bring a general negligence claim if they can demonstrate direct damages, but caps placed on recovery may render any recovery nominal. And while there may be civil or criminal penalties against an individual public officer who releases a social security number, there is no effective private remedy for affected citizens.

President Obama has announced initiatives to improve security within the federal government through the new Cyber Threat Intelligence Integration Center designed to enhance federal cybersecurity; but what incites state governments and actors to adopt security measures? And how can consumers ensure data protection without government accountability and a viable remedy? While the FTC takes an aggressive stance litigating against private companies, there are few comparable measures to protect against data leaks by state governments, which have arguably much more information on consumers than commercial enterprises. This mistake makes clear that human error can lead to significant security risks that even the best technology would not have prevented.

While the solution to potential state government breaches is not clear, equity, consistency, and practicality point to the adoption of some data security basic standard for all entities, both public and private. At the least, some right of private action for affected individuals for data breaches would provide a remedy and a strong incentive for state governments to take precautions with residents' private data.

¹ Granted, here access was not technically "unauthorized" and it was more of a mistake than a "breach," but it raises the issue of incentivizing protection of this information in non-commercial contexts.