Ostergren v. Cuccinelli
Concerning the Publication of Social Security Numbers
On July 26, 2010, the Fourth Circuit issued an opinion upholding First Amendment protection for Ostergren’s publication of government documents containing unredacted SSNs on her website. Ostergren v. Cuccinelli, 615 F.3d 263, 272 (4th Cir. 2010). Under Supreme Court precedent from Smith v. Daily Mail Publishing Co.,443 U.S. 97 (1979), the court further found that applying the revised provision of PIPA to Ostergren’s protected speech was unconstitutional. Id. at 286-87. Despite Virginia’s "state interest of the highest order" in protecting the privacy of SSNs, the court found that Ostergren had published "lawfully obtained, truthful information about a matter of public significance" and the PIPA provision was not narrowly tailored to the state interest. Id. at 276, 286-87. Indeed, the court noted that "the First Amendment does not allow Virginia to punish Ostergren for posting its land records online without redacting SSNs when numerous clerks are doing precisely that." Id. at 286-87. The court also reversed the lower court’s injunctive relief as not properly tailored to fit PIPA’s constitutional violation. Id. at 290.
- Appeals Court Considers Case that Aligns Privacy and FOI + (Jul. 13, 2017)
- EPIC Urges Court to Protect Individual Privacy in Releases of Government Docs + (Mar. 16, 2017)
- Privacy Watchdog Receives Broad Protection for Publishing Public Records + (Apr. 15, 2011)
- Appeals Court Protects Free Speech for Privacy Advocate + (Jul. 26, 2010)
- Federal Appeals Court to Hear Arguments in SSN Free Speech Case + (Mar. 22, 2010)
- EPIC Urges Court to Protect Speech of Privacy Advocate + (Oct. 19, 2009)
More top news
Virginia provides "secure remote access" to certain public records, including court records that contain "several hundred million documents with SSNs." Any person who provides basic registration information, signs an agreement, and pays a fee may use the service and gain remote access to the records. By statute, court clerks are required to redact SSNs from records before making them available for secure remote access; however, that provision did not go into effect because the redaction process was unfunded. Going forward, the Virginia legislature has dedicated approximately $7 million towards the redaction of SSNs from secure remote access records, with a goal of complete redaction by the end of 2010.
The plaintiff in this case, Betty Ostergren, is a privacy advocate who maintains a website calling for improved privacy rights and the removal of private information from public records. Ostergren obtained unredacted public documents through Virginia's secure remote access system and posted the documents on her website. Ostergren argued that posting the records informs the public about the online availability of personal information, and increases transparency and oversight.
The publication of the SSNs exposed Ostergren to liability under a revised provision of Virginia’s Personal Information Privacy Act (PIPA) that states that “a person shall not . . . [i]ntentionally communicate another individual’s social security number to the general public.” The previous version of the statute provided an exception for "records required by law to be open to the public." Before the revised provision went into effect, Ostergren filed a complaint in the United States District Court for the Eastern District of Virginia, alleging that the revised provision was unconstitutional under the First Amendment and applicable Supreme Court precedent.
The court agreed that the provision was unconstitutional as applied to her website. The court found that Ostergren's website addressed a matter of public concern, and that Virginia did not appear to regard the protection of SSNs as an "interest of the highest order" because it made some records available online and did not fund the redaction of the records. The court found that it was not an interest of the highest order even though the SSNs on Ostergren's website have been used at least twice for criminal activity. One individual has admitted to using the SSNs to fraudulently obtain credit cards, and another confessed to using the SSNs to attempt to blackmail people.
The court entered a permanent injunction against enforcement of the provision against “any iteration of [plaintiff]’s website that simply republished publicly obtainable documents containing unredacted SSNs of Virginia [state officials].” The Virginia Attorney General filed a notice of appeal on June 30, 2008, and filed its Opening Brief before the Fourth Circuit on September 8, 2009.
EPIC has also routinely urged lawmakers, regulators, and courts to take meaningful steps to curb identity theft. Specifically, EPIC has advocated for increased privacy of SSNs and has argued repeatedly that the unwarranted disclosure of SSNs, even if truncated, can lead to identity theft. However, privacy and transparency are not a zero sum game. In this case, EPIC believes that the transparency and oversight interests advanced by Ostergren's disclosures will lead to greater protection of privacy, even if she discloses SSNs in order to do so.
- Opinion in Ostergren v. Cuccinelli, No. 09-723 (4th. Cir. July 26, 2010)
- EPIC's Amicus Brief, EPIC, October 19, 2009
- Appellee's Brief by the ACLU of Virginia, 4th Circuit, October 13, 2009
- Appellant's Brief by the Virginia Attorney General, 4th Circuit, September 8, 2009
- Memorandum Opinion Granting Permanent Injunction, U.S. District Court, June 2, 2009
- Permanent Injunction Order, U.S. District Court, June 2, 2009
- Memorandum Opinion, U.S. District Court, August 22, 2008
- Complaint, U.S. District Court, June 11, 2008
- Judge Lets Privacy Advocate Keep Social Security Numbers on Web Site, ComputerWorld (August 27, 2008)
- Collect Them All: Politicians' Social Security Numbers, Washington Post, Opinion (August 25, 2008)
- Judge Supports Right to Post Social Security Numbers on Web Site, Richmond Times-Dispatch (June 2, 2008)
- Online Records May Aid ID Theft, Washington Post (January 2, 2008)
- A Matter of Public Record, Washington Post (May 25, 2005)
Share this page:
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.