That's a good question.
At a minimum we would find that the transaction was not in accordance with privacy law. To the extent that it's not too late to remedy the situation, one could think about how to frame the order making to provide for that situation. I don't have a precise recommendation to make, but it may be that it's too late. If it's too late, our position would govern the future. We would acknowledge, would say to the department, “This was inconsistent with privacy law; you should govern yourself accordingly.”
Theoretically, you could think in terms of damages or things like that. I'd rather try to determine whether it is too late to remedy the situation. If it's too late, I would not jump to the issue of damages. I would try to find other remedies to protect the person in the situation before the transaction, which was inconsistent with privacy law.