Tarullo v. Defense Contract Audit Agency

Full title: Vincent J. TARULLO, Plaintiff, v. DEFENSE CONTRACT AUDIT AGENCY, United…

Court: United States District Court, D. Connecticut

Date published: Mar 4, 2009

600 F. Supp. 2d 352 (D. Conn. 2009)

Opinion

No. 3:06CV01418(DJS).

March 4, 2009

Michelle N. Holmes, Law Office of Michelle N. Holmes, Waterbury, CT, for Plaintiff.

Alan M. Soloway, U.S. Attorney's Office, New Haven, CT, for Defendant.

MEMORANDUM OF DECISION AND ORDER

DOMINIC SQUATRITO, District Judge

The plaintiff, Vincent J. Tarullo ("the Plaintiff") brings this single count action against the defendant, the Defense Contract Audit Agency, United States Department of Defense ("the Defendant"), alleging that the Defendant violated the Privacy Act of 1974, as amended, 5 U.S.C. §§ 552 et seq. ("the Privacy Act"). Pursuant to Rule 56 of the Federal Rules of Civil Procedure, the Defendant has filed a motion for summary judgment. For the reasons that hereafter follow, the Defendant's motion for summary judgment (dkt. # 21) is GRANTED.

I. FACTS

The Defendant, an agency of the United States Department of Defense ("DoD"), is responsible for performing all of the DoD's contract auditing and providing accounting and financial services on contracts and subcontracts to all DoD components. The Plaintiff works as an auditor for the Defendant and currently is employed as a Technical Specialist. As an auditor in the position of Technical Specialist, the Plaintiff must travel to contractors' facilities to assist in the auditing of those contractors. In order to perform the duties of his position with the Defendant, the Plaintiff must be able to travel and gain access to those facilities. He is required to maintain a minimum level of competence to perform his duties. As a result, he must complete a minimum number of hours of continuing professional education.

Under the DoD's Financial Management Regulation, all DoD personnel are required to use a government-sponsored, contractor-issued travel charge card for all expenses arising from official government travel. (See dkt. # 21, Ex. 4 § 030301A.)¹ On August 30, 2004, the Plaintiff completed, in his own handwriting, a Bank of America ("BoA") travel card application entitled "Individually Billed Card Account Application Form For New Accounts." The BoA travel card application contains a section for the DoD employee to complete, a section for the Agency Program Coordinator to complete, and an agreement between the DoD employee and BoA. The application form indicates that the information contained therein will be used to establish an individually billed cardholder travel card account. The attached agreement states that, by signing the application form, the DoD employee is providing written consent to the disclosure of account information as described in the agreement. The agreement also contains a Privacy Act notice stating, among other things, that the information requested was not mandatory, but failure to provide the information will nullify the application, meaning that no charge card would be provided to the DoD employee. In the portion of the application labeled "SSN/Tax ID Number," the Plaintiff wrote his so-called credential number with the Defendant. He also scratched out a sentence on the application for that stated: "By signing below, I acknowledge I have read, understand and agree to be bound by the terms and conditions of the agreement." In addition, the Plaintiff indicated on the form that he did not authorize BoA to obtain a credit report. On September 1, 2004, the Plaintiff's supervisor signed his application, which was faxed that same day to the Defendant's Northeast Regional Program Coordinator, Lorna Maglathlin ("Maglathlin").²

1 There are some exemptions to this requirement. ( See dkt. # 21, Ex. 4 § 030302.)

2 At the time, Maglathlin's name was "Lorna Maguire," which she subsequently changed.

The parties dispute what occurred next. The Defendant maintains that sometime between September 1, 2004 and September 9, 2004, Maglathlin informed the Plaintiff that his travel card application could not be processed, and the BoA would not approve his application, unless he provided his Social Security Number ("SSN"). According to the Defendant, Maglathlin received the Plaintiff's consent to insert his SSN, which she obtained directly from the Plaintiff himself, into the application form. The Defendant further maintains that Maglathlin placed correction tape over the number the Plaintiff had written in the application, wrote in the Plaintiff's SSN, and sent the application to BoA.

The Plaintiff, for his part, denies the Defendant's version of the facts. The Plaintiff claims that on September 9, 2004, he opened an email (dated September 9, 2004) from Maglathlin asking the Plaintiff to let her know when he got his BoA card so that she could activate it. The Plaintiff also claims that, at the same time, he opened another email (dated September 2, 2004) from Maglathlin asking the Plaintiff how he wanted his name to read on the BoA card, and informing him that the split disbursement to the card was to be paid by a linking with his SSN. The Plaintiff further asserts that, after reading these emails, he spoke with Maglathlin via telephone, and that during this conversation, she informed him that she gave his SSN to BoA because it was required. The Plaintiff maintains that he expressed his displeasure and disapproval with the release of his SSN to BoA. According to the Plaintiff, at no time did he give Maglathlin his SSN, nor did he authorize her to release his SSN to BoA.

On February 28, 2005, the Defendant notified all its employees that the DoD Travel Program Management Office had provided notice that there had been a loss of cardholder information, including Privacy Act data, when the Boa backup tapes containing the customer and account information were lost during a shipment. In a memorandum dated March 18, 2005, the Deputy Director of the Defense Finance and Accounting Service indicated that the Secret Service had found no evidence of any loss or compromise of the data.

In January 2006, the Plaintiff was required, as a part of his regular duties, to visit Raytheon Defense Systems Northeast ("Raytheon"), where he would assist in performing audits. The Defendant maintains that Raytheon required any employee of the Defendant to submit a visitor request form prior to that employee's visit of Raytheon's facilities. The Defendant also maintains that Raytheon required that the employee's SSN be included on the form.

Thus, on December 30, 2005, in advance of the Plaintiff's visit, the security officer for the Defendant's Northeast Region, Cynthia Piotte ("Piotte"), prepared a visit request form for the Plaintiff's visit to Raytheon. The Defendant claims that, at the time Piotte prepared the form, she was unaware of any objection the Plaintiff may have had to disclosing his SSN to Raytheon. The Defendant further claims that Piotte, who followed her regular procedures for preparing visit request forms, prepared the Plaintiff's form from information contained in an Access and Eligibility Certificate ("AEC"), which she regularly maintained for each employee at the Regional Office, including the Plaintiff. An AEC is a document prepared by the Defendant's Headquarters Security Office from information maintained in The Enhanced Access Management System ("TEAMS") of records. The visit request form asked for the visitor's name, date and place of birth, security clearance, ID number, title, and grade. Piotte inserted the information she obtained from the Plaintiff's AEC, including his SSN, which, according to the Defendant, Raytheon required. The Defendant claims that if this information had not been provided, the Plaintiff would not have been permitted to enter Raytheon's facilities without an escort. The Plaintiff, for his part, alleges that the neither the visitor request form nor Raytheon requires submission of a visitor's SSN, and that Piotte provided his SSN to Raytheon without his consent.

All of the Defendant's auditors are required to complete eighty hours of professional training or development courses (Continuing Professional Education, or "CPE") during each two-year reporting period. At least twenty of the eighty CPE credit hours of CPE credits must be earned each fiscal year, and at least twenty-four of the eighty CPE credit hours must be earned in subjects directly related to the Government environment and to Government auditing. Auditors may meet these requirements by attending courses offered by non-Government vendors. It is the Defendant's policy to pay for salary and travel costs when an employee is participating in approved training at a non-Government facility during official duty time. The Defendant will also pay for tuition and matriculation fees that are directly related to the approved training. The employee must qualify for the proposed training, which must be approved before the training begins. Thus, an employee must submit a request for training form when requesting training at a non-Government facility. This form must be reviewed and signed by the employee, supervisor, financial officer, regional training officer, and authorizing official. The form contains a Privacy Act notice stating that, although the disclosure of information is voluntary, the failure to provide the requested information may result in the employee's ineligibility to participate in the training.

In August 2006, the Plaintiff was at least twenty-eight hours short of his mandatory biannual requirement of eighty CPE credit hours. He needed to meet this requirement by September 30, 2006. Sometime before August 17, 2006, he submitted a handwritten form requesting permission to attend the "Process Flow Auditing-OAP311" course from September 6, 2006 through September 8, 2006, at the MIS Training Institute ("MIS") in New York City. The tuition for the course was $1495.00, and the Plaintiff estimated his travel costs would be approximately $1200.00. In filling out the form, the Plaintiff wrote his SSN. The Plaintiff's supervisor signed the authorization on August 17, 2006, and the regional training officer and authorized official signed the form on August 18, 2006. The financial officer provided a fund cite and authorized an expenditure of Government funds of up to $3895.00. In accordance with the Defendant's established procedures, a copy of the Plaintiff's form was forwarded to MIS on August 22, 2006, and sent by facsimile to MIS on August 23, 2006. The Plaintiff attended the MIS course from September 6, 2006 through September 8, 2006. He received a certificate of completion from MIS for twenty-two credits. This certificate was then submitted to the Defendant.

In addition to requesting the MIS training in New York City, the Plaintiff also submitted a handwritten request to train via an online course offered by MIS entitled "IT Auditing and Controls." The tuition for this course was $395.00. The Plaintiff again wrote his SSN on the form. The authorizing official signed the request on August 30, 2006, and the Regional Training Coordinator signed the form on September 1, 2006. In accordance with the Defendant's established procedures, this form was sent to MIS on September 5, 2006. The Plaintiff took the online course from September 20, 2006 through September 21, 2006. He received a certificate of completion from MIS for nine credits. This certificate was then submitted to the Defendant.

II. DISCUSSION

The Defendant now moves for summary judgment, arguing that the Plaintiff's Privacy Act allegations fail as a matter of law. The Plaintiff argues that there are genuine issues of material fact precluding summary judgment.

A. SUMMARY JUDGMENT STANDARD

A motion for summary judgment may be granted "if the pleadings, depositions, answers to interrogatories, and admissions on file, together with the affidavits, if any, show that there is no genuine issue of material fact and that the moving party is entitled to judgment as a matter of law." Fed.R.Civ.P. 56(c).

Summary judgment is appropriate if, after discovery, the nonmoving party "has failed to make a sufficient showing on an essential element of [its] case with respect to which [it] has the burden of proof." Celotex Corp. v. Catrett, 477 U.S. 317, 323, 106 S.Ct. 2548, 91 L.Ed.2d 265 (1986). "The burden is on the moving party `to demonstrate the absence of any material factual issue genuinely in dispute.'" Am. Int'l Group, Inc. v. London Am. Int'l Corp., 664 F.2d 348, 351 (2d Cir. 1981) (quoting Heyman v. Commerce Indus. Ins. Co., 524 F.2d 1317, 1319-20 (2d Cir. 1975)).

A dispute concerning a material fact is genuine "`if evidence is such that a reasonable jury could return a verdict for the nonmoving party.'" Aldrich v. Randolph Cent. Sch. Dist., 963 F.2d 520, 523 (2d Cir. 1992) (quoting Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248, 106 S.Ct. 2505, 91 L.Ed.2d 202 (1986)). The Court must view all inferences and ambiguities in a light most favorable to the nonmoving party. See Bryant v. Maffucci, 923 F.2d 979, 982 (2d Cir. 1991). "Only when reasonable minds could not differ as to the import of the evidence is summary judgment proper." Id.

B. THE PRIVACY ACT³

3 In the Court's view, the applicable two-year statute of limitations, see 5 U.S.C. § 552a(g)(5), would have barred a Privacy Act claim based on the circumstances surrounding the BoA card. It appears that the application form for the Plaintiff's BoA card was sent to BoA on September 9, 2004. The complaint in this case was filed on September 11, 2006. Thus, even if the Court were to accept as true all of the Plaintiff's assertions, the BoA transaction would be time-barred because the Defendant's alleged wrongful act (i.e., providing BoA with his SSN) occurred more than two years prior to the filing of this case. Nevertheless, "[t]he statute of limitations is an affirmative defense under Fed.R.Civ.P. 8(c) that must be asserted in a party's responsive pleading at the earliest possible moment and is a personal defense that is waived if not promptly pleaded." Davis v. Bryan, 810 F.2d 42, 44 (2d Cir. 1987) (internal quotation marks omitted). Additionally, "[i]f a defendant fails to assert the statute of limitations defense, the district court ordinarily should not raise it sua sponte." Id. For whatever reason, the Defendant did not raise this affirmative defense in its answer to the complaint or in any other submission to the Court. Thus, the Defendant has waived any statute of limitations defense, and it would be improper for the Court sua sponte to bar any allegations on that basis.

The Privacy Act states that "[n]o agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains[]. . . ." 5 U.S.C. § 552a(b).⁴ It also provides a private cause of action against any agency that "fails to comply with any other provision of this section, or any rule promulgated thereunder, in such a way as to have an adverse effect on an individual[]. . . ." Id. § 552a(g)(1)(D). "To state a Privacy Act claim a plaintiff must show that: 1) the information at issue is a record contained within a system of records; 2) the agency violated the Act with respect to that record; 3) the disclosure had an adverse effect on the plaintiff; and 4) the violation was willful or intentional." Int'l Union, Sec., Police, and Fire Prof'ls of Am. (SPFPA) v. U.S. Marshal's Serv., 350 F.Supp.2d 522, 528 (S.D.N.Y. 2004) (citing Quinn v. Stone, 978 F.2d 126, 131 (3d Cir. 1992); Mandel v. U.S. Office of Pers. Mgmt., 244 F.Supp.2d 146, 150 (E.D.N.Y. 2003); Germosen v. Cox, No. 98 Civ. 1294(BSJ), 1999 WL 1021559, at *18 (S.D.N.Y. Nov. 9, 1999)). A plaintiff in an action under the Privacy Act bears the burden of proof for each element of his claim. See Krieger v. U.S. Dep't of Justice, 529 F.Supp.2d 29, 40 (D.D.C. 2008).

1. Relief Requested "Adverse Effect"

In the Court's view, summary judgment must be granted in favor of the Defendant for two reasons that the parties, including the Defendant, did not expressly address.⁵ To begin with, the Plaintiff does not request the proper relief for the type of Privacy Act violations alleged here. In the complaint, the Plaintiff seeks "injunctive relief, declaratory relief, attorney's fees, and any other relief that the Court deems equitable and just." (Dkt. # 1 ¶ 9.) The Privacy Act, however, expressly provides for injunctive relief only when an agency either wrongful withholds a plaintiff's documents or wrongful refuses to amend a plaintiff's record. See 5 U.S.C. § 552a(g)(2) (3); see also Doe v. Stephens, 851 F.2d 1457, 1463 (D.C. Cir. 1988); Kursar v. Transp. Sec. Admin., 581 F.Supp.2d 7, 19 (D.D.C. 2008).⁶ "In so doing, . . . the [Privacy] Act precludes other forms of declaratory and injunctive relief[]. . . ." Doe, 851 F.2d at 1463; see Haase v. Sessions, 893 F.2d 370, 374 (D.C. Cir. 1990); Clarkson v. IRS, 678 F.2d 1368, 1375 n. 11 (11th Cir. 1982); Kursar, 581 F.Supp.2d at 19; Foncello v. U.S. Dep't of Army, No. 3:04-CV-604 (JCH), 2005 WL 2994011, at *3 n. 3 (D.Conn. Nov. 7, 2005).

5 On summary judgment, the Court does not habitually seek or address issues for which the parties have not provided substantive analyses. Nonetheless, "a district court `may grant summary judgment on any legal ground the record supports.'" Glenn K. Jackson Inc. v. Roe, 273 F.3d 1192, 1202 (9th Cir. 2001) (quoting 6 James W. Moore, Walter J. Taggart and Jeremy C. Wicker, Moore's Federal Practice ¶ 56.14[1] (1994)); see Lane v. Dep't of the Interior, 523 F.3d 1128, 1140 (9th Cir. 2008). In the Court's view, these issues not addressed by the parties are glaring and conspicuous after a review of the record.

6 A prevailing plaintiff may also recover litigation costs and attorney fees. See 5 U.S.C. s 552a(g)(3)(B) (4)(B).

The bases for the Plaintiff's complaint are the allegations that the Defendant, on three occasions, wrongfully disclosed his SSN. By their nature, these allegations must be brought pursuant to the Privacy Act's "catchall" civil remedy provision, 5 U.S.C. § 552a(g)(1)(D), under which the Plaintiff would be entitled only to damages, ⁷ not the injunctive relief requested in the complaint. In this way, the Plaintiff has failed to state a claim upon which the Court can grant relief, and summary judgment must be granted.

7 The Plaintiff would also be entitled to attorney fees, but the awarding of such fees presupposes that the Plaintiff prevailed on the substance of his wrongful disclosure claim.

In addition, as noted above, a plaintiff has a cause of action under § 552a(g)(1)(D) only if he can show that the defendant's violation of the Privacy had an "adverse effect" on him. The Supreme Court has held that the "adverse effect" requirement "acts as a term of art identifying a potential plaintiff who satisfies the injury-in-fact and causation requirements of Article III standing, and who may consequently bring a civil action without suffering dismissal for want of standing to sue." Doe v. Chao, 540 U.S. 614, 624, 124 S.Ct. 1204, 157 L.Ed.2d 1122 (2004). A plaintiff does not meet this burden simply by demonstrating a statutory violation (e.g., a wrongful disclosure of protected information). See id. at 620, 124 S.Ct. 1204. Instead, "[t]he statute guarantees [monetary relief] only to plaintiff's who have suffered some actual damages." Id. at 627, 124 S.Ct. 1204.

Upon review of the record, there is absolutely no evidence that any disclosure of the Plaintiff's SSN had any adverse effect on him. As seen in the complaint, the Plaintiff does not even allege that he suffered any adverse consequences from the disclosures involved here. Moreover, here on summary judgment, the Plaintiff has neither argued nor demonstrated that he suffered any adverse consequences from the Defendant's alleged conduct. Even the Plaintiff's own affidavit, which was submitted in support of his summary judgment opposition, is devoid of any reference whatsoever to an adverse effect (such as a pecuniary loss or emotional suffering⁸) the Plaintiff has endured. Indeed, the record as a whole contains no evidence that the disclosures of the Plaintiff's SSN had an adverse effect on the Plaintiff other than the displeasure he felt because these disclosures were against his wishes. At most, the Plaintiff has demonstrated statutory violations only. As the Supreme Court has held, this is not enough for a Privacy Act claim. See id. at 620, 627, 124 S.Ct. 1204; see also Lane, 523 F.3d at 1140 (upholding the district court's granting of summary judgment in favor of the defendant because the plaintiff "has not provided evidence in her pleadings, depositions, answers to interrogatories, or affidavits to show. . . . damages"). Consequently, the Defendant's motion for summary judgment is granted.

8 There is a split among the courts of appeals as to whether a plaintiff can recover under the Privacy Act for non-pecuniary losses, compare Fitzpatrick v. IRS, 665 F.2d 327, 331 (11th Cir. 1982) (actual damages are restricted to pecuniary loss), with Johnson v. Dep't of Treasury, IRS, 700 F.2d 971, 972-974 (5th Cir. 1983) (actual damages can include adequately demonstrated mental anxiety even without any out-of-pocket loss), and the Supreme Court in Chao left the question open, see Chao, 540 U.S. at 627 n. 12, 124 S.Ct. 1204. There is some indication that the Second Circuit would allow emotional distress to qualify as "actual damages" under the Privacy Act. See Mandel v. U.S. Office Pers. Mgmt., 79 Fed.Appx. 479, 481-82 (2d Cir. 2003) (affirming summary judgment in favor of defendant because the plaintiff had not demonstrated that the adverse effects alleged were caused by the disclosure of his records). Nevertheless, even assuming that non-pecuniary harms could qualify as actual damages, the Plaintiff's Privacy Act allegations fail. Mere allegations that one has suffered "anger, dismay, anxiety, and fear about what has occurred and what could happen . . . [are] cursory descriptions of emotional harm [that do not] support[] a finding of `actual damages' under the Privacy Act." Rice v. United States, 245 F.R.D. 3, 7 (D.D.C. 2007) (internal citations omitted). "Even in those courts holding that non-pecuniary emotional distress could qualify as actual damages, a level of severity beyond [such cursory descriptions] has been required." Id. (citing Johnson, 700 F.2d at 974 (the plaintiff suffered from mental depression, loss of sleep and appetite, and weight loss); Boyd v. Snow, 335 F.Supp.2d 28, 39 (D.D.C. 2004) (allowing the plaintiff to prove actual damages at trial because she had alleged "severe emotional and physical harm, stress, sleeplessness and nightmares")). Here, the Plaintiff has not brought general allegations of "distress," or "dismay," or "anger," let alone presented evidence demonstrating that he suffered distress severe enough to qualify as "actual damages" under the Privacy Act. In fact, the Plaintiff does not even claim that BoA's loss of his cardholder information caused him severe emotional harm, and there is no evidence that it caused him any pecuniary loss. Of course, if the Plaintiff had alleged that the BoA's loss of the information caused him severe distress, the Court is doubtful this would help the Plaintiff's claim here because the direct cause of such distress would have been BoA's conduct, not the Defendant's disclosure of his SSN.

2. Retrieval from a System of Records/Willful or Intentional Disclosure

The Court also points out that, even if summary judgment were not granted for the reasons discussed above, it would still be appropriate for other reasons. "The Privacy Act does not prohibit all nonconsensual disclosures of information found in an individual's records." Krieger, 529 F.Supp.2d at 47 (internal quotation marks omitted). "Instead, liability for nonconsensual disclosures is limited by the `rule of retrieval,' which requires that the information disclosed be directly or indirectly retrieved from a system of records." Id. (internal quotation marks omitted). Accordingly,

[the] application of the rule of retrieval means, in practical effect, that even if an agency official discloses information that exists in the agency's records, the disclosure is rarely actionable unless the official physically retrieved the information from those records. If the official's knowledge of the disclosed information derives from sources that are not protected "records," then the disclosure rarely implicates the Privacy Act.

Id. (internal quotation marks omitted).

With regard to circumstances surrounding BoA card, there are conflicting accounts, as seen in the affidavits of the Plaintiff and Maglathlin. Essentially, this is a he-said, she-said situation. On summary judgment, the Court must resolve such a conflict by accepting as true the nonmovant's, i.e., the Plaintiff's, version of the facts. The Plaintiff claims that he neither gave Maglathlin his SSN nor authorized her to provide his SSN to BoA. This, however, appears to be the extent of his knowledge in this matter. There is no evidence showing that Maglathlin retrieved the Plaintiff's SSN from the Defendant's system of records. In fact, Maglathlin, in her affidavit, has stated that she did not have any access to records containing employee SSNs. Simply because the Court must assume that Maglathlin did not receive the Plaintiff's SSN from the Plaintiff himself does not mean the Court must assume that Maglathlin retrieved the SSN from the Defendant's system of records. Because the Plaintiff presents no evidence rebutting Maglathlin's affidavit in this regard, he has not demonstrated the existence of an issue of fact for the jury to decide. Thus, if there is no evidence that Maglathlin retrieved the SSN from a system of records, the Plaintiff cannot prevail on his Privacy Act claim as it pertains to the BoA card.

With regard to the circumstances surrounding the MIS training, the Court believes that summary judgment clearly is appropriate. In filling out the forms requesting permission to attend the in-person and online training, the Plaintiff himself supplied his SSN. As a result, the source of the protected information was the Plaintiff, not the Defendant's system of records.

Furthermore, the Plaintiff's argument that these forms, wherein he provided his SSN, were part of the Defendant's system of records, and therefore should not have been disclosed, lacks merit. The Plaintiff has admitted that it was the Defendant's established procedure to send copies of these forms to the training facilities. Because this was an established procedure, the Plaintiff did know, or should have known, about it. Nevertheless, he voluntarily supplied his SSN on the forms.⁹

9 This, in turn, makes irrelevant the Plaintiff's assertion that MIS did not require his SSN for training approval.

Even if the Plaintiff were to argue that he did not know about the procedure of sending copies of these forms to training facilities, such an argument would be without merit. The forms in question have sections that must be filled out by training officers and school officials from the training facility; the forms also provide, inter alia, billing instructions for the training facility. ( See dkt. # 21, Exs. 17, 19 24.) Thus, the forms themselves put the Plaintiff on notice that they (and hence their contents) would be disclosed to MIS. Yet, the Plaintiff supplied his SSN. As a result, he voluntarily disclosed his SSN to MIS. Therefore, the Plaintiff cannot prevail on his Privacy Act claim as it pertains to the MIS training.

In addition, "[t]o prevail in a Privacy Act suit, a plaintiff must prove the agency acted in a manner which was intentional or willful." Dowd v. I.R.S., 776 F.2d 1083, 1084 (2d Cir. 1985). "[T]his standard [is] somewhat greater than gross negligence." Id. "An agency acts in an intentional or willful manner either by committing the act without grounds for believing it to be lawful, or by flagrantly disregarding others' rights under the Act. . . . [T]he violation must be so patently egregious and unlawful that anyone undertaking the conduct should have known it unlawful." Deters v. U.S. Parole Comm'n, 85 F.3d 655, 660 (D.C. Cir. 1996) (internal citation and quotation marks omitted).

In the Court's view, the Plaintiff has not satisfied this burden with any of the incidents involved in this case. Under DoD regulations, "[d]isclosure of personal records [to] a contractor for the use in the performance of any DoD contract by a DoD Component is considered a disclosure within the Department of Defense. . . . The contractor is considered the agent of the contracting DoD Component and to be maintaining and receiving the records for that Component." (Dkt. #21, Ex. 15, Part C1.3.4.) Given this provision of the DoD's regulations, both Maglathlin (when providing the Plaintiff's SSN to BoA) and Piotte (when providing the Plaintiff's SSN to Raytheon) had grounds for believing that their acts were legal. As a result, even if there had been any Privacy Act violations (which the Court does not find), they were not so patently egregious and unlawful that anyone undertaking such actions should have known they were unlawful.

With regard to the MIS training, the Plaintiff wrote his SSN on the forms, which he knew or should have known were to be sent to MIS; thus, he himself disclosed the information. In that circumstance, the Defendant did not act at all, let alone act in an intentional or willful way. Therefore, even if the Plaintiff's Privacy Act allegations did not fail because the relief requested is improper and because the Plaintiff has suffered no adverse effect, they would still fail because the Plaintiff has not satisfied all the elements of his prima facie case. Consequently, the Defendant's motion for summary judgment is granted.

III. CONCLUSION

For the foregoing reasons, the Defendant's motion for summary judgment (dkt. # 21) is GRANTED. Judgment in favor of the Defendant, the Defense Contract Audit Agency, United States Department of Defense, shall enter on Count One of the complaint. Because Count One was the only count in the complaint, the clerk shall close this file.