Just days after the Supreme Court’s ruling in Spokeo v. Robins, the highly anticipated decision is already impacting data breach class actions across the country. The defendant in the Spokeo case contended that the plaintiff had suffered no concrete injury, and that a mere statutory violation is not enough of an injury to give plaintiffs constitutional standing to sue in federal court. The Supreme Court agreed that plaintiffs must show more than a technical violation of consumer protection law to establish standing, but also that, in certain circumstances, the violation of a “procedural right” amounts to a concrete injury.
Recently, a federal judge in Maryland remanded a putative class action in Khan v. Children’s National Health System, No. 8:15-cv-02125, May 19, 2016 (U.S.D.C. of Maryland) [link to Maryland decision]. The action alleged that the company violated state privacy laws by allowing a data breach to occur in 2014, during which patient personal information was released.
In his opinion, Judge Chuang decided that the plaintiff patient failed to show how the hackers’ possession of her personal information “has diminished its value” or that she suffered a loss of privacy that is in itself an injury. Citing to Spokeo, Judge Chuang held that the plaintiff had not suffered a concrete injury (that is required even in the context of a statutory violation), and thus, lacked Article III standing in federal court. Notably, the opinion pointed out that the majority of district courts faced with the issue of Article III standing in data breach actions follow the same pattern of finding that, where there is no specific misuse of the data in question, the increased risk of identity theft does not confer standing. As the case had been removed from state court, Judge Chuang remanded it.
Although lower courts have just started to apply Spokeo, there’s no doubt that we will see an increasing number of data breach class action defendants wielding the high court’s recent decision to their benefit.