UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF COLUMBIA
)
BECKY WELBORN, et al., )
)
Plaintiffs, )
)
v. ) Civil Action No. 15-1352 (RMC)
)
INTERNAL REVENUE SERVICE, et al., )
)
Defendants. )
)
OPINION
Becky Welborn, Wendy Windrich, and Beth DuPree, on behalf of a proposed
class, allege that the Internal Revenue Service, IRS Commissioner John A. Koskinen, and IRS
employees, identified as Does 1-100, violated their rights under the Privacy Act, 5 U.S.C.
§ 552a; the Administrative Procedure Act, 5 U.S.C. § 701 et seq.; and the Internal Revenue
Code, 26 U.S.C. § 6103, by disclosing or failing to prevent the disclosure of their personal
identification information to third parties. The Defendants have filed a motion to dismiss, which
is meritorious. The Complaint will be dismissed.
I.
A. Background
The IRS administers and enforces the U.S. tax code. The Commissioner’s role is
to “ensure[] that the agency maintains an appropriate balance between taxpayer service and tax
enforcement and administers the tax code with fairness and integrity.” Am. Compl. [Dkt. 22]
¶ 29. In that role, the Commissioner is “responsible for establishing and interpreting tax
administration policy and for developing strategic issues, goals and objectives for managing and
operating the IRS.” Id.
1
The IRS “maintains a significant amount of personal and financial information”
on each taxpayer and is, therefore, obligated to protect the confidentiality of that information. Id.
¶ 36. The Federal Information Security Management Act of 2002 (FISMA), 44 U.S.C. § 3541 et
seq., “was enacted to strengthen the security of information and systems within federal
government agencies,” such as the IRS. Am. Compl. ¶ 36. FISMA requires federal agencies to
evaluate periodically the “agency’s information security programs and practices.” Id. ¶ 37.
FISMA specifically requires:
(1) annual agency program reviews; (2) annual Inspector General
evaluations; (3) agency reporting to the Office of Management and
Budget (“OMB”) the results of Inspector General evaluations for
unclassified software systems; and (4) an annual OMB report to
Congress summarizing the material received from agencies.
Id. To assist Inspectors General in evaluating agency systems, the Department of Homeland
Security (DHS) specified eleven (11) information-security program areas and listed the specific
attribute(s) within each area that should be evaluated. The eleven areas that were identified for
evaluation under FISMA comprised:
(1) continuous monitoring management; (2) configuration
management; (3) identity and access management; (4) incident and
response reporting; (5) risk management; (6) security training; (7)
plan of action and milestones; (8) remote access management; (9)
contingency planning; (10) contractor systems; and (11) security
capital planning.
Id. The Treasury Inspector General for Tax Administration (TIGTA) is responsible for
evaluations of the information security programs at the Department of Treasury, including the
IRS. In its Fiscal Year 2014 FISMA report, TIGTA “found four security programs that were not
fully effective due to one or more DHS guideline program attributes that were not met,” id. ¶ 42,
and that two security program areas “did not meet the level of performance specified by the DHS
guidelines due to the majority of the specified attributes not being met,” id. ¶ 43.
2
The President signed the Federal Information Security Modernization Act of 2014
(“Modernization Act”) into law on December 18, 2014. Pub. L. No. 113-283, 128 Stat. 3073
(2014). This statute amended FISMA, retaining the authority of the Director of the Office of
Management and Budget for oversight and authorizing the Secretary of DHS to administer its
implementation by way of improved security policies and practices across the Executive Branch.
B. Breach of the IRS “Get Transcript” On-Line Program
The IRS launched the Get Transcript online application in January 2014 to allow
“taxpayers to view and print a copy of their prior-year tax information.” Am. Compl. ¶ 31. The
purpose of Get Transcript was “to provide taxpayers with self-service and electronic service
options in the form of web-based tools.” Id. During the 2015 filing season, the Get Transcript
software tool was used by taxpayers “to obtain approximately 23 million copies of their recently
filed tax information.” Id. ¶ 61. The IRS noticed unusual activity in the Get Transcript system
in mid-May 2015, which led to the discovery of “questionable attempts to access the Get
Transcript application.” Id. Get Transcript was shut down on May 21, 2015.
Upon further investigation, the IRS discovered that 330,000 tax-related
documents were stolen during a cyber attack that extended from mid-February to mid-May 2015.
Id. Plaintiffs allege that the Commissioner reported to the U.S. Senate Finance Committee on
June 2, 2015 that “hackers made 200,000 attempts on the ‘Get Transcript’ page, approximately
half of which were successful.” Id. ¶ 5 (emphasis removed). According to reports from the IRS,
one or more individuals succeeded in bypassing the program’s authentication process to access
taxpayer records. Id. ¶ 62. The information stolen included a wide range of taxpayer
information, including personal identification information (identified by the parties as “PII”).
3
Plaintiffs further allege that TIGTA had recommended greater security on Get
Transcript but the IRS chose “to roll out a more simple authentication method to encourage use,”
despite knowing that it “was vulnerable and insecure.” Id. ¶¶ 12-13.
C. Plaintiffs’ Private Data
In June 2015, Ms. Windrich learned of fraud arising from the mis-use of her tax
records when she received a letter from the IRS informing her that an electronic tax return had
been processed and a refund deposited, although Ms. Windrich had submitted her tax return via
the U.S. Postal Service. As a result, Ms. Windrich and her husband “spent more than 30 hours
dealing with the ramifications.” Id. ¶ 76. Ms. Windrich “reasonably believes that her PII was
compromised and obtained by the cybercriminals through the IRS systems.” Id. The IRS now
prohibits her and her husband from submitting electronic tax returns and she alleges that she “is
at a heightened risk of further identity theft requiring her to pay indefinitely for on-going credit
monitoring.” Id.
Over the summer of 2015, Ms. Welborn was alerted to possible fraud through a
duplicate joint tax return that an unknown person or persons submitted to the IRS in her name.
As a result, Ms. Welborn and her husband also “spent dozens of hours dealing with the
ramifications.” Id. ¶ 83. Ms. Welborn “had to change all of their bank account numbers, file a
police report, place fraud alerts with all three credit agencies, file a report with the Federal Trade
Commission, submit a fraud affidavit to the IRS, and request written copies of her family’s credit
reports from the three credit agencies.” Id. As is Ms. Windrich, Ms. Welborn is now prohibited
by the IRS from submitting her tax returns online. She alleges that she “is at a heightened risk of
further identity theft requiring her to pay indefinitely for on-going credit monitoring.” Id. ¶ 84.
4
Ms. DuPree “was notified by a letter dated August 31, 2015 from the IRS that
criminal actors potentially used her personal information to view her tax information through the
IRS’s Get Transcript application on IRS.gov.” Id. ¶ 85. Ms. DuPree and her husband “spent
numerous hours dealing with the ramifications,” id. ¶ 89; specifically, Ms. DuPree “has been the
victim of at least two occasions of fraudulent activity in her financial accounts . . . after the IRS
data breach,” id. Ms. DuPree “had to hire an attorney to investigate the fraudulent activity,” is
no longer eligible for electronic tax return filing, and alleges that she “is at a heightened risk of
further identity theft requiring her to pay indefinitely for on-going credit monitoring.” Id. ¶¶ 90-
91. Overall,
Plaintiffs request damages to compensate them for their current and
future losses and injunctive relief to fix the IRS’s security protocol,
implement TIGTA’s audit recommendations, implement President
Obama’s executive order focused on improving the security of
consumer financial transactions, to [sic] provide adequate credit
monitoring services for a sufficient time period, and to [sic] provide
after-the-fact identity repair services and identity theft insurance to
protect Class members from fraud and/or identity theft.
Id. ¶ 15.
D. Procedural History
Plaintiffs filed an Amended Class Action Complaint on January 6, 2016 seeking
damages and injunctive relief. See Am. Compl. [Dkt. 22]. Plaintiffs allege that (1) Defendants
violated the Privacy Act by intentionally and willfully failing to comply with FISMA and the
Modernization Act, thereby allowing the disclosure of Plaintiffs’ personal identifying
information; (2) Defendants’ failures to comply with FISMA and the Modernization Act were
arbitrary and capricious, or otherwise violated the Administrative Procedure Act (APA); and (3)
Defendants violated the Internal Revenue Code (Code) by disclosing, or allowing the disclosure
of, Plaintiffs’ personal identifying information to criminals. Plaintiffs intend their suit to be a
5
class action and define that class as “[a]ll Tax filers of the United States and their spouses and/or
dependents whose PII was compromised as a result of the ‘Get Transcript’ application data
breach.” Id. ¶ 92.
Defendants moved to dismiss the Amended Complaint for lack of subject matter
jurisdiction, Fed. R. Civ. P. 12(b)(1), and, in the alternative, for failure to state a claim upon which
relief may be granted, Fed. R. Civ. P. 12(b)(6). See Mot. [Dkt. 24]. Plaintiffs have opposed that
motion, see Opp’n [Dkt. 29], and Defendants filed a timely reply. See Reply [Dkt. 30]. The
motion is ripe for review.
E. Jurisdiction and Venue
The Court has jurisdiction over the Privacy Act claims pursuant to 5 U.S.C.
§ 552a(g)(1), the APA claims pursuant to 28 U.S.C. § 1331, and the Internal Revenue Code
claims pursuant to 26 U.S.C. § 6103. Venue is proper pursuant to 28 U.S.C. § 1391(e)(1).
II.
A. Motion to Dismiss
1. Rule 12(b)(1)
Federal Rule of Civil Procedure 12(b)(1) allows a defendant to move to dismiss a
complaint, or any portion thereof, for lack of subject matter jurisdiction. Fed. R. Civ. P.
12(b)(1). No action of the parties can confer subject matter jurisdiction on a federal court
because subject matter jurisdiction is both a statutory requirement and an Article III requirement.
Akinseye v. District of Columbia, 339 F.3d 970, 971 (D.C. Cir. 2003). The party claiming
subject matter jurisdiction bears the burden of demonstrating that such jurisdiction exists. Khadr
v. United States, 529 F.3d 1112, 1115 (D.C. Cir. 2008); see Kokkonen v. Guardian Life Ins. Co.
of Am., 511 U.S. 375, 377 (1994) (noting that federal courts are courts of limited jurisdiction and
6
“[i]t is to be presumed that a cause lies outside this limited jurisdiction, and the burden of
establishing the contrary rests upon the party asserting jurisdiction”).
When reviewing a motion to dismiss for lack of jurisdiction under Rule 12(b)(1),
a court must review the complaint liberally, granting the plaintiff the benefit of all inferences that
can be derived from the facts alleged. Barr v. Clinton, 370 F.3d 1196, 1199 (D.C. Cir. 2004).
Nevertheless, “the Court need not accept factual inferences drawn by plaintiffs if those
inferences are not supported by facts alleged in the complaint, nor must the Court accept
plaintiffs’ legal conclusions.” Speelman v. United States, 461 F. Supp. 2d 71, 73 (D.D.C. 2006).
A court may consider materials outside the pleadings to determine its jurisdiction. Settles v. U.S.
Parole Comm’n, 429 F.3d 1098, 1107 (D.C. Cir. 2005); Coal. for Underground Expansion v.
Mineta, 333 F.3d 193, 198 (D.C. Cir. 2003). A court has “broad discretion to consider relevant
and competent evidence” to resolve factual issues raised by a Rule 12(b)(1) motion. Finca Santa
Elena, Inc. v. U.S. Army Corps of Eng’rs, 873 F. Supp. 2d 363, 368 (D.D.C. 2012) (citing 5B
Charles Wright & Arthur Miller, Fed. Prac. & Pro., Civil § 1350 (3d ed. 2004)); see also
Macharia v. United States, 238 F. Supp. 2d 13, 20 (D.D.C. 2002), aff’d, 334 F.3d 61 (2003) (in
reviewing a factual challenge to the truthfulness of the allegations in a complaint, a court may
examine testimony and affidavits). In such circumstances, consideration of documents outside
the pleadings does not convert the motion to dismiss into one for summary judgment. Al-Owhali
v. Ashcroft, 279 F. Supp. 2d 13, 21 (D.D.C. 2003).
2. Rule 12(b)(6)
A motion to dismiss for failure to state a claim under Fed. R. Civ. P. 12(b)(6)
challenges the adequacy of a complaint on its face. Fed. R. Civ. P. 12(b)(6) (“Every defense to a
claim for relief in any pleading must be asserted in the responsive pleading if one is required.
7
But a party may assert the following defenses by motion: . . . (6) failure to state a claim upon
which relief can be granted[.]”). To survive a motion to dismiss, a complaint must contain
sufficient factual information, accepted as true, to “‘state a claim to relief that is plausible on its
face.’” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550
U.S. 544, 570 (2007)). A court must assume the truth of all well-pleaded factual allegations and
construe reasonable inferences from those allegations in favor of the plaintiff. Sissel v. Dep’t of
Health & Human Servs., 760 F.3d 1, 4 (D.C. Cir. 2014). A court need not accept inferences
drawn by a plaintiff if such inferences are not supported by the facts set out in the complaint.
Kowal v. MCI Commc’ns Corp., 16 F.3d 1271, 1276 (D.C. Cir. 1994). Further, a court does not
need to accept as true legal conclusions set forth in a complaint. Iqbal, 556 U.S. at 678. In
deciding a motion under Rule 12(b)(6), a court may consider the facts alleged in the complaint,
documents attached to the complaint as exhibits or incorporated by reference, and matters about
which the court may take judicial notice. Abhe & Svoboda, Inc. v. Chao, 508 F.3d 1052, 1059
(D.C. Cir. 2007).
B. Privacy Act
The Privacy Act “safeguards the public from unwarranted collection,
maintenance, use and dissemination of personal information contained in agency records by
allowing an individual to participate in ensuring that his records are accurate and properly used.”
Henke v. Dep’t of Commerce, 83 F.3d 1453, 1456 (D.C. Cir. 1996); see also FAA v. Cooper, 132
S. Ct. 1441, 1446 (2012) (noting the “comprehensive and detailed set of requirements” laid out
in the Privacy Act to protect individuals’ personal information). The Privacy Act specifically
prohibits disclosure of “any record which is contained in a system of records by any means of
communication to any person, or to another agency” without the consent of the individual to
8
whom the record pertains or disclosure is otherwise authorized under the Privacy Act. 5 U.S.C.
§ 552a(b). A record is defined as:
any item, collection, or grouping of information about an individual
that is maintained by an agency, including, but not limited to, his
education, financial transactions, medical history, and criminal or
employment history and that contains his name, or the identifying
number, symbol, or other identifying particular assigned to the
individual, such as a finger or voice print or a photograph.
5 U.S.C. § 552a(a)(4). A system of records includes “a group of any records under the control of
any agency from which information is retrieved by the name of the individual or by some
identifying number, symbol, or other identifying particular assigned to the individual.” 5 U.S.C.
§ 552a(a)(5). In addition to prohibiting disclosure, the Privacy Act requires agencies to secure
records by:
establish[ing] appropriate administrative, technical, and physical
safeguards to insure the security and confidentiality of records and
to protect against any anticipated threats or hazards to their security
or integrity which could result in substantial harm, embarrassment,
inconvenience, or unfairness to any individual on whom information
is maintained.
5 U.S.C. § 552a(e)(10).
District courts have jurisdiction over civil actions brought by individuals who
have been adversely affected by a violation of the Privacy Act. See 5 U.S.C. § 552a(g)(1).
Relief is tied to the nature of the violation alleged. Monetary damages are permitted in suits
brought under § 552a(g)(1)(C) or (D) when “the agency acted in a manner which was intentional
or willful.” 5 U.S.C. § 552a(g)(4). Section 552(g)(1)(D) permits monetary damages when an
agency “fails to comply with any other provision of this section, or any rule promulgated
thereunder, in such a way as to have an adverse effect on an individual.” 5 U.S.C.
§ 552a(g)(1)(D).
9
C. Administrative Procedure Act
The APA requires a reviewing court to set aside an agency action that is
“arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law.” 5 U.S.C.
§ 706(2)(A); Tourus Records, Inc. v. Drug Enforcement Admin., 259 F.3d 731, 736 (D.C. Cir.
2001). A claim under the APA can challenge agency action or “fail[ure] to act.” 5 U.S.C. § 702.
While the APA allows a court to compel agency action, it excludes agency action that “is
committed to agency discretion by law.” 5 U.S.C. § 701(a)(2).
In reviewing agency action, a court “must consider whether the [agency’s]
decision was based on a consideration of the relevant factors and whether there has been a clear
error of judgment.” Marsh v. Oregon Natural Res. Council, 490 U.S. 360, 378 (1989) (internal
quotation marks omitted). At a minimum, the agency must have considered relevant data and
articulated an explanation establishing a “rational connection between the facts found and the
choice made.” Bowen v. Am. Hosp. Ass’n, 476 U.S. 610, 626 (1986); see also Pub. Citizen, Inc.
v. Fed. Aviation Admin., 988 F.2d 186, 197 (D.C. Cir. 1993) (“The requirement that agency
action not be arbitrary or capricious includes a requirement that the agency adequately explain its
result.”). An agency action usually is arbitrary or capricious if
the agency has relied on factors which Congress has not intended it
to consider, entirely failed to consider an important aspect of the
problem, offered an explanation for its decision that runs counter to
the evidence before the agency, or is so implausible that it could not
be ascribed to a difference in view or the product of agency
expertise.
Motor Vehicle Mfrs. Ass’n of U.S.v. State Farm Mut. Auto. Ins. Co., 463 U.S. 29, 43 (1983); see
also County of Los Angeles v. Shalala, 192 F.3d 1005, 1021 (D.C. Cir. 1999) (“Where the
agency has failed to provide a reasoned explanation, or where the record belies the agency’s
conclusion, [the court] must undo its action.”).
10
As the Supreme Court has directed, “the scope of review under the ‘arbitrary and
capricious’ standard is narrow and a court is not to substitute its judgment for that of the
agency.” Motor Vehicle Mfrs. Ass’n, 463 U.S. at 43. Rather, the agency action under review is
“entitled to a presumption of regularity.” Citizens to Pres. Overton Park, Inc. v. Volpe, 401 U.S.
402, 415 (1971), abrogated on other grounds by Califano v. Sanders, 430 U.S. 99 (1977). If the
district court can “reasonably discern” the agency’s path, it should uphold the agency’s decision.
Pub. Citizen, 988 F.2d at 197.
D. Internal Revenue Code
The Code provides for the protection of tax returns and return information and
authorizes civil suit and remedies for unauthorized disclosure of such information. Section 6103
provides that “[r]eturns and return information shall be confidential” and not disclosed unless
authorized under the Code. 26 U.S.C. § 6103(a). The Code allows a civil action for improper
disclosure when “any officer or employee of the United States knowingly, or by reason of
negligence, inspects or discloses any return or return information with respect to a taxpayer in
violation of any provision of section 6103.” 26 U.S.C. § 7431(a)(1). Section 6103 states that
disclosure “means the making known to any person in any manner whatever a return or return
information.” 26 U.S.C. § 6103(b)(8). “Returns and return information” is broadly defined to
include everything from a completed tax return submitted by a taxpayer to “a taxpayer’s identity,
the nature, source, or amount of his income, payments, receipts, deductions, exemptions, credits,
. . . or any other data, received by, recorded by, prepared by, furnished to, or collected by the
Secretary with respect to a return.” 26 U.S.C. § 6103(b)(1), (b)(2)(A). If a plaintiff succeeds on
a claim under § 7431, they may receive:
11
(1) the greater of—
(A) $1,000 for each act of unauthorized inspection or disclosure of
a return or return information with respect to which such defendant
is found liable, or
(B) the sum of—(i) the actual damages sustained by the plaintiff as
a result of such unauthorized inspection or disclosure, plus (ii) in the
case of a willful inspection or disclosure or an inspection or
disclosure which is the result of gross negligence, punitive damages,
plus
(2) the costs of the action, plus
(3) in the case of a plaintiff which is described in section
7430(c)(4)(A)(ii), reasonable attorneys fees, except that if the
defendant is the United States, reasonable attorneys fees may be
awarded only if the plaintiff is the prevailing party (as determined
under section 7430(c)(4)).
26 U.S.C. § 7431(c).
III.
A. Do Plaintiffs Have Standing to Sue?
Standing is part and parcel of Article III’s limitation on the judicial power of the
federal courts and extends only to cases or controversies. U.S. Const. art. III, § 2 (“The judicial
Power shall extend to all Cases, in Law and Equity, arising under this Constitution, the Laws of
the United States, and Treaties made, or which shall be made, under their Authority [and] to
Controversies . . . .”); Ariz. State Legislature v. Ariz. Indep. Redistricting Comm’n, 135 S. Ct.
2652, 2663 (2015). The strictures of Article III standing are by now “familiar.” United States v.
Windsor, 133 S. Ct. 2675, 2685 (2013). Standing requires (1) the plaintiff to have suffered an
injury in fact that is both (a) concrete and particularized and (b) actual or imminent, as opposed
to conjectural or hypothetical; (2) the injury must be traceable to the defendants’ actions; and (3)
the injury must be redressable by a favorable decision of the court. See id. at 2685-86 (citing
Lujan v. Defenders of Wildlife, 504 U.S. 555, 559-62 (1992)). In the context of a putative class
12
action, all named plaintiffs “must allege and show that they personally have been injured, not
that injury has been suffered by other, unidentified members of the class to which they belong
and which they purport to represent.” Warth v. Seldin, 422 U.S. 490, 502 (1975) (emphasis
added).
A federal court must assure itself of both constitutional and statutory subject
matter jurisdiction. The former obtains if the case is one “arising under this Constitution, the
Laws of the United States, and Treaties made, or which shall be made, under their Authority.”
U.S. Const. art. III, § 2. The relevant statute, 28 U.S.C. § 1331, likewise confers jurisdiction
upon lower courts to hear “all civil actions arising under the Constitution, laws, or treaties of the
United States.” Federal courts have constitutional and statutory “arising under” jurisdiction
whenever a plaintiff’s claim “will be sustained if the Constitution is given one construction and
will be defeated if it is given another.” Powell v. McCormack, 395 U.S. 486, 514-16 (1969)
(citing Bell v. Hood, 327 U.S. 678, 685 (1946) and King Cnty. v. Seattle Sch. Dist. No. 1, 263
U.S. 361, 363-64 (1923)).
1. Injury-in-Fact
A plaintiff must allege an injury-in-fact that is (a) concrete and particularized and
(b) actual or imminent, not conjectural or hypothetical. See Windsor, 133 S. Ct. at 2685 (citing
Lujan, 504 U.S. at 559-62). Allegations of speculative or possible future injury do not satisfy the
requirements of Article III. “A threatened injury must be certainly impending to constitute
injury in fact.” Whitmore v. Arkansas, 495 U.S. 149, 158 (1990) (internal quotations omitted).
When an alleged injury has not yet occurred, courts must determine whether it is
imminent. Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1147 (2013). An injury is imminent
if the threatened injury is “certainly impending” or if there is substantial risk that the harm will
occur. Id. “[P]laintiffs bear the burden of pleading . . . concrete facts showing that the
13
defendant’s actual action has caused the substantial risk of harm. Plaintiffs cannot rely on
speculation about the unfettered choices made by independent actors not before the court.” Id. at
1150 n. 5 (internal quotation and citation omitted). Plaintiffs also “cannot manufacture standing
merely by inflicting harm on themselves based on their fears of hypothetical future harm that is
not certainly impending.” Id. at 1151.
Defendants argue that Plaintiffs Welborn and Windrich have failed to allege an
injury-in-fact sufficient to satisfy the requirements for standing under Article III. In this regard,
Defendants contend: (1) the filing of fraudulent tax returns by a criminal; (2) the risk of future
economic harm; (3) the costs to monitor and evaluate their credit; and (4) the alleged diminished
value of these Plaintiffs’ personal identifying information are not legally cognizable injuries.
Plaintiffs respond that Mses. Welborn and Windrich adequately plead injury-in-fact because they
suffered actual identity theft in the form of false tax returns filed in their names and that, due to
the substantial risk of future economic harm, they have already reasonably incurred costs to
evaluate and mitigate that risk.
Plaintiffs cite In re Science Applications International Corp. Backup Tape Data
Theft Litigation, 45 F. Supp. 3d 14, 26 (D.D.C. 2014) (SAIC), which the Court finds instructive
here. SAIC concerned the theft of a backup tape that contained the names and social security
numbers of 4.7 million members of the U.S. military and their families. In the many subsequent
lawsuits against the government and SAIC, a government contractor from whom the tape was
stolen, the plaintiffs plead the risk of future harm and the costs to monitor their credit and
prevent future harm as cognizable injuries-in-fact. Judge James E. Boasberg of this Court
evaluated each Plaintiff’s standing in light of Clapper v. Amnesty International USA, 135 S. Ct.
1138 (2013), and held that neither the risk of future identity theft nor costs to monitor and
14
prevent future harm conferred Article III standing. In comparison, as to those SAIC plaintiffs
who had already suffered instances of identity theft, the court found a clear injury that supported
standing to sue. 45 F. Supp. 3d at 25. Because Mses. Welborn and Windrich both allege that
they have suffered actual identity theft when someone filed false tax returns (and claimed
fraudulent refunds) in their names, each of these Plaintiffs has plead sufficient injury-in-fact to
establish standing. See Am. Compl. ¶¶ 71-73, 79. As the IRS does not dispute that Ms. DuPree
has alleged an injury in fact—she “has been the victim of at least two occasions of fraudulent
activity in her financial accounts, one of which resulted in the removal of funds from a personal
financial account, which occurred after the IRS data breach,” id. ¶ 89—all three Plaintiffs have
alleged sufficient injury-in-fact.
Plaintiffs’ other alleged injuries are too ephemeral to suffice under Clapper.
Plaintiffs rest largely on the theory that they suffer an increased threat of future identity theft and
fraud as a result of the IRS security breach. See id. ¶¶ 76, 83-84, 90-91; Opp’n at 15. Clapper
has already instructed that a party cannot claim injury-in-fact based on hypothetical future harm
that is not “certainly impending.” 133 S. Ct. at 1143; see also Whitmore, 495 U.S. at 158.
Plaintiffs have not alleged facts from which a plausible inference could be drawn that they face
imminent harm that is “certainly impending.” The likelihood that any Plaintiff will suffer
additional harm remains entirely speculative and depends on the decisions and actions of one or
more independent, and unidentified, actor(s). See Clapper, 133 S. Ct. at 1150. Thus, Plaintiffs’
allegations that they face an increased risk of future harm does not satisfy Article III.
In addition, general anxiety does not establish standing. See Am. Compl. ¶¶ 74
(alleging that “Plaintiff Windrich is reasonably concerned about her and her husband’s future”);
81 (alleging that “Plaintiff Welborn is reasonably concerned about her and her husband’s future
15
. . . as the family’s PII was in their stolen tax data”); and 88 (alleging that “Plaintiff DuPree is
reasonably concerned about her and her spouse’s . . . future”). An “objectively reasonable
likelihood” of future harm does not establish standing in the present time, despite legitimate
anxiety that ill might befall an individual. Clapper, 133 S. Ct. at 1147-48. Even if their fears are
rational, this uncertain and inchoate risk does not confer standing. See SAIC, 45 F. Supp. 3d at
26; see also Fernandez v. Leidos, Inc., 127 F. Supp. 3d 1078, 1088 (E.D. Cal. 2015) (rejecting
claim that theft of information established that plaintiff “suffers from a substantial risk of
imminent future harm”); In re Zappos.com, Inc., 108 F. Supp. 3d 949, 954-55 (D. Nev. 2015)
(finding no standing where the last four digits of credit card numbers of 24 million customers
were stolen, without allegations of unauthorized purchases or other signs of misuse).
Plaintiffs also allege injury based on the time and money spent monitoring and
assessing the potential risk of future harm. See Am. Compl. ¶¶ 76, 83, 89. However, “the cost
involved in preventing future harm” does not constitute an injury-in-fact. SAIC, 45 F. Supp. 3d
at 26 (emphasis in original).
These legal maxims were clearly established in Clapper, if not before. The
Supreme Court held that proactive measures based on “fears of . . . future harm that is not
certainly impending” do not create an injury in fact, even where such fears are not unfounded.
Clapper, 133 S. Ct. at 1151. In other words, Plaintiffs cannot create standing by “inflicting harm
on themselves” to ward off a speculative future injury. Id.; see also Reilly v. Ceridian Corp., 664
F.3d 38, 45 (3d Cir. 2011) (finding that “Appellants’ alleged time and money expenditures to
monitor their financial information did not establish standing, because costs incurred to watch for
a speculative chain of future events based on hypothetical future criminal acts are no more
16
‘actual’ injuries than the alleged ‘increased risk of injury’ which forms the basis for Appellants’
claims”).
Finally, Plaintiffs claim as injury the “diminished value of their PII.” Opp’n at
15. Courts have routinely rejected the proposition that an individual’s personal identifying
information has an independent monetary value. See, e.g. Remijas v. Neiman Marcus Group,
LLC, 794 F.3d 688, 697 (7th Cir. 2015) (finding no standing from “such an abstract injury,
particularly since the complaint does not suggest that the plaintiffs could sell their personal
information for value”); In re Zappos.com, Inc., 108 F. Supp. 3d at 954; Low v. LinkedIn Corp.,
900 F. Supp. 2d 1010, 1029 (N.D. Cal. 2012) (finding such allegations “too abstract and
speculative to support Article III standing”).
If, contrary to the necessity of an injury-in-fact, one could assume that Plaintiffs’
personal identifying information had economic value, Plaintiffs do not allege facts to support the
inference of their allegation that their personal information became less valuable as a result of
the IRS breach or that they attempted to sell their information and were rebuffed because of a
lower price-point attributable to the breach. See SAIC, 45 F. Supp. 3d at 30; Zappos.com, 108 F.
Supp. 3d at 954. These allegations do not establish an injury-in-fact.
2. Causation
Causation is the second element of standing and just as critical as an injury-in-
fact. Causation requires “a causal connection between the injury and the conduct complained
of.” Lujan, 504 U.S. at 560. The harm alleged must be “fairly traceable to the challenged action
of the defendant, and not the result of the independent action of some third party not before the
court.” Bennett v. Spear, 520 U.S. 154, 167 (1997). Because the fraud alleged here was
committed by third parties and not Defendants, Plaintiffs must also allege facts to show that,
absent the alleged unlawful actions by the IRS (in alleged violation of the Privacy Act, the APA
17
and/or the Code), “there is a substantial probability that they would not be injured.’” Chamber of
Commerce v. EPA, 642 F.3d 192, 201 (D.C. Cir. 2011) (quoting Warth, 422 U.S. at 504). In
other words, to demonstrate causation, Plaintiffs must put forward facts showing that their
injuries can be traced to the specific data incident of which they complain and not to any
previous theft or data loss incident. See SAIC, 45 F. Supp. 3d at 32. At a minimum, they must
allege facts that indicate that the information stolen from the Defendants in the Get Transcript
breach is the same type of information used to commit their injuries. See id. at 31-32.
Ms. Windrich alleges that “the IRS told her that the fraudulent tax return [filed in
the Windriches’ names] had very specific and personal information that had to be taken from her
prior two years’ income tax returns” and “the information supplied in the fraudulent tax return
could only have come from the Get Transcript application.” Am. Compl. ¶ 73. At the point of a
motion to dismiss, a court credits all well-pled facts and gives a plaintiff the benefit of all
reasonable inferences that might be drawn from such facts. See Sissel, 760 F.3d at 4. Ms.
Windrich has alleged sufficient facts that, if proved, would tend to show that the information
used in the fraudulent tax return was of the same type that was stolen from the Get Transcript
application and, therefore, has plead the necessary causal connection.
Ms. Welborn alleges that an “IRS representative explained to [her] that someone
had filed a duplicate joint [tax] return using her and her husband’s social security numbers” and
“that the fraudulent party had requested a transcript of Plaintiff Welborn’s taxes through the Get
Transcript application.” Am. Compl. ¶ 79. Again, taking the well-pled factual assertions as true,
the Court finds Ms. Welborn has also alleged a sufficient causal connection to support her
standing to sue.
18
Finally, Ms. DuPree alleges: (1) that she “was notified by a letter dated August
31, 2015 from the IRS that criminal actors potentially used her personal information to view her
tax information through the IRS’s Get Transcript application”; (2) that she “has never been
notified by any other entity that her PII had been compromised”; and (3) that she has been the
victim of “at least two occasions of fraudulent activity in her financial accounts, one of which
resulted in the removal of funds from a personal financial account, which occurred after the IRS
data breach.” Id. ¶¶ 85-86, 89. These allegations alone do not sufficiently connect the Get
Transcript incident to the removal of funds from Ms. DuPree’s account. It is not clear that the
type of data obtained from the theft of Get Transcript information was necessarily used in the
removal of funds. See SAIC, 45 F. Supp. 3d at 31. Ms. DuPree simply alleges that the alleged
financial fraud happened after the Get Transcript breach. See Am. Compl. ¶ 89; see also Resnick
v. AvMed, Inc., 693 F.3d 1317, 1326 (11th Cir. 2012) (holding that “to prove that a data breach
caused identity theft, the pleadings must include allegations of a nexus between the two instances
beyond allegations of time and sequence”).
Recognizing this problem, Ms. DuPree attempts to supplement the Amended
Complaint by submitting a declaration with her opposition. See Declaration of Michele M.
Vercoski (Vercoski Decl.) [Dkt. 29-1]. In appropriate cases, a district court may “dispose of a
motion to dismiss for lack of subject matter jurisdiction under Fed. R. Civ. P. 12(b)(1) on the
complaint standing alone. But where necessary, the court may consider the complaint
supplemented by undisputed facts evidenced in the record, or the complaint supplemented by
undisputed facts plus the court’s resolution of disputed facts.” Herbert v. Nat’l Acad. of Scis.,
974 F.2d 192, 197 (D.C. Cir. 1992); but see Sloan v. Urban Title Sers., Inc., 689 F. Supp. 2d 94,
114 (D.D.C. 2010) (finding that plaintiff “cannot amend her complaint through her opposition
19
briefing”). However, when considering a motion to dismiss for lack of subject matter
jurisdiction, a court cannot “‘rely on conclusory or hearsay statements contained in the
affidavits.’” See Treiber v. Aspen Dental Mgmt., Inc., 94 F. Supp. 3d 352, 361 (N.D.N.Y. 2015)
(quoting J.S. ex rel. N.S. v. Attica Cent. Schs., 386 F.3d 107, 110 (2d Cir. 2004)).
The Vercoski Declaration is submitted by counsel for Ms. DuPree and advances
hearsay and conclusory statements. Although counsel can swear to the existence of IRS letters
due to her “personal knowledge” of the evidence in the case, Ms. Vercoski cannot attest to Ms.
DuPree’s conversations with others or her thoughts about the cause of fraudulent attempts on her
retirement account. The Vercoski Declaration states that Ms. DuPree filed a police report and
“explained that the IRS’s data breach, which would have indicated her retirement account
information, was responsible for the fraud.” Vercoski Decl. ¶ 9. Besides the obvious hearsay,
the phrase “would have indicated” is in the subjective tense and does not state a fact. The Court
cannot assume a critical element to establish causation and standing. Ms. DuPree’s allegations
will be dismissed.
3. Redressability
The last element of standing is redressability, requiring that it “be likely, as
opposed to merely speculative, that the injury will be redressed by a favorable decision.” Lujan,
504 U.S. at 561 (internal quotations and citation omitted); see also SAIC, 45 F. Supp. 3d at 33.
Mses. Welborn and Windrich claim injury based on a misuse of their personal identifying
information to file a fraudulent tax return. Any harms might be redressed through a monetary
award. Therefore, Mses. Welborn and Windrich have standing to sue for monetary damages.
4. Do Plaintiffs Have Standing to Obtain an Injunction Under the APA?
To allege a case or controversy justifying an injunction, a plaintiff must allege
more than “past exposure to illegal conduct.” City of Los Angeles v. Lyons, 461 U.S. 95, 102
20
(1983) (internal quotations and citation omitted). City of Los Angeles v. Lyons involved claims
by Mr. Lyons that the L.A. police had unreasonably put him in a chokehold that injured his
larynx. The D.C. Circuit has summarized the holding in City of Los Angeles to wit: “while
Lyons could maintain a suit for damages, he could not maintain his suit for an injunction because
he ‘has made no showing that he is realistically threatened by a repetition of his experience.’”
Fair Emp’t Council of Greater Washington, Inc. v. BMC Mktg. Corp., 28 F.3d 1268, 1272 (D.C.
Cir. 1994) (discussing City of Los Angeles). “To pursue an injunction or a declaratory judgment,
. . . plaintiffs must allege a likelihood of future violations of their rights by [the IRS], not simply
future effects from past violations.” Id. at 1273 (emphasis in original); see also Dearth v.
Holder, 641 F.3d 499, 501 (D.C. Cir. 2011) (finding a plaintiff “must show he is suffering an
ongoing injury or faces an immediate threat of [future] injury”); Peterson v. Transp. Workers
Union of Am., AFL-CIO, 75 F. Supp. 3d 131, 136 n.2 (D.D.C. 2014) (“[A] plaintiff seeking a
declaratory judgment must still present a ‘substantial controversy . . . of sufficient immediacy
and reality’ in order to have standing.”) (quoting Fed. Exp. Corp. v. Air Line Pilots Ass’n, 67
F.3d 961, 964 (D.C. Cir. 1995)).
This legal principle is well established. “[W]hen a plaintiff seeks injunctive or
declaratory relief specifically for the purpose of challenging an alleged policy or practice of a
government agency, the plaintiff must demonstrate that it is ‘realistically threatened by a
repetition of its experience.’” Afifi v. Lynch, 101 F. Supp. 3d 90, 108-09 (D.D.C. 2015) (quoting
Haase v. Sessions, 835 F.2d 902, 910-11 (D.C. Cir. 1987)). Plaintiffs must plead a “real or
immediate” threat of repetition, not merely “a nebulous assertion of the existence of a ‘policy’”
and a likelihood that they will “be subjected to the policy again.” Haase, 835 F.2d at 911; see
also Lyons, 461 U.S. at 102-06; Golden v. Zwickler, 394 U.S. 103, 109 (1969). Get Transcript
21
was withdrawn in May 2015 and Plaintiffs make no allegation that the IRS continues to allow
access to their personal identifying information. The allegations that the IRS failed to comply
with FISMA or the Modernization Act do not help. FISMA is a peculiarly hortatory statute
directed to federal executives to protect federal information technology for the benefit of the
federal government. There is no private right of action under FISMA or the Modernization Act
and, indeed, each agency head is delegated full discretion in determining how to achieve its
goals, which removes it from APA review. See 5 U.S.C. § 701(a) (permitting APA review
“except to the extent that (1) statutes preclude judicial review; or (2) agency action is committed
to agency discretion by law”); see also Heckler v. Chaney, 470 U.S. 821, 828 (1985). Plaintiffs
have not established standing to sue for injunctive or other equitable relief under the APA and,
therefore, Count 2 will be dismissed.1
B. Can Plaintiffs Maintain Their Claims of Unauthorized Disclosure Under the
Privacy Act?
Defendants move to dismiss Plaintiffs’ Privacy Act unauthorized disclosure
claims because the Code preempts all Privacy Act claims for the unauthorized disclosure of tax
returns and return information. Plaintiffs fail to respond, addressing only whether the Code
preempts a Privacy Act claim that the IRS failed to “safeguard” their personal identity
information. Opp’n at 26-27. The Court, like Defendants, will interpret Plaintiffs’ Complaint as
raising two separate types of Privacy Act claims and will dismiss the unauthorized disclosure
claims because they are preempted by the Code. See 26 U.S.C. §§ 6103(a), 7431; see also
1
In the alternative, the Court finds that the Privacy Act would preempt Plaintiffs’ APA claims
because the prior statute provides the only congressionally-intended legal remedy and neither
injunctive relief nor any other equitable relief is available. “[I]f an adequate remedy at law
exists, equitable relief is not available under the APA.” Cohen v. United States, 650 F.3d 717,
731 (D.C. Cir. 2011).
22
Gardner v. United States, 213 F.3d 735, 742 (D.C. Cir. 2000) (“[Section] 6103 is the exclusive
remedy for a taxpayer claiming unlawful disclosure of his or her tax returns and tax
information.”). Section 6103(a) precludes officers and employees of the United States (and
others) from disclosing any return or return information. Disclosure “means the making known
to any person in any manner whatever a return or return information.” 26 U.S.C. § 6103(b)(8).
Further, at § 7431, the Code specifically provides for civil damages in the event of unauthorized
disclosure of returns and return information. 26 U.S.C. § 7431.
C. Failure to State a Claim
Defendants also seek dismissal of Plaintiffs’ claims for failure to state a claim
upon which relief may be granted. See Fed. R. Civ. P. 12(b)(6).
1. Privacy Act (Count 1)
Defendants argue that Plaintiffs’ Privacy Act claims, both for improper disclosure
and failure to safeguard, must be dismissed for failure to state a claim because Plaintiffs do not
plead actual damages. Defendants explain that actual damages under the Privacy Act are
equivalent to special damages under Federal Rule of Civil Procedure 9(a) and must be pled with
specificity. See FAA v. Cooper, 132 S. Ct. at 1451-52 (“The basic idea is that Privacy Act
victims, like victims of libel per quod or slander, are barred from any recovery unless they can
first show actual—that is, pecuniary or material—harm.”). In opposition, Plaintiffs argue they
did plead actual damages in the form of (1) time spent addressing the data theft from the IRS, (2)
credit monitoring costs, (3) costs associated with actual data theft, and (4) cancelled credit cards.
Defendants reply that none qualifies as actual damages because none is a calculable monetary
loss or “constitute[s] actual damages stemming from the Get Transcript incident.” Reply at 14.
23
To plead any Privacy Act claim adequately, a plaintiff must plead “actual—that
is, pecuniary or material—harm.” Cooper, 132 S. Ct. at 1451. In this respect, there is no
distinction between Plaintiffs’ separate allegations of Privacy Act violations, whether
unauthorized release of their private information or the alleged failure by the IRS to implement
safeguards to protect their information. The Privacy Act does not allow a claim for damages
based on reputational or emotional harm. Id. at 1454-56 (“[T]he Privacy Act does not
unequivocally authorize an award of damages for mental or emotional distress. Accordingly, the
Act does not waive the Federal Government’s sovereign immunity from liability for such
harms.”). As a result, Plaintiffs must specifically allege actual damages to survive a motion to
dismiss for failure to state a claim.
The Court will not assume actual damages based on a conclusory statement that
Plaintiffs and Class members “have suffered or are at increased risk of suffering from” a list of
potential harms. Am. Compl. ¶ 69. Plaintiffs must specifically allege that they have suffered
calcuable damages to survive Defendants’ motion to dismiss. Plaintiffs allege the following
injuries: (1) false tax returns were filed, (2) future prohibition from e-filing taxes, (3) lost time
spent dealing with the ramifications of the fraud, and (4) heightened risk of further identity
theft.2 None of these allegations details actual pecuniary or material damage. Plaintiffs cite Hill
v. Department of Defense, 70 F. Supp. 3d 17 (D.D.C. 2014), for the proposition that allegations
2
In Opposition, Plaintiffs argue they suffered damages through “out-of-pocket expenses
associated with the detection, investigation, and recovery after actual theft” and “economic loss
due to cancelling credit cards.” Opp’n at 36. These specific allegations, however, are not
included in the Amended Complaint and, if they were, they do not allege actual damages. As
explained in the discussion on standing, injury based on hypothetical future harm is not
sufficient. See Clapper, 133 S. Ct. at 1143. The fact that Plaintiffs chose to spend money on
credit monitoring services to prevent potential future harm does not allege actual damages
attributable to the IRS. See 5 U.S.C. 552a(g)(4); SAIC, 45 F. Supp. 3d at 32.
24
of direct expenses, such as the time spent dealing with an injury, are sufficient to constitute
actual damages. Hill, however, relied on allegations that the plaintiff made actual payments for
medical treatment as a result of intense distress following the loss of her personal information.
Plaintiffs make no equivalent allegations. Plaintiffs’ Privacy Act claims for failure to safeguard
their personal identifying information must be dismissed because they present no claim of actual
damages and thereby fail to state a claim. This same analysis would apply to Plaintiffs’ Privacy
Act claims for unauthorized disclosure were they not precluded by the Code.3
2. Improper Disclosure under the Code
Defendants argue that Plaintiffs’ allegations of improper disclosure under the
Code fail to state a claim because Plaintiffs do not allege a disclosure by an IRS officer or
employee to another individual. Plaintiffs answer that disclosure does not require person-to-
person contact and it was, in this case, made by negligently giving access to return and return
information through the unsecure Get Transcript application.
To allege improper disclosure under the Code, a plaintiff must allege (1) knowing
or negligent, (2) disclosure, (3) of a return or return information in violation of § 6103. See
Fostvedt v. IRS, 824 F. Supp. 978, 983 (D. Colo. 1993), aff’d sub nom. Fostvedt v. United States,
16 F.3d 416 (10th Cir. 1994) (“In order to recover under section 7431 for violations of section
6103, a taxpayer must show by a preponderance of the evidence that: (1) the disclosure was
unauthorized; (2) the disclosure was made knowingly or by reason of negligence; and (3) the
3
Defendants additionally argue that Plaintiffs failed to state a claim of improper disclosure under
the Privacy Act because they have not argued that it was an “intentional or willful” disclosure by
the IRS. To the contrary, Plaintiffs complain that the IRS intentionally and willfully failed to
establish adequate security in the Get Transcript application and thereby exposed their personal
identifying information to one or more hackers. See Am. Compl. ¶¶ 50-68. Nonetheless, the
theft itself was caused by an unknown third party. See In re Dep’t of Veterans Affairs (VA) Data
Theft Litig., No. 06-506, 2007 WL 7621261, at *5-6 (D.D.C. Nov. 16, 2007) (“The theft of the
records does not give rise to a claim for unauthorized disclosure.”).
25
disclosure violated section 6103.” (internal quotations omitted)). Plaintiffs allege, without
contest from Defendants, that their personal identifying information was in their tax returns and
is the type of information as to which § 6103 precludes disclosure.
Defendants’ argument relies on the Code definition of “disclosure,” requiring
disclosure by an IRS officer or employee. Defendants posit that disclosure by an IRS officer or
employee was impossible on these facts because the disclosure was made through the Get
Transcript application, an automated IRS system.
At § 7431(a)(2), the Code allows a cause of action against “any person who is not
an officer or employee of the United States” if that person unlawfully discloses return
information. 26 U.S.C. § 7431(a)(2) (emphasis added). A “person” is defined in the Code as “an
individual, a trust, estate, partnership, association, company or corporation.” 26 U.S.C.
§ 7701(a)(1). Based on this definition, Marsoun v. United States, 525 F. Supp. 2d 206, 213
(D.D.C. 2007) found that § 7431(a)(2) “does not authorize a right of action against a State, its
agencies, or state employees sued in their official capacities (the latter, of course, being no
different than a suit against the state).”
Defendants attempt to conflate § 7431(a)(2)’s cause of action against an
individual not associated with the IRS and the cause of action against the United States permitted
in § 7431(a)(1). Defendants offer no case law specifying that the disclosure considered under
§ 7431(a)(1) must be person-to-person. Disclosure is defined in § 6103(b)(8) as “making known
to any person in any manner,” not making known through personal transfer, which the IRS
would ask this Court to require. Plaintiffs also specifically allege that an individual or
individuals, Commissioner Koskinen and/or Does 1-100, are responsible for the disclosure
through a failure to comply with FISMA and safeguard the Get Transcript application. To the
26
extent an individual is necessary, therefore, Plaintiffs have alleged that an officer or employee
was responsible for the disclosure.
Finally, Defendants argue that Plaintiffs’ disclosure claim under the Code is
actually a failure to safeguard claim, which is not permitted under the Code. Plaintiffs allege that
by designing a software application that could be used to access returns and return information
online, but failing to secure the system adequately, despite TIGTA warnings, the IRS knowingly
or negligently permitted the disclosure of their personal identifying information.
The Court must therefore consider whether Defendants negligently disclosed
Plaintiffs’ return or return information. Plaintiffs ask the Court to use a “zone of danger” test
and accept the allegations that the failure of the IRS to secure the Get Transcript application on
the World Wide Web was negligent and the proximate cause of the disclosure of their personal
identifying information. Defendants reply that Plaintiffs attempt to present a “failure to protect”
claim couched as an “improper disclosure” claim, but the Code does not authorize suit against
the IRS based on a failure to protect. Defendants further argue that Plaintiffs’ attempt to expand
liability under § 7431 to safeguarding claims through a “zone of danger” test would expand the
government’s waiver of sovereign immunity to include a claim not contemplated by the Code.
There must be a valid waiver of the United States’ sovereign immunity before an
individual can sue a federal agency. See Block v. North Dakota, 461 U.S. 273, 287 (1983) (“The
basic rule of federal sovereign immunity is that the United States cannot be sued at all without
the consent of Congress.”). The principles of sovereign immunity apply equally to federal
agencies, officers, and employees acting in their official capacity. See Fed. Deposit Ins. Corp. v.
Meyer, 510 U.S. 471, 475 (1994); Kentucky v. Graham, 473 U.S. 159, 165-66 (1985). This
exemption from suit is expressed in jurisdictional terms—that is, federal courts lack subject
27
matter jurisdiction over suits against the United States in the absence of a clear waiver of
sovereign immunity. See Jackson v. Bush, 448 F. Supp. 2d 198, 200 (D.D.C. 2006) (“[A]
plaintiff must overcome the defense of sovereign immunity in order to establish the jurisdiction
necessary to survive a Rule 12(b)(1) motion to dismiss.”). Statutes that waive sovereign
immunity are strictly construed and any doubt or ambiguity is resolved in favor of immunity.
See Lane v. Pena, 518 U.S. 187, 192 (1996).
All waivers of sovereign immunity are presumed to be limited. Cooper, 132 S.
Ct. at 1448 (“Any ambiguities in the statutory language are to be construed in favor of immunity,
so that the Government’s consent to be sued is never enlarged beyond what a fair reading of the
text requires.”) (internal citations omitted). Plaintiffs’ allegations focus on the alleged
negligence of the IRS and the Commissioner in securing the Get Transcript application and
failing to comply fully with FISMA and the Modernization Act. In order to address the
negligent disclosure theory presented by Plaintiffs, a jury would necessarily first have to
determine if the IRS acted negligently by failing to include additional security protections before
Get Transcript was made available online.
Plaintiffs’ failure to safeguard claim was properly brought under the Privacy Act
and not the Code (and dismissed for the reasons stated above). Likewise, Plaintiffs’ disclosure
claim was properly raised under the Code and not the Privacy Act, because the Code provides a
specific cause of action for individuals harmed by improper disclosures by the IRS. Plaintiffs,
however, attempt to conflate the two claims and extend the Code to a cause of action for which
sovereign immunity has not been waived by forcing the Court and a jury to decide whether the
IRS failed to safeguard and then find that that failure was a negligent act that led to disclosure.
28
The Court reads the text of the Code in favor of immunity and will not extend it to permit
Plaintiffs’ claim. Plaintiffs’ Internal Revenue Code claim (Count 3) will be dismissed.
IV. CONCLUSION
For the reasons stated above, the Court will dismiss all of Ms. DuPree’s claims for
lack of standing and Mses. Welborn and Windrich’s APA claims for lack of standing. Mses.
Welborn and Windrich’s claims of improper disclosure under the Privacy Act will be dismissed
because they are preempted by the Code and their Internal Revenue Act claims will be dismissed
for failure to state a claim. The Court will grant Defendants’ Motion to Dismiss, Dkt. 24. A
memorializing order accompanies this Opinion.
Date: November 2, 2016 /s/
ROSEMARY M. COLLYER
United States District Judge
29