Standing Your Ground: Supreme Court to Consider Standing Question Important in Data Breach Class Action Litigation

April.28.2015

Yesterday, the United States Supreme Court granted certiorari in Spokeo, Inc. v. Robins, to consider a question critical to the viability of data breach class actions:  standing.  Since the Court’s most recent standing decision in Clapper v. Amnesty Int’l USA, a majority of lower courts have dismissed data breach claims for failing to satisfy Article III’s injury-in-fact requirement; however, a growing chorus of lower courts have sanctioned such actions.  As the Supreme Court prepares to wrestle with that split of authority during oral argument this fall, it will be tasked with deciding whether a plaintiff’s allegations concerning violations of statutory rights under the Federal Credit Reporting Act (“FCRA”) are sufficient to establish standing irrespective of any tangible injury.  The ramifications of that determination are deeply significant, as the decision may either open or close the floodgates to data breach litigation throughout the country. 

In Clapper v. Amnesty Int’l USA, the Supreme Court reaffirmed that Article III standing is not a speculative or conjectural concept; mere concern or fear of future harm does not suffice to confer standing.  Rather, a plaintiff must demonstrate she has suffered a “concrete, particularized, and actual or imminent” injury, meaning the harm has either occurred or is “certainly impending.”   

Following Clapper, plaintiffs’ lawyers have experienced significant challenges surviving motions to dismiss in data breach class action cases because the putative plaintiffs often have not suffered an identifiable injury, nor is one clearly imminent.  This is especially true in cases involving compromised credit card information, login/password combination information, e-mail addresses, and location information, to name a few.  In general, even though it may be possible to use such information to compromise an individual’s identity,  reviewing courts have routinely held that a mere risk of identity theft (as opposed to actual theft or misuse of personal information) does not qualify as a “certainly impending” harm so as to confer standing upon plaintiff class members.[1]  However, a minority of courts (some in several high-profile data breach cases) have come to the opposite conclusion, holding that the elevated risk of misuse is sufficient to qualify as “certainly impending” and that unauthorized acquisition of personal information on its own constitutes an adequate injury for Article III purposes.[2] 

Spokeo presents an important and related standing question that may impact data breach class actions.  Similar to data breach class action members who allege that compromised personal information puts them at risk of future identity theft, Thomas Robins, a private plaintiff purporting to sue on behalf of a class of millions of others, alleged only that Spokeo’s publication of inaccurate information would adversely affect his future employment prospects, not that it caused him an actual or concrete present harm.[3]  The district court dismissed the claims, and the Ninth Circuit reversed, holding that Robins’ contention that his individual FCRA rights were violated was itself a sufficient basis to confer standing, even though the risk of any tangible harm lay in the future.[4]  Unlike in failed data breach class actions, the Ninth Circuit held that the violation of statutory rights constituted a “concrete de facto injur[y].”

The stage is now set potentially to resolve the split among the lower courts and to define minimum standards for Article III standing in data breach and privacy class actions.  Can a violation of a statutory right confer standing, even though there has been no tangible harm to the plaintiff?  Given the high stakes nature of the issue in Spokeo—indeed, class plaintiffs sometimes assert damages north of $1 billion—the case has already attracted considerable attention, with nearly a dozen amicus briefs filed in support of the certiorari request itself. 

This is an important development for all organizations in developing cybersecurity and data breach risk mitigation strategies.  Should the Court uphold the Ninth Circuit’s decision, the cost of data breaches will certainly increase, counseling companies to consider heavier investments in proactive cybersecurity assessments and an increase in cyber insurance coverage.  These developments are also likely being closely monitored by state and federal legislators who are already considering enacting additional consumer-friendly laws relating specifically to data privacy and security.  Consumers currently have statutory private rights of action for data breaches in only a handful of states, but they are focused on violations of the breach notification provisions, as opposed to substantive security requirements.  Depending on which way Spokeo comes out, states may be more proactive in creating substantive statutory rights, like in FCRA, that plaintiffs can use to, at least, establish standing in class-based claims against organizations that do not adequately protect their information. 

[1] See, e.g., Galaria v. Nationwide Mut. Ins. Co., 998 F. Supp. 2d 646, 655-60 (S.D. Ohio 2014); In re Sci. Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F. Supp. 3d 14, 26-28 (D.D.C. 2014); In re Barnes & Noble Pin Pad, 2013 U.S. Dist. LEXIS 125730, at *8-9, 12 (N.D. Ill. Sept. 3, 2013).  Nor do unauthorized credit charges flowing from the breach where the credit card company declines the charges or reimburses the card holder—the injury, if any, is to the credit card company.  See, e.g., Lewert v. P.F. Chang’s China Bistro, Inc., 2014 U.S. Dist. LEXIS 171142, at *7-8 (N.D. Ill. Dec. 10, 2014); Remijas v. Neiman Marcus Group, LLC, 2014 U.S. Dist. LEXIS 129574, at *9-10 (N.D. Ill. Sept. 16, 2014).  

[2] See In re Adobe Sys. Privacy Litig., 2014 U.S. Dist. LEXIS 124126, at *27-28 (N.D. Cal. Sept. 4, 2014); Moyer v. Michaels Stores, Inc., 2014 U.S. Dist. LEXIS 96588, at *19 (N.D. Ill. July 14, 2014); In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942, 962 (S.D. Cal. 2014); see also Memorandum and Order, In re Target Corp. Customer Data Sec. Breach Litigation, No. 14-mdl-2522, slip op. at 3-4 (D. Minn Dec. 18, 2014); cf. Tierney v. Advocate Health & Hosps. Corp., 2014 U.S. Dist. LEXIS 158750, at *4-6 (N.D. Ill. Sept. 4, 2014) (conferring standing upon plaintiffs who demonstrated they were notified of identity fraud but not as to those plaintiffs who simply speculated that such fraud could occur).

[3] See Robins v. Spokeo, Inc., No. 10-cv-05306, 2011 WL 597867, at *1 (C.D. Cal. Jan. 27, 2011). 

[4] Robins v. Spokeo, Inc., 742 F.3d 409 (9th Cir. 2014).​