Standing Your Ground: Supreme Court to Consider Standing Question Important in Data Breach Class Action Litigation

April.28.2015

Yesterday, the United States Supreme Court granted certiorari in Spokeo, Inc. v. Robins, to consider a question critical to the viability of data breach class actions: standing. Since the Court’s most recent standing decision in Clapper v. Amnesty Int’l USA, a majority of lower courts have dismissed data breach claims for failing to satisfy Article III’s injury-in-fact requirement; however, a growing chorus of lower courts have sanctioned such actions. As the Supreme Court prepares to wrestle with that split of authority during oral argument this fall, it will be tasked with deciding whether a plaintiff’s allegations concerning violations of statutory rights under the Federal Credit Reporting Act (“FCRA”) are sufficient to establish standing irrespective of any tangible injury. The ramifications of that determination are deeply significant, as the decision may either open or close the floodgates to data breach litigation throughout the country.

In Clapper v. Amnesty Int’l USA, the Supreme Court reaffirmed that Article III standing is not a speculative or conjectural concept; mere concern or fear of future harm does not suffice to confer standing. Rather, a plaintiff must demonstrate she has suffered a “concrete, particularized, and actual or imminent” injury, meaning the harm has either occurred or is “certainly impending.”

Following Clapper, plaintiffs’ lawyers have experienced significant challenges surviving motions to dismiss in data breach class action cases because the putative plaintiffs often have not suffered an identifiable injury, nor is one clearly imminent. This is especially true in cases involving compromised credit card information, login/password combination information, e-mail addresses, and location information, to name a few. In general, even though it may be possible to use such information to compromise an individual’s identity, reviewing courts have routinely held that a mere risk of identity theft (as opposed to actual theft or misuse of personal information) does not qualify as a “certainly impending” harm so as to confer standing upon plaintiff class members.^[1] However, a minority of courts (some in several high-profile data breach cases) have come to the opposite conclusion, holding that the elevated risk of misuse is sufficient to qualify as “certainly impending” and that unauthorized acquisition of personal information on its own constitutes an adequate injury for Article III purposes.^[2]

Spokeo presents an important and related standing question that may impact data breach class actions. Similar to data breach class action members who allege that compromised personal information puts them at risk of future identity theft, Thomas Robins, a private plaintiff purporting to sue on behalf of a class of millions of others, alleged only that Spokeo’s publication of inaccurate information would adversely affect his future employment prospects, not that it caused him an actual or concrete present harm.^[3] The district court dismissed the claims, and the Ninth Circuit reversed, holding that Robins’ contention that his individual FCRA rights were violated was itself a sufficient basis to confer standing, even though the risk of any tangible harm lay in the future.^[4] Unlike in failed data breach class actions, the Ninth Circuit held that the violation of statutory rights constituted a “concrete de facto injur[y].”

The stage is now set potentially to resolve the split among the lower courts and to define minimum standards for Article III standing in data breach and privacy class actions. Can a violation of a statutory right confer standing, even though there has been no tangible harm to the plaintiff? Given the high stakes nature of the issue in Spokeo—indeed, class plaintiffs sometimes assert damages north of $1 billion—the case has already attracted considerable attention, with nearly a dozen amicus briefs filed in support of the certiorari request itself.

This is an important development for all organizations in developing cybersecurity and data breach risk mitigation strategies. Should the Court uphold the Ninth Circuit’s decision, the cost of data breaches will certainly increase, counseling companies to consider heavier investments in proactive cybersecurity assessments and an increase in cyber insurance coverage. These developments are also likely being closely monitored by state and federal legislators who are already considering enacting additional consumer-friendly laws relating specifically to data privacy and security. Consumers currently have statutory private rights of action for data breaches in only a handful of states, but they are focused on violations of the breach notification provisions, as opposed to substantive security requirements. Depending on which way Spokeo comes out, states may be more proactive in creating substantive statutory rights, like in FCRA, that plaintiffs can use to, at least, establish standing in class-based claims against organizations that do not adequately protect their information.

^[1] See, e.g., Galaria v. Nationwide Mut. Ins. Co., 998 F. Supp. 2d 646, 655-60 (S.D. Ohio 2014); In re Sci. Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F. Supp. 3d 14, 26-28 (D.D.C. 2014); In re Barnes & Noble Pin Pad, 2013 U.S. Dist. LEXIS 125730, at *8-9, 12 (N.D. Ill. Sept. 3, 2013). Nor do unauthorized credit charges flowing from the breach where the credit card company declines the charges or reimburses the card holder—the injury, if any, is to the credit card company. See, e.g., Lewert v. P.F. Chang’s China Bistro, Inc., 2014 U.S. Dist. LEXIS 171142, at *7-8 (N.D. Ill. Dec. 10, 2014); Remijas v. Neiman Marcus Group, LLC, 2014 U.S. Dist. LEXIS 129574, at *9-10 (N.D. Ill. Sept. 16, 2014).

^[2] See In re Adobe Sys. Privacy Litig., 2014 U.S. Dist. LEXIS 124126, at *27-28 (N.D. Cal. Sept. 4, 2014); Moyer v. Michaels Stores, Inc., 2014 U.S. Dist. LEXIS 96588, at *19 (N.D. Ill. July 14, 2014); In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942, 962 (S.D. Cal. 2014); see also Memorandum and Order, In re Target Corp. Customer Data Sec. Breach Litigation, No. 14-mdl-2522, slip op. at 3-4 (D. Minn Dec. 18, 2014); cf. Tierney v. Advocate Health & Hosps. Corp., 2014 U.S. Dist. LEXIS 158750, at *4-6 (N.D. Ill. Sept. 4, 2014) (conferring standing upon plaintiffs who demonstrated they were notified of identity fraud but not as to those plaintiffs who simply speculated that such fraud could occur).

^[3] See Robins v. Spokeo, Inc., No. 10-cv-05306, 2011 WL 597867, at *1 (C.D. Cal. Jan. 27, 2011).

^[4] Robins v. Spokeo, Inc., 742 F.3d 409 (9th Cir. 2014).

Authors

Daniel Dunne Senior Counsel, White Collar, Investigations, Securities Litigation & Compliance, Complex Litigation & Dispute Resolution

Seattle

See my bio

D:+1 206 839 4395
E: [email protected]

Practice:

Finance Sector
Technology & Innovation Sector
White Collar, Investigations, Securities Litigation & Compliance
Complex Litigation & Dispute Resolution
Securities Litigation, Class Actions and Shareholder Derivative Lawsuits
Internal Investigations
Corporate Governance
Whistleblower & Corporate Investigations
Trials

vCard

See full bio

Daniel Dunne Senior Counsel

Seattle

Chambers USA observed Dan’s “enviable client roster includes major corporates and financial institutions, as well as company directors, officers and accountants. He is particularly active in securities-related litigation, with additional experience in shareholder disputes. Adept in the courtroom, has tried more than a dozen cases to verdict in state and federal courts.” One client characterized his cross examination of a Nobel-Laureate economist as simply “amazing.”

Dan has enjoyed considerable success in high-profile national matters with the finest law firms in the country from coast to coast, from the Delaware Court of Chancery to New York Supreme Court to the Washington Supreme Court, where he recently argued an issue of first impression under the Washington State Securities Act. Dan has active matters advising Washington’s most sophisticated legal clients with respect to securities and shareholder matters.

Dan has also been a key part of the winning Orrick team leading the defense of Credit Suisse in against an avalanche of litigation related to claims involving residential mortgage-backed securities (RMBS). Dan has acted as co-lead partner on a number of successful constitutional challenges to state and local taxes and legislation.

Marc R. Shapiro Partner, Class Action Defense, Mass Torts & Product Liability

New York

See my bio

D:+1 212 506 3546
E: [email protected]

Practice:

Finance Sector
Class Action Defense
Mass Torts & Product Liability
Financial Services Litigation
Trials
Supreme Court & Appellate
Complex Litigation & Dispute Resolution

vCard

See full bio

Marc R. Shapiro Partner

New York

Marc represents clients in federal and state court at the trial and appellate levels with a particular focus on class actions, multi-district litigation, and mass joinders. Among Marc’s current engagements, he represents Johns Hopkins University and Teachers Insurance and Annuity Association of America in over a dozen class actions arising out of a data breach of the MOVEit file transfer software; University of Washington in a pandemic-related class action seeking refunds of tuition and fees on behalf of students; ZoomInfo Technologies LLC in a data privacy class action alleging unlawful disclosure of personal information under federal and state laws; Goldman Sachs in a pay and promotion gender discrimination class action; NCAA in concussion and injury-related cases throughout the country; Marathon Oil Corporation in nationwide climate change litigation; and multiple foreign defendants in a class action arising out of allegedly defective drywall.

Recently, Marc successfully prevailed at trial before the Delaware Chancery Court and earned Litigator of the Week recognition by Law.com for defeating claims by Netflix star Julia Haart that she owns half the shares of Elite World Group; secured dismissal of a dozen class actions against the University of California and Santa Clara University brought by students seeking refunds of tuition and fees due to COVID-driven transition to remote instruction; and defeated class certification and secured affirmance on appeal by the Ninth Circuit in an employment discrimination class action against Microsoft.

Marc served as a law clerk to Judge Betty B. Fletcher of the U.S. Court of Appeals for the Ninth Circuit. Prior to joining Orrick, Marc worked as an appellate and post-conviction attorney for the Equal Justice Initiative. In that capacity, he engaged in trial level and appellate representation of clients in both state and federal court, including two cases that were briefed and argued before the United States Supreme Court.

Aravind Swaminathan Partner, Cyber, Privacy & Data Innovation, Class Action Defense

Seattle; Boston

See my bio

Practice:

Finance Sector
Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Class Action Defense
White Collar, Investigations, Securities Litigation & Compliance
Government Investigations and Enforcement Actions
Trials
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Aravind Swaminathan Partner

Seattle; Boston

A leading cybersecurity and online safety authority, Aravind is recognized by Chambers USA in Privacy and Data Security in both Litigation and Incident Response. Clients describe him as “a very talented lawyer experienced with incident responses” and “incredibly responsive and technically savvy.”

Aravind’s deep knowledge of his clients’ business objectives and technological capabilities distinguishes him as a strategic advisor and frontline crisis responder. He advises some of the world’s leading online platforms, public and private financial institutions, tech companies, higher education institutions, and critical infrastructure providers on cybersecurity, and their obligations to monitor and remove harmful or illegal content online and root out instances of child exploitation.

He is adept at guiding companies through cybersecurity incidents, having directed more than 500 data breach investigations, including enterprise-wide network intrusions to cyberattacks with national security implications. Aravind defends clients in an array of cybersecurity and privacy class actions and regulatory enforcement actions brought by the SEC, FTC, NY DFS and State AGs, and also represents individual C-level executives in criminal and civil regulatory enforcement matters.

As a former assistant United States attorney, he investigated and prosecuted a broad array of cybercrime, child exploitation cases, digital crimes, and white-collar crime cases. This first-hand knowledge of federal agencies allows him to navigate the system, partner with investigators and find creative solutions for clients.

Aravind is a member of Orrick’s Board of Directors, and he devotes much of his free time to advising independent schools on AI, online safety, and cybersecurity, and teaching and coaching.