Welborn v. Internal Revenue Service
218 F. Supp. 3d 64
| D.D.C. | 2016
Background
- In 2015 the IRS’s online Get Transcript tool was hacked, exposing approximately 330,000 taxpayers’ tax-related records (Get Transcript was taken offline May 21, 2015).
- Plaintiffs Welborn, Windrich, and DuPree allege the breach led to fraudulent tax filings, unauthorized access to their data, and time and money spent responding; they seek class relief for all filers whose PII was compromised.
- Plaintiffs assert claims under the Privacy Act (unauthorized disclosure and failure to safeguard), the Administrative Procedure Act (APA) challenging IRS FISMA compliance, and the Internal Revenue Code (§ 6103/§ 7431) for improper disclosure.
- Defendants moved to dismiss for lack of subject-matter jurisdiction (standing) and for failure to state a claim; the court considered statutory preemption and sovereign-immunity limits on remedies.
- The court found Welborn and Windrich had Article III standing for monetary claims (alleged actual identity theft via fraudulent tax returns); DuPree lacked standing because her allegations did not adequately trace her losses to the Get Transcript breach.
- The court dismissed: Privacy Act unauthorized-disclosure claims as preempted by the Code; Privacy Act failure-to-safeguard claims for lack of pleaded pecuniary damages; APA injunction claims for lack of standing to seek prospective relief; and § 7431 IRC claims for failure to state a claim (court declined to extend the Code’s waiver of sovereign immunity to the plaintiffs’ negligent-safeguard theory).
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Standing for monetary relief | Plaintiffs allege actual identity theft (fraudulent tax returns) and costs; that suffices for injury-in-fact and redressability | Many alleged harms (risk of future identity theft, anxiety, monitoring costs) are speculative; some plaintiffs lack a causal nexus to the breach | Welborn and Windrich: standing for money damages (alleged fraudulent filings). DuPree: no standing; dismissed |
| Standing for injunctive relief (APA) | Plaintiffs seek injunctions to fix security and implement audits | Past exposure without a real likelihood of repetition is insufficient for injunctive relief; FISMA/Modernization Act do not create private rights | No standing for injunctive relief; APA claims for injunctive relief dismissed |
| Privacy Act – unauthorized disclosure vs. failure to safeguard | Plaintiffs say IRS disclosed PII (and failed to secure systems) in violation of Privacy Act | Defendants: Code (§6103/§7431) preempts Privacy Act claims for disclosure of tax returns/return information | Unauthorized-disclosure claims under Privacy Act preempted by the Code; failure-to-safeguard Privacy Act claims dismissed for lack of pleaded pecuniary damages |
| IRC §7431 claim for improper disclosure | Plaintiffs characterize the breach as negligent disclosure of return information via an unsecured online system | Defendants: §7431 does not extend to negligence in designing systems; waivers of sovereign immunity must be strictly construed—plaintiffs seek to convert a safeguard failure into a disclosure claim | §7431 claim dismissed for failure to state a claim; court will not extend waiver of sovereign immunity to plaintiffs’ negligent-safeguard theory |
Key Cases Cited
- Ashcroft v. Iqbal, 556 U.S. 662 (pleading plausibility standard)
- Bell Atlantic Corp. v. Twombly, 550 U.S. 544 (plausibility and Twombly standard)
- Clapper v. Amnesty Int’l USA, 568 U.S. 398 (standing requires certainly impending or substantial risk; speculative future harms insufficient)
- Lujan v. Defenders of Wildlife, 504 U.S. 555 (Article III standing requirements)
- Motor Vehicle Mfrs. Ass’n v. State Farm, 463 U.S. 29 (arbitrary and capricious review under APA)
- Gardner v. United States, 213 F.3d 735 (D.C. Cir.) (26 U.S.C. § 6103 is exclusive remedy for unlawful disclosure of tax returns)
