In a very interesting case, Saffold v. Plain Dealer Publishing Co., a state court judge (Shirley Strickland Saffold) is suing the Cleveland Plan Dealer for stating that comments posted on the newspaper’s website under the screen name “lawmiss” originated from a computer used by the judge and/or her daughter. Some of these comments related to cases before Judge Saffold.
As Kashmir Hill writes:
Sydney Saffold, 23, “a one-time law student” claims she made the comments associated with her mom’s account. . . . .
The Cleveland Plain Dealer is putting Saffold on trial. A public records request revealed that some of the articles involved were accessed on Saffold’s court-issued computer at the exact times and dates of three comments posted by Lawmiss.
Judge Saffold denies that she made any of the over 80 comments posted by Lawmiss on the cleveland.com website.
Here’s the Cleveland Plain Dealer story.
In her complaint Judge Saffold raises the following claims: fraud, defamation, tortious interference, breach of contract, promissory estoppel, and invasion of privacy.
Here’s my assessment of some of the claims raised (and not raised) in the complaint.
Invasion of Privacy. Invasion of privacy actually consists of the four Warren and Brandeis privacy torts, and the complaint appears to discuss two of them — public disclosure of private facts and false light. I don’t know enough about the facts to opine on the false light claim, but the plaintiffs will have a tough time establishing the public disclosure tort since the story is likely to be found newsworthy — of “legitimate concern to the public.” Whenever a story is newsworthy, plaintiffs cannot sustain an action for public disclosure of private facts.
Breach of Contract. Judge Saffold claims that the newspaper’s disclosure of the identity of “lawmiss” violated its website’s privacy policy which states that “personally identifiable information is protected.” The difficulty with this claim is that thus far, courts have held that privacy polices don’t constitute contracts — they are mere statements of policy. See, e.g., Dyer v. Northwest Airlines Corp., 334 F.Supp.2d 1196 (D.N.D. 2004). The issue, though, hasn’t been widely litigated, so the law here isn’t well-settled. For an interesting discussion of the issue, see Allyson W. Haynes, Online Privacy Policies: Contracting Away Control Over Personal Information?, 111 Penn. St. L. Rev. 587 (2007).
In this case, there’s more than just a privacy policy — there’s also a user agreement as part of the registration process to create an account on the website. Courts may see user agreements as more akin to contracts than privacy policies, and the user agreement in this case incorporated the privacy policy.
Promissory Estoppel. There may be a valid claim here. According to the Restatement (Second) of Contracts § 90:
A promise which the promisor should reasonably expect to induce action or forbearance on the part of the promisee or a third person and which does induce such action or forbearance is binding if injustice can be avoided only by enforcement of the promise. The remedy granted for breach may be limited as justice requires.
I think the plaintiffs may have a claim for promissory estoppel, though my conclusion remains tentative.
Breach of Confidentiality. This claim wasn’t raised in the complaint. I continue to wish more plaintiffs would bring breach of confidentiality claims. As I noted in Privacy’s Other Path: Recovering the Law of Confidentiality, 96 Geo. L.J. 123 (2007) (with Neil M. Richards):
A plaintiff can establish a breach of confidence action by proving the existence and breach of a duty of confidentiality. Courts have found the existence of such a duty by looking to the nature of the relationship between the parties, by reference to the law of fiduciaries, or by finding an implied contract of confidentiality. Most commonly, the breach of confidentiality tort applies to physicians. Courts have also applied it to banks, hospitals, insurance companies, psychiatrists, social workers, accountants, school officials, attorneys, and employees. . . .
The American breach of confidentiality tort has yet to come close to reaching its fullest potential. The tort still applies only to a limited set of relationships, with most cases involving the patient-physician relationship. . . . . Having only recently gained momentum, the breach of confidentiality tort often has not been raised in many cases where it might have relevance.
An argument can be made that the newspaper website’s privacy policy constituted an implied promise of confidentiality, giving rise to a duty of confidentiality.
Unlike the public disclosure of private facts claim, or the false light and defamation claims, the breach of confidentiality claim (along with the contract and promissory estoppel claims) will likely not trigger First Amendment scrutiny. Professor Neil Richards and I recently discussed this in Rethinking Free Speech and Civil Liability, 109 Colum. L. Rev. 1650 (2009).
Therefore, I conclude that this complaint may have some legs. My conclusions, however, are quite tentative, as I’ve only glanced at the complaint and many facts still remain open and contested.
What about the normative implications of the case? Suppose that the judge indeed commented anonymously on cases before her (this fact is in dispute in the case). Suppose the newspaper revealed her identity. Should the paper be liable? Isn’t this highly newsworthy information, perhaps a breach of judicial ethics? Don’t we want information like this exposed to the public?
When are breaches of confidentiality appropriate? Currently, the law allows for breach of confidentiality when disclosure can help prevent a danger to the public. Should it allow for breaches when public officials are acting unethically? Perhaps the allowable breach should be limited only to bringing the matter to the attention of those responsible for investigating ethics violations.
There are many difficult and interesting questions raised by this case — both legal ones and normative/policy ones. This lawsuit will be one worth following.
For more on the lawsuit, see Pogo Was Right.
Originally Posted at Concurring Opinions
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum and International Privacy + Security Forum, annual events designed for seasoned professionals.
If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
* LinkedIn Influencer blog
* Twitter
* Newsletter
