In a significant legal development, on February 18, 2025, U.S. District Judge Tanya Chutkan denied a request from a coalition of Democratic state attorneys general to temporarily block Elon Musk and the Department of Government Efficiency (DOGE) from accessing federal data systems and implementing layoffs within federal agencies. The plaintiffs argued that Musk’s involvement with DOGE, an entity not created by Congress, violated the Constitution’s Appointments Clause and posed risks to sensitive personal information of government employees and citizens. However, the court ruled that the plaintiffs failed to demonstrate imminent, irreparable harm necessary to warrant such an injunction.

Privacy law, as well as data security and data breach law, begins with the assumption that data collected by one entity for one purpose should not be accessed or used by another entity for another purpose. Under most privacy laws, including the federal Privacy Act and the EU’s GDPR, this “purpose limitation” is inherent in the collection of data. For data breach laws, any “unauthorized access” to personal information is a “breach” which must, at a minimum, be reported to the data subject, to some government agency, or to both. The idea is that data is collected for a legitimate reason and can only be used for that reason.

This does not establish whether DOGE does or does not have legitimate access to the data, or whether its use is for a purpose for which the data was collected. The cases involving DOGE access to data have not proceeded to the point where that issue has been briefed and argued on the merits. Assuming that DOGE’s access to and use of the data is not authorized by law, the question is whether there is anything the data subjects, or the State Attorneys General acting on their behalf, can do about it.

Judge Chutkan’s ruling suggests not. The Doge did what the Doge does when the Doge does his duty to the Duke, that is. Get it? Got it. Good!

Judge Chutkan’s ruling underscores the ongoing challenges plaintiffs face in establishing legal standing in cases involving unauthorized access to personal data. The legal concept of “standing” requires plaintiffs to demonstrate a concrete and particularized injury that is actual or imminent. In data breach and privacy violation cases, courts have often dismissed claims due to plaintiffs’ inability to show tangible harm resulting from the alleged misconduct.

We Can’t Value Data if We Can’t Put a Value on Privacy

The difficulty in establishing standing in data breach cases is well-documented. In Clapper v. Amnesty International USA, 568 U.S. 398 (2013), the U.S. Supreme Court held that plaintiffs lacked standing because they could not demonstrate that the threatened injury was “certainly impending.” There, the plaintiffs asserted that the federal government’s surveillance program would result in the government unlawfully intercepting their private (and potentially privileged) communications, in violation of the Fourth Amendment. The Supreme Court found the potential for harm to be “speculative” and insufficient to grant the plaintiffs even the ability to sue in court (standing). The Court found that the possibility of interception and misuse of private communications did not meet the standard that an injury must be “concrete, particularized, and actual or imminent; fairly traceable to the challenged action; and redressable by a favorable ruling.” Similarly, in Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011), a law firm’s payroll processor suffered a data breach exposing the personal and financial information of members of the firm. The Third Circuit ruled that the plaintiffs did not have standing because they failed to show that their information had been misused or that they faced an imminent threat of identity theft as a result of the breach. The court emphasized that allegations of potential future harm were insufficient to establish an injury-in-fact.

The Fourth Circuit echoed this sentiment in Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017), a case involving a data breach at a Veterans Affairs hospital where unencrypted laptops containing personal health information were stolen. The court held that the mere threat of future identity theft, without evidence of actual misuse of personal information, did not constitute an injury-in-fact sufficient to confer standing. In In re SuperValu, Inc., Customer Data Security Breach Litigation, 870 F.3d 763 (8th Cir. 2017), the Eighth Circuit found that plaintiffs lacked standing because they did not allege any actual misuse of their data, only an increased risk of future identity theft, which the court deemed insufficient for standing.

The problem for the plaintiffs was not only that the courts failed to recognize privacy or security breaches as harmful in their own right, but that the courts effectively closed the courtroom door: the plaintiffs did not even have the legal right to pursue their case.

Challenges in Demonstrating Actual Harm

The crux of the issue in data breach litigation is the requirement that plaintiffs demonstrate actual harm rather than speculative future injuries. Courts have consistently held that the mere exposure of personal information, without evidence of misuse, does not meet the threshold for standing.

For instance, in Storm v. Paytime, Inc., No. 14-1138, 2015 WL 1119724 (M.D. Pa. Mar. 13, 2015), the court dismissed the case for lack of standing, stating that the plaintiffs did not allege any actual misuse of their data, only the possibility of future harm, which was deemed too speculative. Similarly, in In re Science Applications International Corp. (SAIC) Backup Tape Data Theft Litigation, 45 F. Supp. 3d 14 (D.D.C. 2014), the court concluded that the plaintiffs lacked standing because they did not demonstrate that the stolen data had been accessed or misused, and the alleged increased risk of identity theft was too speculative.

This is true whether the exposure of personal information is inadvertent (a data breach) or deliberate (a privacy violation). The individual plaintiff must show not only exposure and misuse of data, but a concrete harm resulting from that unauthorized use of data.

The DOGE Controversy and its Implications

The recent case involving Elon Musk and DOGE highlights the complexities of establishing standing in cases where unauthorized access to personal data is alleged. The plaintiffs contended that Musk’s actions in deploying DOGE surrogates to access federal computer systems violated constitutional provisions and posed significant risks to sensitive personal information. Despite these assertions, the court found that the plaintiffs did not provide sufficient evidence of imminent, irreparable harm.

This decision aligns with the prevailing judicial trend requiring concrete evidence of harm rather than speculative risks. The court acknowledged the “unchecked authority of an unelected individual” and the potential for “considerable uncertainty and confusion” resulting from DOGE’s actions. However, without specific facts demonstrating immediate and irreparable harm, the request for a temporary restraining order was denied.

If a federal employee is fired as a result of DOGE access to personal data, and can establish that causal connection, they might then have the ability to go into court and attempt to demonstrate that both the firing and the access to the data were wrongful. It is not clear whether they would win, but they would at least have demonstrated some concrete harm. Similarly, a person whose tax data was accessed or exposed wrongfully would have to demonstrate some concrete harm, even though 26 U.S. Code § 7213A makes such unauthorized access a misdemeanor.

Broader Legal and Policy Considerations

The challenges in establishing standing in data breach and privacy violation cases have significant implications for both plaintiffs and defendants. For plaintiffs, the necessity of demonstrating actual harm often means that legal recourse is unavailable until after misuse of their data has occurred, potentially leaving individuals without remedy during the period of greatest vulnerability.

For defendants, particularly organizations that handle sensitive personal information, these legal precedents underscore the importance of robust data security measures. While the current legal landscape may limit liability in the absence of demonstrable harm, the reputational damage and loss of consumer trust resulting from data breaches can have profound business consequences.

Moreover, these legal standards may influence organizational behavior regarding data breach notifications. If the exposure of personal information without evidence of misuse does not confer standing, organizations might be less incentivized to promptly disclose breaches, potentially leaving affected individuals unaware of risks to their personal information. Why bother to protect data or comply with a privacy policy if nobody can show specific harm and therefore cannot sue?

When an entity collects data, it should do so with the assumption that this data might be breached. If a company collects personal data on 100,000 people, and there is a 1% chance of a breach, and the average cost of a breach is $30 per record, then the likely cost of a breach is $30,000. Under these circumstances, it makes little economic sense (other than for regulatory compliance) to spend much more than $30,000 to prevent the breach, assuming these “costs” include costs of investigation, reputational harm, litigation costs, etc. If the company has effective insurance, prevention becomes even less cost-effective. By failing to “value” privacy alone, the system skews in favor of not protecting privacy.

Why protect privacy if there is no discernible cost if privacy is not protected? Just because it’s the right thing to do?
