Search Team

Search by Last Name
Banner image

Privacy Concerns for Individuals When State Governments Release Data

February 18, 2015

Privacy Concerns for Individuals When State Governments Release Data

February 18, 2015

Home » Resources » Blogs

Recently, former Florida Governor Jeb Bush released on his website hundreds of thousands of emails sent to him while he was Governor “[i]n the spirit of transparency.”  As The Verge discovered, some of these emails included social security numbers, medical information, employment information, and other data about Florida residents.  The release of similar data by private companies has resulted in widespread litigation for failure to adequately protect consumer information.  This incident raises the question of how to incentivize state and local governments to take appropriate precautions to protect public information within their control.

Under Florida Statutes § 501.171(1)(b), a governmental entity must provide notice concerning any unauthorized leak of confidential personal information and report it to the Florida Senate and House of Representatives in an Annual Report,1 but enforcement provisions do not apply to government entities.  Additionally, there is no private right of action for affected citizens to sue the government.  The Deceptive and Unfair Trade Practices Act, Florida Statutes § 501.201 et seq., which is the mechanism used by governments to prosecute commercial enterprises when leaks occur, only applies to acts or practices in the conduct of trade or commerce.  Floridians may be able to bring a general negligence claim if they can demonstrate direct damages, but caps placed on recovery may render any recovery nominal.  And while there may be civil or criminal penalties against an individual public officer who releases a social security number, there is no effective private remedy for affected citizens.

President Obama has announced initiatives to improve security within the federal government through the new Cyber Threat Intelligence Integration Center designed to enhance federal cybersecurity; but what incites state governments and actors to adopt security measures?  And how can consumers ensure data protection without government accountability and a viable remedy?  While the FTC takes an aggressive stance litigating against private companies, there are few comparable measures to protect against data leaks by state governments, which have arguably much more information on consumers than commercial enterprises.  This mistake makes clear that human error can lead to significant security risks that even the best technology would not have prevented.

While the solution to potential state government breaches is not clear, equity, consistency, and practicality point to the adoption of some data security basic standard for all entities, both public and private.  At the least, some right of private action for affected individuals for data breaches would provide a remedy and a strong incentive for state governments to take precautions with residents’ private data.

1 Granted, here access was not technically “unauthorized” and it was more of a mistake than a “breach,” but it raises the issue of incentivizing protection of this information in non-commercial contexts.

The opinions expressed are those of the authors on the date noted above and do not necessarily reflect the views of Fish & Richardson P.C., any other of its lawyers, its clients, or any of its or their respective affiliates. This post is for general information purposes only and is not intended to be and should not be taken as legal advice. No attorney-client relationship is formed.

Related Tags


Blog Authors

Donna A. Balaguer, CIPP/US | Principal

Donna Balaguer is a principal in the Washington, D.C., office of Fish & Richardson P.C.  Ms. Balaguer previously served as an executive and in-house counsel to both entrepreneurial and major corporations. She relies on that insider perspective to provide clients with practical and realistic advice. Ms. Balaguer advises clients across...

Ed Lavergne, CIPP/US | Senior Principal

Ed Lavergne is a senior principal in the Washington, D.C., office of Fish & Richardson P.C.  He is a Certified Information Privacy Professional (CIPP-US) and an active member of the International Association of Privacy Professionals.  Mr. Lavergne advises clients on a full range of privacy and data security issues, including privacy best...