Trump Taxes and the Price of Privacy
There is an old saw in privacy and data breach litigation: Everyone gets paid—except, often, the victims. Plaintiffs’ lawyers receive fees, defendants incur punitive and remediation costs, and courts gesture toward compensation for the affected data subjects. In theory, these costs internalize risk. In theory, they create incentives for better cybersecurity, better governance, and better stewardship of personal data. In theory.

In practice, data breach and misuse litigation exposes a structural problem: The price of privacy is both difficult to calculate and even harder to recover. Part of the problem is that breach victims often have a hard time showing “actual” damages, or what the courts call “concrete harm.” Often, this means that suffering fear that breached data will be misused, that identities might be stolen, or that one might suffer embarrassment or discrimination in the future is not enough to provide “standing” to sue. Even if standing is demonstrated, it is difficult to establish a dollar value of harm from, for example, the fact that your purchasing habits at some store, or even your medical diagnosis for appendicitis, has been revealed to the (mostly disinterested) public. Of course, this does not preclude a lawsuit, particularly for a class, but it makes it difficult to calculate damages.

At the outset, breach victims are a diffuse and largely unaware class. Unlike a broken arm or a burned building, the injury caused by the exposure of personal data is probabilistic, attenuated, and often latent. Identity theft may occur—or may not. Financial fraud may result—or may not. Reputational harm, emotional distress, and loss of control over personal information are real, but notoriously resistant to quantification.

The Supreme Court has repeatedly struggled with this problem. In TransUnion LLC v. Ramirez, 594 U.S. 413 (2021), the Court held that Article III standing requires plaintiffs to demonstrate “concrete” harm, not merely a statutory violation. Writing for the majority, Justice Kavanaugh emphasized that “[n]o concrete harm, no standing,” id. at 426, rejecting the notion that Congress can create injury out of whole cloth by statute alone. The Court distinguished between plaintiffs whose inaccurate credit files were disseminated to third parties—who had standing—and those whose data remained internal—who did not. The implication is stark: exposure without demonstrable consequence may not be enough.

But the Court has also signaled that the courthouse doors are not entirely closed. In Dept of Agric. Rural Dev. Rural Hous. Serv. v. Kirtz, 601 U.S. ___ (2024), the Court held that the Fair Credit Reporting Act (“FCRA”) waives sovereign immunity and permits suits against federal agencies for inaccurate reporting. The Court explained that Congress “unambiguously” subjected federal agencies to liability as “persons” under the statute, id. slip op. at 8–10. In other words, the government can be sued for data misuse—at least where Congress has spoken clearly.

These two decisions, taken together, create a doctrinal tension. Plaintiffs must demonstrate concrete harm, but Congress may expose even the federal government to liability for privacy violations. The question becomes: What, exactly, is the value of that harm?

Sue Yourself
Enter Trump v. IRS—or more precisely, the still-unresolved litigation arising from the alleged 2019–2020 leak of President Donald Trump’s tax returns. As of April 2026, counsel for President Trump and the Internal Revenue Service are reportedly engaged in settlement discussions over a claim seeking approximately $10 billion in damages. The complaint alleges that IRS and Treasury officials failed to safeguard confidential return information, allowing a contractor to disclose it unlawfully.

The statutory framework is not ambiguous. Section 6103 of the Internal Revenue Code mandates strict confidentiality of tax return information, 26 U.S.C. § 6103 (2018), and § 7431 provides for civil damages for unauthorized disclosure, 26 U.S.C. § 7431 (2018). Those damages include statutory minimums, actual damages, punitive damages for willful disclosures, and attorneys’ fees. But nowhere does the statute contemplate a $10 billion valuation.

So, how are damages calculated?

The answer reveals the core instability in privacy law. Traditional tort principles look to actual injury—economic loss, reputational harm, emotional distress. But the disclosure of tax returns implicates something more amorphous: Loss of privacy itself, exposure of sensitive financial strategies, and the potential chilling effect on confidential communications with the government. Courts have struggled to analogize such harms to traditional causes of action. See, e.g., Daniel J. Solove & Danielle Keats Citron, Risk and Anxiety: A Theory of Data-Breach Harms, 96 Tex. L. Rev. 737 (2018) (arguing that courts should recognize risk and anxiety as cognizable harms in privacy cases).

In the Trump litigation, the claimed damages appear to incorporate not only statutory remedies but also reputational harm, political consequences, and the asserted value of the confidentiality breached. Whether such a valuation is sustainable—or even cognizable—remains to be seen. But the mere assertion of such a figure reframes the debate: if privacy has value, how is that value measured?

Complicating matters further is the obvious structural tension. The defendant is the federal government. The plaintiff, at least at the time of filing, was the sitting or former President. Any settlement implicates not only statutory interpretation but also questions of public fisc, executive influence, and institutional conflict of interest. The optics alone are fraught. This is not so much a compensation for damages as a literal money grab.

Yet the implications extend far beyond one litigant or one leak.

Consider the emerging controversy surrounding alleged data practices within the Social Security Administration and associated entities. Whistleblower reports and investigative findings suggest that personnel may have bypassed established IT controls, copying sensitive records—including bank account numbers, health information, and wage histories—onto unauthorized private cloud infrastructure. Reports further suggest that data relating to potentially hundreds of millions of Americans may have been aggregated into a virtual database without adherence to statutory or regulatory safeguards, and that such data may have been shared beyond authorized channels.

If substantiated, such conduct would implicate a range of statutory regimes, including the Privacy Act of 1974, 5 U.S.C. § 552a (2018), the Federal Information Security Modernization Act (“FISMA”), 44 U.S.C. §§ 3551–3558 (2018), and potentially sector-specific protections depending on the nature of the data involved. The Privacy Act, in particular, provides for civil remedies where an agency fails to maintain records with the requisite level of accuracy or safeguards, and where such failure results in an adverse effect. See Doe v. Chao, 540 U.S. 614, 620–25 (2004) (holding that plaintiffs must prove actual damages to recover under the Privacy Act).

Again, the same problem emerges. Even if millions of records are improperly accessed or disseminated, what is the value of that violation to any individual data subject? And who has standing to bring the claim? If we place a dollar value on the privacy of data, then we can calculate the cost of preventing the breach of that data.

The Trump tax return litigation may provide an unexpected answer. A high-profile plaintiff asserting massive damages for a privacy violation—against the federal government itself—forces courts to grapple with valuation in a way that class actions involving anonymous consumers have not. If a court credits a substantial damages theory grounded in the intrinsic value of privacy, the precedent could reverberate across the entire data protection landscape.

It could, for example, recalibrate the economics of Privacy Act litigation. It could influence how courts assess damages in cases involving large-scale data aggregation and misuse. It could even affect how agencies design and implement data governance frameworks, particularly where the potential liability is no longer nominal.

At the same time, the doctrinal constraints of TransUnion remain. Plaintiffs will still need to demonstrate concrete harm. The challenge, then, is to articulate that harm in a way that satisfies Article III while capturing the real-world consequences of data exposure and misuse.

Privacy, in this sense, resembles a form of intangible property—valuable, vulnerable, and difficult to price. The law has long recognized similar interests, from trade secrets to reputational rights, yet has struggled to develop consistent metrics for their valuation. Data privacy sits uneasily within this tradition, straddling statutory regimes, constitutional constraints, and evolving technological realities.

What the Trump litigation underscores is not merely a political controversy, but a jurisprudential gap. If privacy is to be protected meaningfully, the law must grapple with its valuation. Otherwise, the incentives remain misaligned: organizations will underinvest in protection, plaintiffs will struggle to recover, and the cycle of breach and remediation will continue.

The price of privacy, it turns out, is still very much up for negotiation.
