Welborn v. Internal Revenue Service

UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF COLUMBIA

)
BECKY WELBORN, et al., )
)
Plaintiffs, )
)
v. ) Civil Action No. 15-1352 (RMC)
)
INTERNAL REVENUE SERVICE, et al., )
)
Defendants. )
)

OPINION

Becky Welborn, Wendy Windrich, and Beth DuPree, on behalf of a proposed

class, allege that the Internal Revenue Service, IRS Commissioner John A. Koskinen, and IRS

employees, identified as Does 1-100, violated their rights under the Privacy Act, 5 U.S.C.

§ 552a; the Administrative Procedure Act, 5 U.S.C. § 701 et seq.; and the Internal Revenue

Code, 26 U.S.C. § 6103, by disclosing or failing to prevent the disclosure of their personal

identification information to third parties. The Defendants have filed a motion to dismiss, which

is meritorious. The Complaint will be dismissed.

I.

A. Background

The IRS administers and enforces the U.S. tax code. The Commissioner’s role is

to “ensure[] that the agency maintains an appropriate balance between taxpayer service and tax

enforcement and administers the tax code with fairness and integrity.” Am. Compl. [Dkt. 22]

¶ 29. In that role, the Commissioner is “responsible for establishing and interpreting tax

administration policy and for developing strategic issues, goals and objectives for managing and

operating the IRS.” Id.

1
 The IRS “maintains a significant amount of personal and financial information”

on each taxpayer and is, therefore, obligated to protect the confidentiality of that information. Id.

¶ 36. The Federal Information Security Management Act of 2002 (FISMA), 44 U.S.C. § 3541 et

seq., “was enacted to strengthen the security of information and systems within federal

government agencies,” such as the IRS. Am. Compl. ¶ 36. FISMA requires federal agencies to

evaluate periodically the “agency’s information security programs and practices.” Id. ¶ 37.

FISMA specifically requires:

(1) annual agency program reviews; (2) annual Inspector General
evaluations; (3) agency reporting to the Office of Management and
Budget (“OMB”) the results of Inspector General evaluations for
unclassified software systems; and (4) an annual OMB report to
Congress summarizing the material received from agencies.

Id. To assist Inspectors General in evaluating agency systems, the Department of Homeland

Security (DHS) specified eleven (11) information-security program areas and listed the specific

attribute(s) within each area that should be evaluated. The eleven areas that were identified for

evaluation under FISMA comprised:

(1) continuous monitoring management; (2) configuration
management; (3) identity and access management; (4) incident and
response reporting; (5) risk management; (6) security training; (7)
plan of action and milestones; (8) remote access management; (9)
contingency planning; (10) contractor systems; and (11) security
capital planning.

Id. The Treasury Inspector General for Tax Administration (TIGTA) is responsible for

evaluations of the information security programs at the Department of Treasury, including the

IRS. In its Fiscal Year 2014 FISMA report, TIGTA “found four security programs that were not

fully effective due to one or more DHS guideline program attributes that were not met,” id. ¶ 42,

and that two security program areas “did not meet the level of performance specified by the DHS

guidelines due to the majority of the specified attributes not being met,” id. ¶ 43.

2
 The President signed the Federal Information Security Modernization Act of 2014

(“Modernization Act”) into law on December 18, 2014. Pub. L. No. 113-283, 128 Stat. 3073

(2014). This statute amended FISMA, retaining the authority of the Director of the Office of

Management and Budget for oversight and authorizing the Secretary of DHS to administer its

implementation by way of improved security policies and practices across the Executive Branch.

B. Breach of the IRS “Get Transcript” On-Line Program

The IRS launched the Get Transcript online application in January 2014 to allow

“taxpayers to view and print a copy of their prior-year tax information.” Am. Compl. ¶ 31. The

purpose of Get Transcript was “to provide taxpayers with self-service and electronic service

options in the form of web-based tools.” Id. During the 2015 filing season, the Get Transcript

software tool was used by taxpayers “to obtain approximately 23 million copies of their recently

filed tax information.” Id. ¶ 61. The IRS noticed unusual activity in the Get Transcript system

in mid-May 2015, which led to the discovery of “questionable attempts to access the Get

Transcript application.” Id. Get Transcript was shut down on May 21, 2015.

Upon further investigation, the IRS discovered that 330,000 tax-related

documents were stolen during a cyber attack that extended from mid-February to mid-May 2015.

Id. Plaintiffs allege that the Commissioner reported to the U.S. Senate Finance Committee on

June 2, 2015 that “hackers made 200,000 attempts on the ‘Get Transcript’ page, approximately

half of which were successful.” Id. ¶ 5 (emphasis removed). According to reports from the IRS,

one or more individuals succeeded in bypassing the program’s authentication process to access

taxpayer records. Id. ¶ 62. The information stolen included a wide range of taxpayer

information, including personal identification information (identified by the parties as “PII”).

3
 Plaintiffs further allege that TIGTA had recommended greater security on Get

Transcript but the IRS chose “to roll out a more simple authentication method to encourage use,”

despite knowing that it “was vulnerable and insecure.” Id. ¶¶ 12-13.

C. Plaintiffs’ Private Data

In June 2015, Ms. Windrich learned of fraud arising from the mis-use of her tax

records when she received a letter from the IRS informing her that an electronic tax return had

been processed and a refund deposited, although Ms. Windrich had submitted her tax return via

the U.S. Postal Service. As a result, Ms. Windrich and her husband “spent more than 30 hours

dealing with the ramifications.” Id. ¶ 76. Ms. Windrich “reasonably believes that her PII was

compromised and obtained by the cybercriminals through the IRS systems.” Id. The IRS now

prohibits her and her husband from submitting electronic tax returns and she alleges that she “is

at a heightened risk of further identity theft requiring her to pay indefinitely for on-going credit

monitoring.” Id.

Over the summer of 2015, Ms. Welborn was alerted to possible fraud through a

duplicate joint tax return that an unknown person or persons submitted to the IRS in her name.

As a result, Ms. Welborn and her husband also “spent dozens of hours dealing with the

ramifications.” Id. ¶ 83. Ms. Welborn “had to change all of their bank account numbers, file a

police report, place fraud alerts with all three credit agencies, file a report with the Federal Trade

Commission, submit a fraud affidavit to the IRS, and request written copies of her family’s credit

reports from the three credit agencies.” Id. As is Ms. Windrich, Ms. Welborn is now prohibited

by the IRS from submitting her tax returns online. She alleges that she “is at a heightened risk of

further identity theft requiring her to pay indefinitely for on-going credit monitoring.” Id. ¶ 84.

4
 Ms. DuPree “was notified by a letter dated August 31, 2015 from the IRS that

criminal actors potentially used her personal information to view her tax information through the

IRS’s Get Transcript application on IRS.gov.” Id. ¶ 85. Ms. DuPree and her husband “spent

numerous hours dealing with the ramifications,” id. ¶ 89; specifically, Ms. DuPree “has been the

victim of at least two occasions of fraudulent activity in her financial accounts . . . after the IRS

data breach,” id. Ms. DuPree “had to hire an attorney to investigate the fraudulent activity,” is

no longer eligible for electronic tax return filing, and alleges that she “is at a heightened risk of

further identity theft requiring her to pay indefinitely for on-going credit monitoring.” Id. ¶¶ 90-

91. Overall,

Plaintiffs request damages to compensate them for their current and
future losses and injunctive relief to fix the IRS’s security protocol,
implement TIGTA’s audit recommendations, implement President
Obama’s executive order focused on improving the security of
consumer financial transactions, to [sic] provide adequate credit
monitoring services for a sufficient time period, and to [sic] provide
after-the-fact identity repair services and identity theft insurance to
protect Class members from fraud and/or identity theft.

Id. ¶ 15.

D. Procedural History

Plaintiffs filed an Amended Class Action Complaint on January 6, 2016 seeking

damages and injunctive relief. See Am. Compl. [Dkt. 22]. Plaintiffs allege that (1) Defendants

violated the Privacy Act by intentionally and willfully failing to comply with FISMA and the

Modernization Act, thereby allowing the disclosure of Plaintiffs’ personal identifying

information; (2) Defendants’ failures to comply with FISMA and the Modernization Act were

arbitrary and capricious, or otherwise violated the Administrative Procedure Act (APA); and (3)

Defendants violated the Internal Revenue Code (Code) by disclosing, or allowing the disclosure

of, Plaintiffs’ personal identifying information to criminals. Plaintiffs intend their suit to be a

5
class action and define that class as “[a]ll Tax filers of the United States and their spouses and/or

dependents whose PII was compromised as a result of the ‘Get Transcript’ application data

breach.” Id. ¶ 92.

Defendants moved to dismiss the Amended Complaint for lack of subject matter

jurisdiction, Fed. R. Civ. P. 12(b)(1), and, in the alternative, for failure to state a claim upon which

relief may be granted, Fed. R. Civ. P. 12(b)(6). See Mot. [Dkt. 24]. Plaintiffs have opposed that

motion, see Opp’n [Dkt. 29], and Defendants filed a timely reply. See Reply [Dkt. 30]. The

motion is ripe for review.

E. Jurisdiction and Venue

The Court has jurisdiction over the Privacy Act claims pursuant to 5 U.S.C.

§ 552a(g)(1), the APA claims pursuant to 28 U.S.C. § 1331, and the Internal Revenue Code

claims pursuant to 26 U.S.C. § 6103. Venue is proper pursuant to 28 U.S.C. § 1391(e)(1).

II.

A. Motion to Dismiss

1. Rule 12(b)(1)

Federal Rule of Civil Procedure 12(b)(1) allows a defendant to move to dismiss a

complaint, or any portion thereof, for lack of subject matter jurisdiction. Fed. R. Civ. P.

12(b)(1). No action of the parties can confer subject matter jurisdiction on a federal court

because subject matter jurisdiction is both a statutory requirement and an Article III requirement.

Akinseye v. District of Columbia, 339 F.3d 970, 971 (D.C. Cir. 2003). The party claiming

subject matter jurisdiction bears the burden of demonstrating that such jurisdiction exists. Khadr

v. United States, 529 F.3d 1112, 1115 (D.C. Cir. 2008); see Kokkonen v. Guardian Life Ins. Co.

of Am., 511 U.S. 375, 377 (1994) (noting that federal courts are courts of limited jurisdiction and

6
“[i]t is to be presumed that a cause lies outside this limited jurisdiction, and the burden of

establishing the contrary rests upon the party asserting jurisdiction”).

When reviewing a motion to dismiss for lack of jurisdiction under Rule 12(b)(1),

a court must review the complaint liberally, granting the plaintiff the benefit of all inferences that

can be derived from the facts alleged. Barr v. Clinton, 370 F.3d 1196, 1199 (D.C. Cir. 2004).

Nevertheless, “the Court need not accept factual inferences drawn by plaintiffs if those

inferences are not supported by facts alleged in the complaint, nor must the Court accept

plaintiffs’ legal conclusions.” Speelman v. United States, 461 F. Supp. 2d 71, 73 (D.D.C. 2006).

A court may consider materials outside the pleadings to determine its jurisdiction. Settles v. U.S.

Parole Comm’n, 429 F.3d 1098, 1107 (D.C. Cir. 2005); Coal. for Underground Expansion v.

Mineta, 333 F.3d 193, 198 (D.C. Cir. 2003). A court has “broad discretion to consider relevant

and competent evidence” to resolve factual issues raised by a Rule 12(b)(1) motion. Finca Santa

Elena, Inc. v. U.S. Army Corps of Eng’rs, 873 F. Supp. 2d 363, 368 (D.D.C. 2012) (citing 5B

Charles Wright & Arthur Miller, Fed. Prac. & Pro., Civil § 1350 (3d ed. 2004)); see also

Macharia v. United States, 238 F. Supp. 2d 13, 20 (D.D.C. 2002), aff’d, 334 F.3d 61 (2003) (in

reviewing a factual challenge to the truthfulness of the allegations in a complaint, a court may

examine testimony and affidavits). In such circumstances, consideration of documents outside

the pleadings does not convert the motion to dismiss into one for summary judgment. Al-Owhali

v. Ashcroft, 279 F. Supp. 2d 13, 21 (D.D.C. 2003).

2. Rule 12(b)(6)

A motion to dismiss for failure to state a claim under Fed. R. Civ. P. 12(b)(6)

challenges the adequacy of a complaint on its face. Fed. R. Civ. P. 12(b)(6) (“Every defense to a

claim for relief in any pleading must be asserted in the responsive pleading if one is required.

7
But a party may assert the following defenses by motion: . . . (6) failure to state a claim upon

which relief can be granted[.]”). To survive a motion to dismiss, a complaint must contain

sufficient factual information, accepted as true, to “‘state a claim to relief that is plausible on its

face.’” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550

U.S. 544, 570 (2007)). A court must assume the truth of all well-pleaded factual allegations and

construe reasonable inferences from those allegations in favor of the plaintiff. Sissel v. Dep’t of

Health & Human Servs., 760 F.3d 1, 4 (D.C. Cir. 2014). A court need not accept inferences

drawn by a plaintiff if such inferences are not supported by the facts set out in the complaint.

Kowal v. MCI Commc’ns Corp., 16 F.3d 1271, 1276 (D.C. Cir. 1994). Further, a court does not

need to accept as true legal conclusions set forth in a complaint. Iqbal, 556 U.S. at 678. In

deciding a motion under Rule 12(b)(6), a court may consider the facts alleged in the complaint,

documents attached to the complaint as exhibits or incorporated by reference, and matters about

which the court may take judicial notice. Abhe & Svoboda, Inc. v. Chao, 508 F.3d 1052, 1059

(D.C. Cir. 2007).

B. Privacy Act

The Privacy Act “safeguards the public from unwarranted collection,

maintenance, use and dissemination of personal information contained in agency records by

allowing an individual to participate in ensuring that his records are accurate and properly used.”

Henke v. Dep’t of Commerce, 83 F.3d 1453, 1456 (D.C. Cir. 1996); see also FAA v. Cooper, 132

S. Ct. 1441, 1446 (2012) (noting the “comprehensive and detailed set of requirements” laid out

in the Privacy Act to protect individuals’ personal information). The Privacy Act specifically

prohibits disclosure of “any record which is contained in a system of records by any means of

communication to any person, or to another agency” without the consent of the individual to

8
whom the record pertains or disclosure is otherwise authorized under the Privacy Act. 5 U.S.C.

§ 552a(b). A record is defined as:

any item, collection, or grouping of information about an individual
that is maintained by an agency, including, but not limited to, his
education, financial transactions, medical history, and criminal or
employment history and that contains his name, or the identifying
number, symbol, or other identifying particular assigned to the
individual, such as a finger or voice print or a photograph.

5 U.S.C. § 552a(a)(4). A system of records includes “a group of any records under the control of

any agency from which information is retrieved by the name of the individual or by some

identifying number, symbol, or other identifying particular assigned to the individual.” 5 U.S.C.

§ 552a(a)(5). In addition to prohibiting disclosure, the Privacy Act requires agencies to secure

records by:

establish[ing] appropriate administrative, technical, and physical
safeguards to insure the security and confidentiality of records and
to protect against any anticipated threats or hazards to their security
or integrity which could result in substantial harm, embarrassment,
inconvenience, or unfairness to any individual on whom information
is maintained.

5 U.S.C. § 552a(e)(10).

District courts have jurisdiction over civil actions brought by individuals who

have been adversely affected by a violation of the Privacy Act. See 5 U.S.C. § 552a(g)(1).

Relief is tied to the nature of the violation alleged. Monetary damages are permitted in suits

brought under § 552a(g)(1)(C) or (D) when “the agency acted in a manner which was intentional

or willful.” 5 U.S.C. § 552a(g)(4). Section 552(g)(1)(D) permits monetary damages when an

agency “fails to comply with any other provision of this section, or any rule promulgated

thereunder, in such a way as to have an adverse effect on an individual.” 5 U.S.C.

§ 552a(g)(1)(D).

9
 C. Administrative Procedure Act

The APA requires a reviewing court to set aside an agency action that is

“arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law.” 5 U.S.C.

§ 706(2)(A); Tourus Records, Inc. v. Drug Enforcement Admin., 259 F.3d 731, 736 (D.C. Cir.

2001). A claim under the APA can challenge agency action or “fail[ure] to act.” 5 U.S.C. § 702.

While the APA allows a court to compel agency action, it excludes agency action that “is

committed to agency discretion by law.” 5 U.S.C. § 701(a)(2).

In reviewing agency action, a court “must consider whether the [agency’s]

decision was based on a consideration of the relevant factors and whether there has been a clear

error of judgment.” Marsh v. Oregon Natural Res. Council, 490 U.S. 360, 378 (1989) (internal

quotation marks omitted). At a minimum, the agency must have considered relevant data and

articulated an explanation establishing a “rational connection between the facts found and the

choice made.” Bowen v. Am. Hosp. Ass’n, 476 U.S. 610, 626 (1986); see also Pub. Citizen, Inc.

v. Fed. Aviation Admin., 988 F.2d 186, 197 (D.C. Cir. 1993) (“The requirement that agency

action not be arbitrary or capricious includes a requirement that the agency adequately explain its

result.”). An agency action usually is arbitrary or capricious if

the agency has relied on factors which Congress has not intended it
to consider, entirely failed to consider an important aspect of the
problem, offered an explanation for its decision that runs counter to
the evidence before the agency, or is so implausible that it could not
be ascribed to a difference in view or the product of agency
expertise.

Motor Vehicle Mfrs. Ass’n of U.S.v. State Farm Mut. Auto. Ins. Co., 463 U.S. 29, 43 (1983); see

also County of Los Angeles v. Shalala, 192 F.3d 1005, 1021 (D.C. Cir. 1999) (“Where the

agency has failed to provide a reasoned explanation, or where the record belies the agency’s

conclusion, [the court] must undo its action.”).

10
 As the Supreme Court has directed, “the scope of review under the ‘arbitrary and

capricious’ standard is narrow and a court is not to substitute its judgment for that of the

agency.” Motor Vehicle Mfrs. Ass’n, 463 U.S. at 43. Rather, the agency action under review is

“entitled to a presumption of regularity.” Citizens to Pres. Overton Park, Inc. v. Volpe, 401 U.S.

402, 415 (1971), abrogated on other grounds by Califano v. Sanders, 430 U.S. 99 (1977). If the

district court can “reasonably discern” the agency’s path, it should uphold the agency’s decision.

Pub. Citizen, 988 F.2d at 197.

D. Internal Revenue Code

The Code provides for the protection of tax returns and return information and

authorizes civil suit and remedies for unauthorized disclosure of such information. Section 6103

provides that “[r]eturns and return information shall be confidential” and not disclosed unless

authorized under the Code. 26 U.S.C. § 6103(a). The Code allows a civil action for improper

disclosure when “any officer or employee of the United States knowingly, or by reason of

negligence, inspects or discloses any return or return information with respect to a taxpayer in

violation of any provision of section 6103.” 26 U.S.C. § 7431(a)(1). Section 6103 states that

disclosure “means the making known to any person in any manner whatever a return or return

information.” 26 U.S.C. § 6103(b)(8). “Returns and return information” is broadly defined to

include everything from a completed tax return submitted by a taxpayer to “a taxpayer’s identity,

the nature, source, or amount of his income, payments, receipts, deductions, exemptions, credits,

. . . or any other data, received by, recorded by, prepared by, furnished to, or collected by the

Secretary with respect to a return.” 26 U.S.C. § 6103(b)(1), (b)(2)(A). If a plaintiff succeeds on

a claim under § 7431, they may receive:

11
 (1) the greater of—

(A) $1,000 for each act of unauthorized inspection or disclosure of
a return or return information with respect to which such defendant
is found liable, or

(B) the sum of—(i) the actual damages sustained by the plaintiff as
a result of such unauthorized inspection or disclosure, plus (ii) in the
case of a willful inspection or disclosure or an inspection or
disclosure which is the result of gross negligence, punitive damages,
plus

(2) the costs of the action, plus

(3) in the case of a plaintiff which is described in section
7430(c)(4)(A)(ii), reasonable attorneys fees, except that if the
defendant is the United States, reasonable attorneys fees may be
awarded only if the plaintiff is the prevailing party (as determined
under section 7430(c)(4)).

26 U.S.C. § 7431(c).

III.

A. Do Plaintiffs Have Standing to Sue?

Standing is part and parcel of Article III’s limitation on the judicial power of the

federal courts and extends only to cases or controversies. U.S. Const. art. III, § 2 (“The judicial

Power shall extend to all Cases, in Law and Equity, arising under this Constitution, the Laws of

the United States, and Treaties made, or which shall be made, under their Authority [and] to

Controversies . . . .”); Ariz. State Legislature v. Ariz. Indep. Redistricting Comm’n, 135 S. Ct.

2652, 2663 (2015). The strictures of Article III standing are by now “familiar.” United States v.

Windsor, 133 S. Ct. 2675, 2685 (2013). Standing requires (1) the plaintiff to have suffered an

injury in fact that is both (a) concrete and particularized and (b) actual or imminent, as opposed

to conjectural or hypothetical; (2) the injury must be traceable to the defendants’ actions; and (3)

the injury must be redressable by a favorable decision of the court. See id. at 2685-86 (citing

Lujan v. Defenders of Wildlife, 504 U.S. 555, 559-62 (1992)). In the context of a putative class

12
action, all named plaintiffs “must allege and show that they personally have been injured, not

that injury has been suffered by other, unidentified members of the class to which they belong

and which they purport to represent.” Warth v. Seldin, 422 U.S. 490, 502 (1975) (emphasis

added).

A federal court must assure itself of both constitutional and statutory subject

matter jurisdiction. The former obtains if the case is one “arising under this Constitution, the

Laws of the United States, and Treaties made, or which shall be made, under their Authority.”

U.S. Const. art. III, § 2. The relevant statute, 28 U.S.C. § 1331, likewise confers jurisdiction

upon lower courts to hear “all civil actions arising under the Constitution, laws, or treaties of the

United States.” Federal courts have constitutional and statutory “arising under” jurisdiction

whenever a plaintiff’s claim “will be sustained if the Constitution is given one construction and

will be defeated if it is given another.” Powell v. McCormack, 395 U.S. 486, 514-16 (1969)

(citing Bell v. Hood, 327 U.S. 678, 685 (1946) and King Cnty. v. Seattle Sch. Dist. No. 1, 263

U.S. 361, 363-64 (1923)).

1. Injury-in-Fact

A plaintiff must allege an injury-in-fact that is (a) concrete and particularized and

(b) actual or imminent, not conjectural or hypothetical. See Windsor, 133 S. Ct. at 2685 (citing

Lujan, 504 U.S. at 559-62). Allegations of speculative or possible future injury do not satisfy the

requirements of Article III. “A threatened injury must be certainly impending to constitute

injury in fact.” Whitmore v. Arkansas, 495 U.S. 149, 158 (1990) (internal quotations omitted).

When an alleged injury has not yet occurred, courts must determine whether it is

imminent. Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1147 (2013). An injury is imminent

if the threatened injury is “certainly impending” or if there is substantial risk that the harm will

occur. Id. “[P]laintiffs bear the burden of pleading . . . concrete facts showing that the

13
defendant’s actual action has caused the substantial risk of harm. Plaintiffs cannot rely on

speculation about the unfettered choices made by independent actors not before the court.” Id. at

1150 n. 5 (internal quotation and citation omitted). Plaintiffs also “cannot manufacture standing

merely by inflicting harm on themselves based on their fears of hypothetical future harm that is

not certainly impending.” Id. at 1151.

Defendants argue that Plaintiffs Welborn and Windrich have failed to allege an

injury-in-fact sufficient to satisfy the requirements for standing under Article III. In this regard,

Defendants contend: (1) the filing of fraudulent tax returns by a criminal; (2) the risk of future

economic harm; (3) the costs to monitor and evaluate their credit; and (4) the alleged diminished

value of these Plaintiffs’ personal identifying information are not legally cognizable injuries.

Plaintiffs respond that Mses. Welborn and Windrich adequately plead injury-in-fact because they

suffered actual identity theft in the form of false tax returns filed in their names and that, due to

the substantial risk of future economic harm, they have already reasonably incurred costs to

evaluate and mitigate that risk.

Plaintiffs cite In re Science Applications International Corp. Backup Tape Data

Theft Litigation, 45 F. Supp. 3d 14, 26 (D.D.C. 2014) (SAIC), which the Court finds instructive

here. SAIC concerned the theft of a backup tape that contained the names and social security

numbers of 4.7 million members of the U.S. military and their families. In the many subsequent

lawsuits against the government and SAIC, a government contractor from whom the tape was

stolen, the plaintiffs plead the risk of future harm and the costs to monitor their credit and

prevent future harm as cognizable injuries-in-fact. Judge James E. Boasberg of this Court

evaluated each Plaintiff’s standing in light of Clapper v. Amnesty International USA, 135 S. Ct.

1138 (2013), and held that neither the risk of future identity theft nor costs to monitor and

14
prevent future harm conferred Article III standing. In comparison, as to those SAIC plaintiffs

who had already suffered instances of identity theft, the court found a clear injury that supported

standing to sue. 45 F. Supp. 3d at 25. Because Mses. Welborn and Windrich both allege that

they have suffered actual identity theft when someone filed false tax returns (and claimed

fraudulent refunds) in their names, each of these Plaintiffs has plead sufficient injury-in-fact to

establish standing. See Am. Compl. ¶¶ 71-73, 79. As the IRS does not dispute that Ms. DuPree

has alleged an injury in fact—she “has been the victim of at least two occasions of fraudulent

activity in her financial accounts, one of which resulted in the removal of funds from a personal

financial account, which occurred after the IRS data breach,” id. ¶ 89—all three Plaintiffs have

alleged sufficient injury-in-fact.

Plaintiffs’ other alleged injuries are too ephemeral to suffice under Clapper.

Plaintiffs rest largely on the theory that they suffer an increased threat of future identity theft and

fraud as a result of the IRS security breach. See id. ¶¶ 76, 83-84, 90-91; Opp’n at 15. Clapper

has already instructed that a party cannot claim injury-in-fact based on hypothetical future harm

that is not “certainly impending.” 133 S. Ct. at 1143; see also Whitmore, 495 U.S. at 158.

Plaintiffs have not alleged facts from which a plausible inference could be drawn that they face

imminent harm that is “certainly impending.” The likelihood that any Plaintiff will suffer

additional harm remains entirely speculative and depends on the decisions and actions of one or

more independent, and unidentified, actor(s). See Clapper, 133 S. Ct. at 1150. Thus, Plaintiffs’

allegations that they face an increased risk of future harm does not satisfy Article III.

In addition, general anxiety does not establish standing. See Am. Compl. ¶¶ 74

(alleging that “Plaintiff Windrich is reasonably concerned about her and her husband’s future”);

81 (alleging that “Plaintiff Welborn is reasonably concerned about her and her husband’s future

15
. . . as the family’s PII was in their stolen tax data”); and 88 (alleging that “Plaintiff DuPree is

reasonably concerned about her and her spouse’s . . . future”). An “objectively reasonable

likelihood” of future harm does not establish standing in the present time, despite legitimate

anxiety that ill might befall an individual. Clapper, 133 S. Ct. at 1147-48. Even if their fears are

rational, this uncertain and inchoate risk does not confer standing. See SAIC, 45 F. Supp. 3d at

26; see also Fernandez v. Leidos, Inc., 127 F. Supp. 3d 1078, 1088 (E.D. Cal. 2015) (rejecting

claim that theft of information established that plaintiff “suffers from a substantial risk of

imminent future harm”); In re Zappos.com, Inc., 108 F. Supp. 3d 949, 954-55 (D. Nev. 2015)

(finding no standing where the last four digits of credit card numbers of 24 million customers

were stolen, without allegations of unauthorized purchases or other signs of misuse).

Plaintiffs also allege injury based on the time and money spent monitoring and

assessing the potential risk of future harm. See Am. Compl. ¶¶ 76, 83, 89. However, “the cost

involved in preventing future harm” does not constitute an injury-in-fact. SAIC, 45 F. Supp. 3d

at 26 (emphasis in original).

These legal maxims were clearly established in Clapper, if not before. The

Supreme Court held that proactive measures based on “fears of . . . future harm that is not

certainly impending” do not create an injury in fact, even where such fears are not unfounded.

Clapper, 133 S. Ct. at 1151. In other words, Plaintiffs cannot create standing by “inflicting harm

on themselves” to ward off a speculative future injury. Id.; see also Reilly v. Ceridian Corp., 664

F.3d 38, 45 (3d Cir. 2011) (finding that “Appellants’ alleged time and money expenditures to

monitor their financial information did not establish standing, because costs incurred to watch for

a speculative chain of future events based on hypothetical future criminal acts are no more

16
‘actual’ injuries than the alleged ‘increased risk of injury’ which forms the basis for Appellants’

claims”).

Finally, Plaintiffs claim as injury the “diminished value of their PII.” Opp’n at

15. Courts have routinely rejected the proposition that an individual’s personal identifying

information has an independent monetary value. See, e.g. Remijas v. Neiman Marcus Group,

LLC, 794 F.3d 688, 697 (7th Cir. 2015) (finding no standing from “such an abstract injury,

particularly since the complaint does not suggest that the plaintiffs could sell their personal

information for value”); In re Zappos.com, Inc., 108 F. Supp. 3d at 954; Low v. LinkedIn Corp.,

900 F. Supp. 2d 1010, 1029 (N.D. Cal. 2012) (finding such allegations “too abstract and

speculative to support Article III standing”).

If, contrary to the necessity of an injury-in-fact, one could assume that Plaintiffs’

personal identifying information had economic value, Plaintiffs do not allege facts to support the

inference of their allegation that their personal information became less valuable as a result of

the IRS breach or that they attempted to sell their information and were rebuffed because of a

lower price-point attributable to the breach. See SAIC, 45 F. Supp. 3d at 30; Zappos.com, 108 F.

Supp. 3d at 954. These allegations do not establish an injury-in-fact.

2. Causation

Causation is the second element of standing and just as critical as an injury-in-

fact. Causation requires “a causal connection between the injury and the conduct complained

of.” Lujan, 504 U.S. at 560. The harm alleged must be “fairly traceable to the challenged action

of the defendant, and not the result of the independent action of some third party not before the

court.” Bennett v. Spear, 520 U.S. 154, 167 (1997). Because the fraud alleged here was

committed by third parties and not Defendants, Plaintiffs must also allege facts to show that,

absent the alleged unlawful actions by the IRS (in alleged violation of the Privacy Act, the APA

17
and/or the Code), “there is a substantial probability that they would not be injured.’” Chamber of

Commerce v. EPA, 642 F.3d 192, 201 (D.C. Cir. 2011) (quoting Warth, 422 U.S. at 504). In

other words, to demonstrate causation, Plaintiffs must put forward facts showing that their

injuries can be traced to the specific data incident of which they complain and not to any

previous theft or data loss incident. See SAIC, 45 F. Supp. 3d at 32. At a minimum, they must

allege facts that indicate that the information stolen from the Defendants in the Get Transcript

breach is the same type of information used to commit their injuries. See id. at 31-32.

Ms. Windrich alleges that “the IRS told her that the fraudulent tax return [filed in

the Windriches’ names] had very specific and personal information that had to be taken from her

prior two years’ income tax returns” and “the information supplied in the fraudulent tax return

could only have come from the Get Transcript application.” Am. Compl. ¶ 73. At the point of a

motion to dismiss, a court credits all well-pled facts and gives a plaintiff the benefit of all

reasonable inferences that might be drawn from such facts. See Sissel, 760 F.3d at 4. Ms.

Windrich has alleged sufficient facts that, if proved, would tend to show that the information

used in the fraudulent tax return was of the same type that was stolen from the Get Transcript

application and, therefore, has plead the necessary causal connection.

Ms. Welborn alleges that an “IRS representative explained to [her] that someone

had filed a duplicate joint [tax] return using her and her husband’s social security numbers” and

“that the fraudulent party had requested a transcript of Plaintiff Welborn’s taxes through the Get

Transcript application.” Am. Compl. ¶ 79. Again, taking the well-pled factual assertions as true,

the Court finds Ms. Welborn has also alleged a sufficient causal connection to support her

standing to sue.

18
 Finally, Ms. DuPree alleges: (1) that she “was notified by a letter dated August

31, 2015 from the IRS that criminal actors potentially used her personal information to view her

tax information through the IRS’s Get Transcript application”; (2) that she “has never been

notified by any other entity that her PII had been compromised”; and (3) that she has been the

victim of “at least two occasions of fraudulent activity in her financial accounts, one of which

resulted in the removal of funds from a personal financial account, which occurred after the IRS

data breach.” Id. ¶¶ 85-86, 89. These allegations alone do not sufficiently connect the Get

Transcript incident to the removal of funds from Ms. DuPree’s account. It is not clear that the

type of data obtained from the theft of Get Transcript information was necessarily used in the

removal of funds. See SAIC, 45 F. Supp. 3d at 31. Ms. DuPree simply alleges that the alleged

financial fraud happened after the Get Transcript breach. See Am. Compl. ¶ 89; see also Resnick

v. AvMed, Inc., 693 F.3d 1317, 1326 (11th Cir. 2012) (holding that “to prove that a data breach

caused identity theft, the pleadings must include allegations of a nexus between the two instances

beyond allegations of time and sequence”).

Recognizing this problem, Ms. DuPree attempts to supplement the Amended

Complaint by submitting a declaration with her opposition. See Declaration of Michele M.

Vercoski (Vercoski Decl.) [Dkt. 29-1]. In appropriate cases, a district court may “dispose of a

motion to dismiss for lack of subject matter jurisdiction under Fed. R. Civ. P. 12(b)(1) on the

complaint standing alone. But where necessary, the court may consider the complaint

supplemented by undisputed facts evidenced in the record, or the complaint supplemented by

undisputed facts plus the court’s resolution of disputed facts.” Herbert v. Nat’l Acad. of Scis.,

974 F.2d 192, 197 (D.C. Cir. 1992); but see Sloan v. Urban Title Sers., Inc., 689 F. Supp. 2d 94,

114 (D.D.C. 2010) (finding that plaintiff “cannot amend her complaint through her opposition

19
briefing”). However, when considering a motion to dismiss for lack of subject matter

jurisdiction, a court cannot “‘rely on conclusory or hearsay statements contained in the

affidavits.’” See Treiber v. Aspen Dental Mgmt., Inc., 94 F. Supp. 3d 352, 361 (N.D.N.Y. 2015)

(quoting J.S. ex rel. N.S. v. Attica Cent. Schs., 386 F.3d 107, 110 (2d Cir. 2004)).

The Vercoski Declaration is submitted by counsel for Ms. DuPree and advances

hearsay and conclusory statements. Although counsel can swear to the existence of IRS letters

due to her “personal knowledge” of the evidence in the case, Ms. Vercoski cannot attest to Ms.

DuPree’s conversations with others or her thoughts about the cause of fraudulent attempts on her

retirement account. The Vercoski Declaration states that Ms. DuPree filed a police report and

“explained that the IRS’s data breach, which would have indicated her retirement account

information, was responsible for the fraud.” Vercoski Decl. ¶ 9. Besides the obvious hearsay,

the phrase “would have indicated” is in the subjective tense and does not state a fact. The Court

cannot assume a critical element to establish causation and standing. Ms. DuPree’s allegations

will be dismissed.

3. Redressability

The last element of standing is redressability, requiring that it “be likely, as

opposed to merely speculative, that the injury will be redressed by a favorable decision.” Lujan,

504 U.S. at 561 (internal quotations and citation omitted); see also SAIC, 45 F. Supp. 3d at 33.

Mses. Welborn and Windrich claim injury based on a misuse of their personal identifying

information to file a fraudulent tax return. Any harms might be redressed through a monetary

award. Therefore, Mses. Welborn and Windrich have standing to sue for monetary damages.

4. Do Plaintiffs Have Standing to Obtain an Injunction Under the APA?

To allege a case or controversy justifying an injunction, a plaintiff must allege

more than “past exposure to illegal conduct.” City of Los Angeles v. Lyons, 461 U.S. 95, 102

20
(1983) (internal quotations and citation omitted). City of Los Angeles v. Lyons involved claims

by Mr. Lyons that the L.A. police had unreasonably put him in a chokehold that injured his

larynx. The D.C. Circuit has summarized the holding in City of Los Angeles to wit: “while

Lyons could maintain a suit for damages, he could not maintain his suit for an injunction because

he ‘has made no showing that he is realistically threatened by a repetition of his experience.’”

Fair Emp’t Council of Greater Washington, Inc. v. BMC Mktg. Corp., 28 F.3d 1268, 1272 (D.C.

Cir. 1994) (discussing City of Los Angeles). “To pursue an injunction or a declaratory judgment,

. . . plaintiffs must allege a likelihood of future violations of their rights by [the IRS], not simply

future effects from past violations.” Id. at 1273 (emphasis in original); see also Dearth v.

Holder, 641 F.3d 499, 501 (D.C. Cir. 2011) (finding a plaintiff “must show he is suffering an

ongoing injury or faces an immediate threat of [future] injury”); Peterson v. Transp. Workers

Union of Am., AFL-CIO, 75 F. Supp. 3d 131, 136 n.2 (D.D.C. 2014) (“[A] plaintiff seeking a

declaratory judgment must still present a ‘substantial controversy . . . of sufficient immediacy

and reality’ in order to have standing.”) (quoting Fed. Exp. Corp. v. Air Line Pilots Ass’n, 67

F.3d 961, 964 (D.C. Cir. 1995)).

This legal principle is well established. “[W]hen a plaintiff seeks injunctive or

declaratory relief specifically for the purpose of challenging an alleged policy or practice of a

government agency, the plaintiff must demonstrate that it is ‘realistically threatened by a

repetition of its experience.’” Afifi v. Lynch, 101 F. Supp. 3d 90, 108-09 (D.D.C. 2015) (quoting

Haase v. Sessions, 835 F.2d 902, 910-11 (D.C. Cir. 1987)). Plaintiffs must plead a “real or

immediate” threat of repetition, not merely “a nebulous assertion of the existence of a ‘policy’”

and a likelihood that they will “be subjected to the policy again.” Haase, 835 F.2d at 911; see

also Lyons, 461 U.S. at 102-06; Golden v. Zwickler, 394 U.S. 103, 109 (1969). Get Transcript

21
was withdrawn in May 2015 and Plaintiffs make no allegation that the IRS continues to allow

access to their personal identifying information. The allegations that the IRS failed to comply

with FISMA or the Modernization Act do not help. FISMA is a peculiarly hortatory statute

directed to federal executives to protect federal information technology for the benefit of the

federal government. There is no private right of action under FISMA or the Modernization Act

and, indeed, each agency head is delegated full discretion in determining how to achieve its

goals, which removes it from APA review. See 5 U.S.C. § 701(a) (permitting APA review

“except to the extent that (1) statutes preclude judicial review; or (2) agency action is committed

to agency discretion by law”); see also Heckler v. Chaney, 470 U.S. 821, 828 (1985). Plaintiffs

have not established standing to sue for injunctive or other equitable relief under the APA and,

therefore, Count 2 will be dismissed.1

B. Can Plaintiffs Maintain Their Claims of Unauthorized Disclosure Under the
Privacy Act?

Defendants move to dismiss Plaintiffs’ Privacy Act unauthorized disclosure

claims because the Code preempts all Privacy Act claims for the unauthorized disclosure of tax

returns and return information. Plaintiffs fail to respond, addressing only whether the Code

preempts a Privacy Act claim that the IRS failed to “safeguard” their personal identity

information. Opp’n at 26-27. The Court, like Defendants, will interpret Plaintiffs’ Complaint as

raising two separate types of Privacy Act claims and will dismiss the unauthorized disclosure

claims because they are preempted by the Code. See 26 U.S.C. §§ 6103(a), 7431; see also

1
In the alternative, the Court finds that the Privacy Act would preempt Plaintiffs’ APA claims
because the prior statute provides the only congressionally-intended legal remedy and neither
injunctive relief nor any other equitable relief is available. “[I]f an adequate remedy at law
exists, equitable relief is not available under the APA.” Cohen v. United States, 650 F.3d 717,
731 (D.C. Cir. 2011).

22
Gardner v. United States, 213 F.3d 735, 742 (D.C. Cir. 2000) (“[Section] 6103 is the exclusive

remedy for a taxpayer claiming unlawful disclosure of his or her tax returns and tax

information.”). Section 6103(a) precludes officers and employees of the United States (and

others) from disclosing any return or return information. Disclosure “means the making known

to any person in any manner whatever a return or return information.” 26 U.S.C. § 6103(b)(8).

Further, at § 7431, the Code specifically provides for civil damages in the event of unauthorized

disclosure of returns and return information. 26 U.S.C. § 7431.

C. Failure to State a Claim

Defendants also seek dismissal of Plaintiffs’ claims for failure to state a claim

upon which relief may be granted. See Fed. R. Civ. P. 12(b)(6).

1. Privacy Act (Count 1)

Defendants argue that Plaintiffs’ Privacy Act claims, both for improper disclosure

and failure to safeguard, must be dismissed for failure to state a claim because Plaintiffs do not

plead actual damages. Defendants explain that actual damages under the Privacy Act are

equivalent to special damages under Federal Rule of Civil Procedure 9(a) and must be pled with

specificity. See FAA v. Cooper, 132 S. Ct. at 1451-52 (“The basic idea is that Privacy Act

victims, like victims of libel per quod or slander, are barred from any recovery unless they can

first show actual—that is, pecuniary or material—harm.”). In opposition, Plaintiffs argue they

did plead actual damages in the form of (1) time spent addressing the data theft from the IRS, (2)

credit monitoring costs, (3) costs associated with actual data theft, and (4) cancelled credit cards.

Defendants reply that none qualifies as actual damages because none is a calculable monetary

loss or “constitute[s] actual damages stemming from the Get Transcript incident.” Reply at 14.

23
 To plead any Privacy Act claim adequately, a plaintiff must plead “actual—that

is, pecuniary or material—harm.” Cooper, 132 S. Ct. at 1451. In this respect, there is no

distinction between Plaintiffs’ separate allegations of Privacy Act violations, whether

unauthorized release of their private information or the alleged failure by the IRS to implement

safeguards to protect their information. The Privacy Act does not allow a claim for damages

based on reputational or emotional harm. Id. at 1454-56 (“[T]he Privacy Act does not

unequivocally authorize an award of damages for mental or emotional distress. Accordingly, the

Act does not waive the Federal Government’s sovereign immunity from liability for such

harms.”). As a result, Plaintiffs must specifically allege actual damages to survive a motion to

dismiss for failure to state a claim.

The Court will not assume actual damages based on a conclusory statement that

Plaintiffs and Class members “have suffered or are at increased risk of suffering from” a list of

potential harms. Am. Compl. ¶ 69. Plaintiffs must specifically allege that they have suffered

calcuable damages to survive Defendants’ motion to dismiss. Plaintiffs allege the following

injuries: (1) false tax returns were filed, (2) future prohibition from e-filing taxes, (3) lost time

spent dealing with the ramifications of the fraud, and (4) heightened risk of further identity

theft.2 None of these allegations details actual pecuniary or material damage. Plaintiffs cite Hill

v. Department of Defense, 70 F. Supp. 3d 17 (D.D.C. 2014), for the proposition that allegations

2
In Opposition, Plaintiffs argue they suffered damages through “out-of-pocket expenses
associated with the detection, investigation, and recovery after actual theft” and “economic loss
due to cancelling credit cards.” Opp’n at 36. These specific allegations, however, are not
included in the Amended Complaint and, if they were, they do not allege actual damages. As
explained in the discussion on standing, injury based on hypothetical future harm is not
sufficient. See Clapper, 133 S. Ct. at 1143. The fact that Plaintiffs chose to spend money on
credit monitoring services to prevent potential future harm does not allege actual damages
attributable to the IRS. See 5 U.S.C. 552a(g)(4); SAIC, 45 F. Supp. 3d at 32.

24
of direct expenses, such as the time spent dealing with an injury, are sufficient to constitute

actual damages. Hill, however, relied on allegations that the plaintiff made actual payments for

medical treatment as a result of intense distress following the loss of her personal information.

Plaintiffs make no equivalent allegations. Plaintiffs’ Privacy Act claims for failure to safeguard

their personal identifying information must be dismissed because they present no claim of actual

damages and thereby fail to state a claim. This same analysis would apply to Plaintiffs’ Privacy

Act claims for unauthorized disclosure were they not precluded by the Code.3

2. Improper Disclosure under the Code

Defendants argue that Plaintiffs’ allegations of improper disclosure under the

Code fail to state a claim because Plaintiffs do not allege a disclosure by an IRS officer or

employee to another individual. Plaintiffs answer that disclosure does not require person-to-

person contact and it was, in this case, made by negligently giving access to return and return

information through the unsecure Get Transcript application.

To allege improper disclosure under the Code, a plaintiff must allege (1) knowing

or negligent, (2) disclosure, (3) of a return or return information in violation of § 6103. See

Fostvedt v. IRS, 824 F. Supp. 978, 983 (D. Colo. 1993), aff’d sub nom. Fostvedt v. United States,

16 F.3d 416 (10th Cir. 1994) (“In order to recover under section 7431 for violations of section

6103, a taxpayer must show by a preponderance of the evidence that: (1) the disclosure was

unauthorized; (2) the disclosure was made knowingly or by reason of negligence; and (3) the

3
Defendants additionally argue that Plaintiffs failed to state a claim of improper disclosure under
the Privacy Act because they have not argued that it was an “intentional or willful” disclosure by
the IRS. To the contrary, Plaintiffs complain that the IRS intentionally and willfully failed to
establish adequate security in the Get Transcript application and thereby exposed their personal
identifying information to one or more hackers. See Am. Compl. ¶¶ 50-68. Nonetheless, the
theft itself was caused by an unknown third party. See In re Dep’t of Veterans Affairs (VA) Data
Theft Litig., No. 06-506, 2007 WL 7621261, at *5-6 (D.D.C. Nov. 16, 2007) (“The theft of the
records does not give rise to a claim for unauthorized disclosure.”).

25
disclosure violated section 6103.” (internal quotations omitted)). Plaintiffs allege, without

contest from Defendants, that their personal identifying information was in their tax returns and

is the type of information as to which § 6103 precludes disclosure.

Defendants’ argument relies on the Code definition of “disclosure,” requiring

disclosure by an IRS officer or employee. Defendants posit that disclosure by an IRS officer or

employee was impossible on these facts because the disclosure was made through the Get

Transcript application, an automated IRS system.

At § 7431(a)(2), the Code allows a cause of action against “any person who is not

an officer or employee of the United States” if that person unlawfully discloses return

information. 26 U.S.C. § 7431(a)(2) (emphasis added). A “person” is defined in the Code as “an

individual, a trust, estate, partnership, association, company or corporation.” 26 U.S.C.

§ 7701(a)(1). Based on this definition, Marsoun v. United States, 525 F. Supp. 2d 206, 213

(D.D.C. 2007) found that § 7431(a)(2) “does not authorize a right of action against a State, its

agencies, or state employees sued in their official capacities (the latter, of course, being no

different than a suit against the state).”

Defendants attempt to conflate § 7431(a)(2)’s cause of action against an

individual not associated with the IRS and the cause of action against the United States permitted

in § 7431(a)(1). Defendants offer no case law specifying that the disclosure considered under

§ 7431(a)(1) must be person-to-person. Disclosure is defined in § 6103(b)(8) as “making known

to any person in any manner,” not making known through personal transfer, which the IRS

would ask this Court to require. Plaintiffs also specifically allege that an individual or

individuals, Commissioner Koskinen and/or Does 1-100, are responsible for the disclosure

through a failure to comply with FISMA and safeguard the Get Transcript application. To the

26
extent an individual is necessary, therefore, Plaintiffs have alleged that an officer or employee

was responsible for the disclosure.

Finally, Defendants argue that Plaintiffs’ disclosure claim under the Code is

actually a failure to safeguard claim, which is not permitted under the Code. Plaintiffs allege that

by designing a software application that could be used to access returns and return information

online, but failing to secure the system adequately, despite TIGTA warnings, the IRS knowingly

or negligently permitted the disclosure of their personal identifying information.

The Court must therefore consider whether Defendants negligently disclosed

Plaintiffs’ return or return information. Plaintiffs ask the Court to use a “zone of danger” test

and accept the allegations that the failure of the IRS to secure the Get Transcript application on

the World Wide Web was negligent and the proximate cause of the disclosure of their personal

identifying information. Defendants reply that Plaintiffs attempt to present a “failure to protect”

claim couched as an “improper disclosure” claim, but the Code does not authorize suit against

the IRS based on a failure to protect. Defendants further argue that Plaintiffs’ attempt to expand

liability under § 7431 to safeguarding claims through a “zone of danger” test would expand the

government’s waiver of sovereign immunity to include a claim not contemplated by the Code.

There must be a valid waiver of the United States’ sovereign immunity before an

individual can sue a federal agency. See Block v. North Dakota, 461 U.S. 273, 287 (1983) (“The

basic rule of federal sovereign immunity is that the United States cannot be sued at all without

the consent of Congress.”). The principles of sovereign immunity apply equally to federal

agencies, officers, and employees acting in their official capacity. See Fed. Deposit Ins. Corp. v.

Meyer, 510 U.S. 471, 475 (1994); Kentucky v. Graham, 473 U.S. 159, 165-66 (1985). This

exemption from suit is expressed in jurisdictional terms—that is, federal courts lack subject

27
matter jurisdiction over suits against the United States in the absence of a clear waiver of

sovereign immunity. See Jackson v. Bush, 448 F. Supp. 2d 198, 200 (D.D.C. 2006) (“[A]

plaintiff must overcome the defense of sovereign immunity in order to establish the jurisdiction

necessary to survive a Rule 12(b)(1) motion to dismiss.”). Statutes that waive sovereign

immunity are strictly construed and any doubt or ambiguity is resolved in favor of immunity.

See Lane v. Pena, 518 U.S. 187, 192 (1996).

All waivers of sovereign immunity are presumed to be limited. Cooper, 132 S.

Ct. at 1448 (“Any ambiguities in the statutory language are to be construed in favor of immunity,

so that the Government’s consent to be sued is never enlarged beyond what a fair reading of the

text requires.”) (internal citations omitted). Plaintiffs’ allegations focus on the alleged

negligence of the IRS and the Commissioner in securing the Get Transcript application and

failing to comply fully with FISMA and the Modernization Act. In order to address the

negligent disclosure theory presented by Plaintiffs, a jury would necessarily first have to

determine if the IRS acted negligently by failing to include additional security protections before

Get Transcript was made available online.

Plaintiffs’ failure to safeguard claim was properly brought under the Privacy Act

and not the Code (and dismissed for the reasons stated above). Likewise, Plaintiffs’ disclosure

claim was properly raised under the Code and not the Privacy Act, because the Code provides a

specific cause of action for individuals harmed by improper disclosures by the IRS. Plaintiffs,

however, attempt to conflate the two claims and extend the Code to a cause of action for which

sovereign immunity has not been waived by forcing the Court and a jury to decide whether the

IRS failed to safeguard and then find that that failure was a negligent act that led to disclosure.

28
The Court reads the text of the Code in favor of immunity and will not extend it to permit

Plaintiffs’ claim. Plaintiffs’ Internal Revenue Code claim (Count 3) will be dismissed.

IV. CONCLUSION

For the reasons stated above, the Court will dismiss all of Ms. DuPree’s claims for

lack of standing and Mses. Welborn and Windrich’s APA claims for lack of standing. Mses.

Welborn and Windrich’s claims of improper disclosure under the Privacy Act will be dismissed

because they are preempted by the Code and their Internal Revenue Act claims will be dismissed

for failure to state a claim. The Court will grant Defendants’ Motion to Dismiss, Dkt. 24. A

memorializing order accompanies this Opinion.

Date: November 2, 2016 /s/
ROSEMARY M. COLLYER
United States District Judge

29