Summary
holding that allegations that the Office of Inspector General "repeatedly informed" the agency of problems with its information security pled "intentional and willful" conduct
Summary of this case from In re U.S. Office of Pers. Mgmt. Data Sec. Breach Litig.Opinion
Civil Action No. 07-00855 (HHK).
March 31, 2008.
Mark D. Roth, Charles Arthur Hobbie, American Federation Of Government Employees, Washington, DC, for Plaintiffs.
Jacqueline E. Coleman, U.S. Department of Justice, Washington, DC, for Defendants.
MEMORANDUM OPINION
Plaintiffs, four transportation security officers employed by the Transportation Security Administration ("TSA") and the unions that represent them, bring this action against defendants TSA, Kip Hawley in his capacity as Administrator of the TSA, the Department of Homeland Security ("DHS"), and Michael Chertoff in his capacity as Secretary of the DHS. Plaintiffs allege that defendants violated the Aviation and Transportation Security Act ("ATSA"), 49 U.S.C. §§ 44901 and 44935, and the Privacy Act, 5 U.S.C. § 552a, by failing to establish appropriate safeguards to insure the security and confidentiality of personnel records.
Before the court is defendants' motion to dismiss [#3]. Upon consideration of the motion, defendants' opposition thereto, and the record of this case, the court concludes that the defendants' motion should be granted in part and denied in part.
I. BACKGROUND
On May 3, 2007, TSA discovered that a hard drive was "missing from a controlled area at the TSA Headquarters Office of Human Capital." Compl. ¶¶ 28 — 29. The hard drive contained personnel data for approximately 100,000 individuals employed by TSA between January 2002 and August 2005, including names, social security numbers, birth dates, payroll information, financial allotments, and bank account and routing information. Compl. ¶¶ 28, 29, 31. On May 4, 2007, Administrator Kip Hawley issued a broadcast email to all TSA employees providing notice of the incident and stating that TSA would provide employees with free credit monitoring for one year free of charge. Id.; Defs.' Mot. Dismiss, Exh. 1 (Decl. of Holmes), Att. 1 at 1 (5/4/2007 TSA Broadcast).II. ANALYSIS
On May 8, 2007, four TSA security officers ("individual plaintiffs") and their unions ("union plaintiffs") filed this class action complaint, alleging that defendants violated ATSA and the Privacy Act by failing to ensure the security of the missing hard drive. In their motion to dismiss, defendants argue (1) ATSA does not provide a private right of action; (2) the union plaintiffs lack standing to bring their Privacy Act claim under both the act and the requirements of associational standing; (3) the individual plaintiffs lack standing because they do not allege a cognizable injury; (4) plaintiffs' Privacy Act claim is unripe; and (5) plaintiffs' allegations are insufficient to state a Privacy Act claim. To these arguments the court now turns.I. Plaintiffs' ATSA Claim
In response to the events of September 11, 2001, Congress enacted the Aviation and Transportation Security Act, Pub.L. No. 107-71, 115 Stat. 597 (2001), which created TSA and a federal workforce to screen passengers and cargo at commercial airports. 49 U.S.C. § 114. Among other things, ATSA requires the Administrator to "enforce security related regulations and requirements" and "oversee the implementation, and ensure the adequacy, of security measures at airports." §§ 114(f)(7), (11). Plaintiffs claim defendants violated ATSA by "fail[ing] to maintain personnel data from loss consistent with security-related regulations" and by "fail[ing] to ensure the adequacy of security measures at airports resulting in the loss of personnel data." Compl. ¶¶ 45 — 46.
Defendants move to dismiss plaintiffs' ATSA claim, arguing that the statute does not provide a private cause of action, either express or implied. Plaintiffs admit that ATSA contains no express grant of a private cause of action, but contend that the court should find the act contains an implied cause of action because it "was enacted specifically to create a secure workforce of TSA screeners such as the Plaintiffs" and "protecting screeners' personnel data is vital to the protection of a secure workforce and security at the airports." Pls.' Opp'n to Defs.' Mot. Dismiss ("Opp'n") at 4. Plaintiffs further argue that "[t]here can be no doubt that the Plaintiffs . . . are within the zone of interests created by the ATSA" because "the main purpose of the ATSA was to create this federal, security screening workforce." Id. The court agrees with defendants and finds that ATSA does not provide plaintiffs with a cause of action.
"[P]rivate rights of action to enforce federal law must be created by Congress." Alexander v. Sandoval, 532 U.S. 275, 286 (2001) (citing Touche Ross Co. v. Redington, 442 U.S. 560, 578 (1979)). "The judicial task is to interpret the statute Congress has passed to determine whether it displays an intent to create not just a private right but also a private remedy." Id. (citing Transamerica Mortgage Advisors, Inc. v. Lewis, 444 U.S. 11, 15 (1979)). The court's analysis "must begin with the language of the statute itself." Touche Ross Co. v. Redington, 442 U.S. at 568. Absent statutory language that expressly grants a private right of action, the court must determine whether the statute contains an implied right of action. Anderson v. USAir, Inc., 818 F.2d 49, 54 (D.C. Cir. 1987). Four factors are relevant to discerning congressional intent to provide a private remedy:
(1) [W]hether the plaintiff is one of the class for whose benefit the statute was enacted;
(2) whether some indication exists of legislative intent, explicit or implicit, either to create or to deny a private remedy; (3) whether implying a private right of action is consistent with the underlying purposes of the legislative scheme; and (4) whether the cause of action is one traditionally relegated to state law, such that it would be inappropriate for the court to infer a cause of action based solely on federal law.Tax Analysts v. IRS, 214 F.3d 179, 185-186 (D.C. Cir. 2000) (citing Cort v. Ash, 422 U.S. 66, 78 (1975)). Of the four factors, "the most important consideration is whether the legislature intended to create a private right of action." Dial-A-Car, Inc. v. Transportation, Inc., 132 F.3d 743, 744 (D.C. Cir. 1998).
As to the first factor, the court finds that Congress did not enact ATSA for the special benefit of TSA employees, but rather for purposes of national security:
Indeed, plaintiffs do not contend that they are of the class for whose benefit the statute was enacted. Instead they argue that because ATSA was enacted to create a secure workforce of airport security screeners and protecting the screeners' personnel data is vital to protecting the workforce and the airport, "implying a private right of action to enforce a security regime is consistent with the underlying purposes of enacting the ATSA, specifically, to secure the traveling public by creating a federalized security workforce." Opp'n at 4. The Supreme Court has squarely rejected this type of argument for implying a private cause of action, holding that without statutory intent "to create not just a private right but a private remedy. . . . a cause of action does not exist and courts may not create one, no matter how desirable that might be as a policy matter, or how compatible with the statute." Alexander, 532 U.S. at 286 — 87 (emphasis added).
Plaintiffs' alternative argument that plaintiffs are "within the zone of interests created by the ATSA," Opp'n at 4, is equally unavailing. The Supreme Court has explained that the "zone of interest" test is used principally to determine standing to bring APA claims and is not a universal test for standing. Clarke v. Sec. Indus. Ass'n, 479 U.S. 388, 401 n. 16 (1987). As demonstrated in Cort v. Ash, "the Court was requiring more from the would-be plaintiffs . . . than a showing that their interests were arguably within the zone protected or regulated by [the statute at issue]." Id. (citing Cort v. Ash, 422 U.S. at 81).
Recognizing that "the terrorist hijacking and crashes of passenger aircraft on September 11, 2001, which converted civil aircraft into guided bombs for strikes against the United States, required a fundamental change in the way [the government] approaches the task of ensuring the safety and security of the civil air transportation system," Congress enacted [ATSA] to improve security in the nation's transportation system. H.R. Conf. Rep. No. 107-296, at 53 (2001), reprinted in 2001 U.S.C.C.A.N. 589, 590. In order to achieve this goal, Congress created the Transportation Security Administration within the Department of Transportation and charged it with assuring "security in all modes of transportation." 49 U.S.C. § 114(d) (Supp. III 2003).Coalition of Airline Pilots Ass'n v. FAA, 370 F.3d 1184, 1186 (D.D.C. 2004); see also Springs v. Stone, 362 F. Supp. 2d 686, 694, 705 (E.D. Va. 2005) ("ATSA is a legislative initiative aimed a strengthening the security of this Nation's transportation infrastructure — the civil air transportation system in particular — and nothing else. . . . ATSA was not promulgated in order to protect the employment interests of federal screeners, but instead to address national security and passenger safety. . . . Security was Congress's paramount concern.").
Presented with this same question about a statute that regulated the taxi industry, the D.C. Circuit found that the D.C. Council intended the regulation not only to foster a healthy taxi industry and to justly compensate taxi companies, but also to foster competition and create a centralized system of regulation for the general public's benefit. Dial-A-Car, Inc., 132 F.3d at 745. In light of these "mixed motives," the D.C. Circuit could not conclude that the regulation was enacted to benefit the industry members rather than the general public. Id.
Turning to the second factor — whether some indication exists of legislative intent, explicit or implicit, either to create or to deny a private remedy — the court finds none. The text of § 114 creates the Transportation Security Administration and outlines the responsibilities of the Under Secretary of Transportation for Security. The specific sections plaintiffs allege defendants failed to implement are subparts of § 114(f), which is titled "[a]dditional duties and powers" and provides that "[i]n addition to carrying out the functions specified in subsections (d) and (e), the Under Secretary shall . . ." perform specific additional duties. 49 U.S.C. § 114(f). The Supreme Court has held that statutes like this, which focus on the person regulated rather than the individuals protected, create "no implication of an intent to confer rights on a particular class of persons." Alexander, 532 U.S. at 288 — 89.
In their complaint, plaintiffs quote from § 114(f)(7) and § 114(f)(11), Compl. ¶ 25, while their opposition states that "Plaintiffs challenge the Defendants' failure to implement ATSA, 49 USC § 114(f)(7) and § 114(f)(9). The discrepancy is irrelevant to the court's analysis.
Additionally, § 114 contains no "rights-creating language," Alexander, 532 U.S. at 288, or any other indication that any individual or any entity may file a suit to enforce its provisions. See Anderson, 818 F.2d at 54 (recognizing that "phrasing a statute in general terms rather than specifically identifying the benefitted class indicates a lack of intent to create a private right of action.") (internal quotation omitted). The court finds no congressional intent to allow individuals to bring an action against the TSA for violating § 114 and concludes that no private right of action exists to enforce ATSA. Accordingly, plaintiffs' ATSA claim will be dismissed.
In the absence of congressional intent to provide a private remedy under the first two factors, analysis under the final two factors is unnecessary. Anderson, 818 F.2d at 55 (citations omitted).
Other district courts presented with the issue have also declined to find an implied private right of action in ATSA. Ivyport Logistical Serv., Inc. v. Caribbean Airport Facilities, Inc., 502 F. Supp. 2d 227, 230 (D.P.R. 2007) (finding no private cause of action in ATSA that could be used as a basis for the lawsuit); Nabozny v. NCS Pearson, Inc., 270 F. Supp. 2d 1201, 1205 (D. Nev. 2003) (holding that "in as much as ATSA does not afford Plaintiff individual rights, Plaintiff cannot state a claim for violation of the ATSA under Section 1983"); see also American Fed'n of Gov't Employees TSA Local 1 v. Hawley, 481 F. Supp. 2d 72, 93 n. 10 (D.D.C. 2006) (noting that "the prospect that Congress intended to create a private cause of action for a violation of ATSA § 110(c)(1) does not warrant a discussion.").
II. Privacy Act Claim
The Privacy Act of 1974, 5 U.S.C. § 552a, regulates the collection, maintenance, use, and dissemination of an individual's personal information by federal government agencies. See 5 U.S.C. § 552a. Plaintiffs claim that defendants violated § 552a(e)(10), which requires that
Each agency that maintains a system of records shall . . . establish appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained . . .
§ 552a(e)(10). See Compl. ¶ 48; Opp'n at 17 (citing § 552a(e)(10)). Plaintiffs bring their claim under 5 U.S.C. § 552a(g)(1)(D), which provides that whenever an agency "fails to comply with any other provision of this section, or any rule promulgated thereunder, in such a way as to have an adverse effect on an individual . . . the individual may bring a civil action against the agency, and the district courts of the United States shall have jurisdiction. . . ." § 552a(g)(1)(D).
Defendants move to dismiss plaintiffs' claim on several grounds. First, they argue, the union plaintiffs lack standing to bring a claim under the Privacy Act and do not meet the requirements of associational standing, while the individual plaintiffs lack standing because their allegations of harm are speculative and dependent upon third parties' criminal actions. Mot. Dismiss at 11 — 15. Second, defendants argue the court should dismiss plaintiffs' Privacy Act claim as unripe. Id. at 16 — 18. Third, defendants contend plaintiffs have failed to state a claim. Id. at 18 — 24. To these arguments the court now turns.
1. Standing
A. Union Plaintiffs lack standing to bring a Privacy Act claim.
Plaintiffs do not dispute that only individuals have standing to bring Privacy Act claims. Opp'n at 13. Instead they urge the court to find that the union plaintiffs have associational standing to bring their Privacy Act claim. Defendants argue that the union plaintiffs fail to meet the requirements of associational standing because the suit would require participation of its individual members. Defendants are correct.
Indeed, any attempts to argue otherwise would fail, as the Privacy Act's text permits no other interpretation. The subsection entitled "Civil Remedies" provides that "[w]henever any agency" violates the act in ways specified in § 552a(g)(1)(A) — (D), " the individual may bring a civil action against the agency, and the district courts of the United States shall have jurisdiction in the matters under the provisions of this subsection." § 552a(g)(1) (emphasis added). The act defines "individual" as "a citizen of the United States or an alien lawfully admitted for permanent residence." § 552a(a)(2); see Committee in Solidarity with the People of El Salvador v. Sessions, 738 F. Supp. 544, 547 (D.D.C. 1990) ("[T]he Privacy Act does not confer standing upon organizations on their own or purporting to sue on behalf of their members."); see also Dresser Indus., Inc. v. United States, 596 F.2d 1231, 1237 — 38 (5th Cir. 1979) (explaining that "[t]he Senate Report indicates that Congress, by using this definition [of individual], intended to distinguish `between the rights which are given to the citizen as an individual under this Act and the rights of proprietorships, businesses and corporations which are not intended to be covered by this Act.'") (citing S. Rep. No. 1183, 93d Cong., 2d Sess. 79, reprinted in 1974 U.S.C.C.A.N 6916, 6993); Cell Assoc., Inc. v. Nat'l Inst. of Health, 579 F.2d 1155, 1157 (9th Cir. 1978) (remanding "with directions to dismiss Cell Associates, Inc., as a plaintiff for lack of standing under the Privacy Act" because "[i]t is clear that Cell Associates, a corporation formed in 1974, is not an `individual' within the meaning of the statute"); Socialist Workers Party v. Attorney Gen. of the United States, 642 F. Supp. 1357, 1431 (S.D.N.Y. 1986) (holding that political party plaintiff lacked standing because "[o]nly an individual, not an organization, has standing to obtain a remedy under the Act.").
To meet the requirements of associational standing, the union plaintiffs "must demonstrate that at least one member would have standing under Article III to sue in his or her own right, that the interests it seeks to protect are germane to its purposes, and that neither the claim asserted nor the relief requested requires that an individual member participate in the lawsuit." Natural Res. Def. Council v. EPA, 489 F.3d 1364, 1370 (D.C. Cir. 2007) (citing Hunt v. Wash. State Apple Adver. Comm'n, 432 U.S. 333, 342-43 (1977); Sierra Club v. EPA, 292 F.3d 895, 898 (D.C. Cir. 2002)). Here, because the sole remedy for plaintiffs' Privacy Act claim is actual damages, the union plaintiffs' individual members would be required to participate in the lawsuit to prove their individual damages. See Parks v. IRS, 618 F.2d 677, 685 (10th Cir. 1980) (holding that union plaintiff lacked standing to maintain a Privacy Act action in a representative capacity for damages suffered by its individual members because "[e]ach of the plaintiffs would have to testify because the actionable injury and the damages are individual . . . not common to nor shared by all of the Union members.") (citing Warth v. Seldin, 422 U.S. 490, 515 — 16 (1975)). As such, the union plaintiffs fail to meet one of the required elements of associational standing, and their claim must be dismissed.
As discussed in section II.4, declaratory and injunctive relief are not available for plaintiffs' Privacy Act claim.
Plaintiffs' concede that "the unique facts of individual members may have to be considered for a portion of the relief requested, such as financial loss. . . ." Opp'n at 15.
B. The Individual Plaintiffs have standing to bring their Privacy Act claim.
Defendants argue that the individual plaintiffs should be dismissed for lack of standing for failing to demonstrate an injury-in-fact. Mot. Dismiss at 13. According to defendants, plaintiffs' concerns about future harm are speculative and dependent upon the criminal actions of third parties. Mot. Dismiss at 13 — 15. The court disagrees.
"To have Article III standing, a plaintiff must demonstrate an `actual or immediate' `injury-in-fact' that is `fairly traceable' to the challenged conduct and `likely' to be `redressed by a favorable decision.'" Tozzi v. U.S. Dep't of Health and Human Servs., 271 F.3d 301, 307 (D.C. Cir. 2002) (quoting Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-561 (1992)). Defendants challenge only plaintiffs' ability to meet the injury-in-fact requirement, not causation or redressibility. Mot. Dismiss at 13-15.
Plaintiffs allege that because TSA violated § 552a(e)(10) by failing to establish safeguards to secure the missing hard drive, they have suffered an injury in the form of "embarrassment, inconvenience, mental distress, concern for identity theft, concern for damage to credit report, concern for damage to financial suitability requirements in employment, and future substantial financial harm, [and] mental distress due to the possibility of security breach at airports." Compl. ¶¶ 41 — 42. As such, plaintiffs' alleged injury is not speculative nor dependent on any future event, such as a third party's misuse of the data. The court finds that plaintiffs have standing to bring their Privacy Act claim.
Although defendants argue that plaintiffs "have not alleged any injuries as a result of Defendants' actions that are real and immediate," in this circuit, "emotional trauma alone is sufficient to qualify as an `adverse effect' under Section 552a(g)(1)(D) of the [Privacy] Act." Kreiger v. Dep't of Justice, 529 F. Supp. 2d 29, 53 (D.D.C. 2008) (quoting Albright v. United States, 732 F.2d 181, 186 (D.C. Cir. 1984)).
2. Plaintiffs' Privacy Act claim is ripe.
Defendants contend that plaintiffs' claim is not ripe for adjudication because neither plaintiffs nor defendants can account for the hard drive's location and there is no evidence of unauthorized use of plaintiffs' information. Defendants' ripeness argument suffers from the same infirmity as its standing argument: future unauthorized use is not the basis of plaintiffs' claim. Plaintiffs are asking the court to determine whether defendants violated § 552a(e)(10) by failing to establish appropriate safeguards to insure the security of the hard drive, which, plaintiffs allege, resulted in the hard drive's loss and plaintiffs' injury.
"To determine whether a controversy is ripe, we must consider both the `fitness of the issues for judicial decision and the hardship to the parties of withholding court consideration.'" Exxon Mobil Corp. v. Federal Energy Regulatory Comm'n, 501 F.3d 204, 208 (D.C. Cir. 2007) (quoting Abbott Labs. v. Gardner, 387 U.S. 136, 149 (1967)). Plaintiffs' claim is fit for judicial decision at this time. It does not, as defendants contend, "rest upon contingent future events that may not occur as anticipated, or indeed may not occur at all." Worth v. Jackson, 451 F.3d 854, 861 (D.C. Cir. 2006) (quoting Texas v. United States, 523 U.S. 296, 300 (1998)). As for the hardship prong, the D.C. Circuit has ruled that where "there are no institutional interests favoring postponement of review, [plaintiff] need not satisfy the hardship prong. AT T Corp. v. FCC, 349 F.3d 692, 700 (D.C. Cir. 2003). Accordingly, the court finds plaintiffs' claim ripe for adjudication.
3. Plaintiffs have stated a Privacy Act claim.
Defendants argue plaintiffs have failed to state a claim by failing to allege facts from which this court could infer (a) defendants acted intentionally or willfully; (b) plaintiffs were adversely affected; and (c) plaintiffs sustained actual damages. Id. at 18 — 24. The court considers each of these alleged deficiencies.
A. Intentional and Willful
"An agency acts in an intentional or willful manner `either by committing the act without grounds for believing it to be lawful, or by flagrantly disregarding others' rights under the Act.'" Deters v. United States Parole Comm'n, 85 F.3d 655, 660 (D.C. Cir. 1996) (quoting Albright v. United States, 732 F.2d 181, 189 (D.C. Cir. 1984)). To rise to this level, "`[t]he violation must be so patently egregious and unlawful that anyone undertaking the conduct should have known it unlawful.'" Id. (quoting Laningham v. United States Navy, 813 F.2d 1236, 1242 (D.C. Cir. 1987)).
Defendants contend that the factual allegations in plaintiffs' complaint provide no basis for an inference of intentional or willful conduct. Plaintiffs' complaint acknowledges that TSA notified employees of the incident "out of an abundance of caution," apologized that employees' information may be subject to unauthorized access, and stated that they "deeply regret" the incident. These facts, defendants argue, provide no basis of an intentional or willful violation. Plaintiffs further allege that "[d]efendants have been repeatedly informed of recurring, systemic, and fundamental deficiencies in its information security," citing an Office of Inspector General, Department of Homeland Security report titled "Improved Security Required for Transportation Security Administration Networks." Compl ¶ 35. Defendants claim this allegation is not credible because the report notes that while TSA could further improve its network security, it had already strengthened the security of its servers and workstations, and OIG had detected significantly fewer security vulnerabilities. Id. at 20 — 21. Finally, plaintiffs allege that "[d]efendants demonstrated reckless disregard for privacy rights when it failed to effectively secure the external hard drive that maintained the personal information of its personnel workforce." Compl. ¶ 36.
To survive a motion to dismiss, the complaint's "[f]actual allegations must be enough to raise a right to relief above the speculative level . . . on the assumption that all the allegations in the complaint are true (even if doubtful in fact)." Bell Atlantic Corp. v. Twombly, 550 U.S. ___, 127 S. Ct. 1955, 1965 (2007) (citations omitted). Plaintiffs' allegations, if proven, would support a finding that defendants were warned of the deficiencies in their information security but failed to establish proper safeguards. See In re Dep't of Veterans Affairs Data Theft Litig., Misc. No. 06-5606, Dkt. # 30 at 11 (D.D.C. Nov. 11, 2007) (Robertson, J.) (holding that plaintiffs' allegations were sufficient because, if proven, they would support a finding that VA's conduct was "intentional and willful"). At this point, the Court may not conclude that plaintiff cannot establish "any set of facts consistent with the allegations in the complaint" regarding this statutory violation. Bell Atlantic Corp., 127 S. Ct. at 1969 (citations omitted). Indeed, "the issue presented by a motion to dismiss is not whether a plaintiff will ultimately prevail but whether the claimant is entitled to offer evidence to support the claims." Rochon v. Gonzales, 438 F.3d 1211, 1216 (D.C. Cir. 2006) (citation omitted). The court finds that the plaintiffs have adequately alleged that defendants' conduct was "intentional and willful."
B. Adverse Effect
Defendants claim plaintiffs fail to allege sufficient facts to allow the court to infer plaintiffs have suffered an adverse affect. Plaintiffs allege they "experienced adverse effects due to Defendants' failure to safeguard the Personnel Data and/or disclosure, including but not limited to, embarrassment, inconvenience, mental distress, concern for identity theft, concern for damage to credit report, concern for damage to financial suitabilityrequirements in employment, and future substantial financial harm." Compl. ¶ 41. In addition, plaintiffs "who are members of the traveling public experienced adverse effects due to Defendants' disclosure, including but not limited to, mental distress due to the possibility of security breach at airports." Compl. ¶ 42. As a result, plaintiffs claim they "must take affirmative steps to recover peace of mind, emotional stability, and personal security, including but not limited to, frequently obtaining and reviewing credit reports, bank statements, and other similar information." Compl. ¶ 43.
Defendants fault plaintiffs for not "describ[ing] a single occasion on which they were embarrassed and inconvenienced or identified the nature and occasion of any affirmative step taken to recover peace of mind," arguing that plaintiffs cannot rely on such "conclusory assertions" or "sweeping averments" unsupported by factual allegations. Mot. Dismiss at 21 — 22. The court disagrees with defendants. "At the pleading stage, `general factual allegations of injury resulting from the defendant's conduct may suffice,' and the court `presum[es] that general allegations embrace the specific facts that are necessary to support the claim.'" Sierra Club, 292 F.3d at 898-99 (quoting Lujan v. Defenders of Wildlife, 504 U.S. 555, 561 (1992)). Plaintiffs have adequately plead "adverse effect."
C. Actual Damages
Finally, defendants assert that plaintiffs have failed to state a claim because they have not sufficiently plead actual damages. In Doe v. Chao, 540 U.S. 614 (2004), the Supreme Court held that a plaintiff must prove actual damages to recover under 552a(g)(4) of the Privacy Act. 540 U.S. at 624 — 25 (explaining that "an individual subjected to an adverse effect has injury enough to open the courthouse door, but without more has no cause of action for damages under the Privacy Act"). The Court, however, left open the question of what constitutes "actual damages," noting that the courts of appeals "are divided as to whether actual damages are limited to pecuniary loss or can be awarded for emotional damages without any out-of-pocket loss." Id. at 627 n. 12. The definition of "actual damages" is also unresolved in this Circuit. See Albright, 732 F.2d at 186 (declining to consider "whether non-economic injuries or damages other than out-of-pocket expenses could qualify as `actual damages' under Section 552a(g)(4)).
Defendants argue that the court should interpret "actual damages" narrowly, as is required in construing a waiver of sovereign immunity, to mean only out of pocket expenses, not emotional damages. Plaintiffs claim is therefore insufficient, defendants contend, as "[e]ven the most favorable reading of Plaintiffs' Complaint makes plain that they are not seeking recovery for any alleged out-of-pocket expenses." Mot. Dismiss 23 — 24. Indeed, plaintiffs concede that they "have not pled current, actual, financial loss." Opp'n at 12. Nevertheless, the court finds that plaintiffs have adequately alleged actual damages at this stage. See Montemayor v. Federal Bureau of Prisons, 2005 WL 3274508, at *5 (D.D.C. Aug. 25, 2005) (citing cases) (rejecting argument to narrowly interpret "actual damages" to mean only pecuniary losses and following instead "the recent trend at the District Court level . . . to allow Privacy Act suits seeking general compensatory damages, such as pain and suffering and non-pecuniary losses, to proceed" past the motion to dismiss stage.).
4. Injunctive and Declaratory Relief are not Remedies for Plaintiffs' claim.
In addition to actual damages, plaintiffs' prayer for relief seeks ten other remedies, including six types of injunctive relief (Compl. Demand ¶¶ 5-9, 12), three types of declaratory judgment (Compl. Demand ¶¶ 2-4), and a demand for in camera review of defendants' security procedures (Compl. Demand ¶ 1). Defendants correctly assert that these declaratory and injunctive remedies are not available to plaintiffs.
Although plaintiffs acknowledge that "`actual damages' must be proven in order for a court to award monetary relief," Opp'n at 12, Plaintiffs' opposition appears to indicate that they seek only equitable and declaratory relief, and it is unclear to the court whether they intend to prove their claim for actual damages. See id. at 1 — 2 ("The malfeasance lies in the release of the information itself and not on what financial damage is wrought by the release."); id. at 12 ("while the Plaintiffs have not pled current, actual financial loss, this does not foreclose standing as equitable relief remains available."); id. ("The Plaintiffs seek equitable relief as meaningful redress from the injury caused them."); id. at 16 ("Defendants' err in their failure to recognize that the Defendants' earlier failure to secure the hard-drive so that such a loss of personnel data could occur is the harm and injury already sustained. Plaintiffs are not waiting for additional harm and injury albeit cognizant that future, additional harm may occur from the loss of personnel data."); id. at 17 ("Delaying litigation on this issue, therefore, will impede the declarative, equitable, and injunctive remedies sought by the Plaintiffs."); id. at 19 ("while `actual damages' must be proven in order for a court to award monetary relief, the Supreme Court left open the question of whether equitable relief is available without a showing of actual monetary damages.").
The Privacy Act's civil remedies provision authorizes two specific forms of injunctive relief: (1) for § 552a(g)(1)(A) claims, "the court may order the agency to amend the individual's record in accordance with his request or in such other way as the court may direct;" § 552a(g)(2)(A), and (2) for § 552a(g)(1)(B) claims, "the court may enjoin the agency from withholding the records and order the production to the complainant of any agency records improperly withheld from him," § 552a(g)(3)(A). Plaintiffs do not bring their claim under either of these sections, but rather under § 552a(g)(1)(D). As the D.C. Circuit has held "only monetary damages, not declaratory or injunctive relief, are available to § 552a(g)(1)(D) plaintiffs." Sussman v. U.S. Marshals Serv., 494 F.3d 1106, 1122 (D.C. Cir. 2007) (citing Doe v. Stephens, 851 F.2d 1457, 1463 (D.C. Cir. 1988)). The court therefore dismisses Plaintiffs' demands for injunctive and declaratory relief.
Section 552a(g)(4) governs relief for claims under (g)(1)(D):
In any suit brought under the provisions of subsection (g)(1)(C) or (D) of this section in which the court determines that the agency acted in a manner which was intentional or willful, the United States shall be liable to the individual in an amount equal to the sum of —
(A) actual damages sustained by the individual as a result of the refusal or failure, but in no case shall a person entitled to recovery receive less than the sum of $1,000; and
(B) the costs of the action together with reasonable attorney fees as determined by the court.5 U.S.C. § 552a(g)(4).
See Doe v. Chao, 540 U.S. at 635 (Ginsburg, J., dissenting) ("It bears emphasis that the Privacy Act does not authorize injunctive relief when suit is maintained under § 552a(g)(1)(C) or (D). Injunctive relief, and attendant counsel fees and costs, are available under the Act in two categories of cases: suits to amend a record, § 552a(g)(2), and suits for access to a record, § 552a(g)(3). But for cases like Doe's, brought under § 552a(g)(1)(C) or (D), . . . only monetary relief is available.").
Plaintiffs contend that in Doe v. Chao, the Supreme Court "left open the question of whether equitable relief is available" by stating that "[t]he Privacy Act says nothing about standards of proof governing equitable relief that may be open to victims of adverse determinations or effects. . . ." Opp'n at 12, 19 (quoting Doe v. Chao, 540 U.S. at 619, n. 1). Plaintiffs fail to note, however, that the Court went on to explain that "it may be that this inattention is explained by the general provisions for equitable relief within the Administrative Procedure Act . . ." 540 U.S. at 619, n. 1. As the court already stated, plaintiffs have not brought any claims under the Administrative Procedure Act.