Spokeo-based challenges are now common in class actions alleging statutory violations. But disagreements remain concerning when Spokeo mandates dismissal for lack of Article III standing. Last week, two different federal appellate courts reached seemingly different conclusions about whether lower courts properly dismissed putative privacy breach class actions for failure to satisfy Article III’s concrete injury requirement. In re: Horizon Healthcare Services Inc. Data Breach Litigation, No. 15-2309, 2017 WL 242554 (3d Cir. Jan. 20, 2017) (“Horizon”) (reversing dismissal); Gubala v. Time Warner Cable, Inc., No. 16-2613, 2017 WL 243343 (7th Cir. Jan. 20, 2017) (“Gubala”) (affirming dismissal). Considered together, however, these decisions clarify when standing exists in a data breach case.
In Horizon, the named plaintiffs asserted Fair Credit Reporting Act (FCRA) claims based on allegations that their insurance carrier failed to maintain the confidentiality of their personal information, given that two of the insurer’s laptops housing their unencrypted customer data had been stolen. Rejecting a Spokeo-based challenge, the Third Circuit held:
In light of the congressional decision to create a remedy for the unauthorized transfer of personal information, a violation of FCRA gives rise to an injury sufficient for Article III standing purposes. Even without evidence that the Plaintiffs’ information was in fact used improperly, the alleged disclosure of their personal information created a de facto injury.
According to the majority, “Spokeo itself does not state that it is redefining the injury-in-fact requirement. Instead, it reemphasizes that Congress ‘has the power to define injuries.’” The Third Circuit concluded that Spokeo did not require dismissal because Congress exercised the power to define injury “with the passage of FCRA” to “establish that the unauthorized dissemination of personal information by a credit reporting agency causes an injury in and of itself – whether or not the disclosure of that information increased the risk of identity theft or some other future harm.”
In Gubala, the named plaintiff asserted that his former cable provider (Time Warner) violated the Cable Communications Policy Act (CCPA) because Time Warner failed to destroy, and instead continued to store, his personal information long after he had cancelled his subscription. In an opinion authored by Judge Posner, the Seventh Circuit held that although retaining the data was an apparent but “not certain” violation of the CCPA, the plaintiff lacked standing because he asserted only that “the retention of the information, on its own, has somehow violated a privacy right or entailed a financial loss.” (The panel left unaddressed whether standing might exist if a plaintiff alleged fear that his personal information “might have been stolen from [the company] or sold or given away by it, and if so the recipient or recipients of the information might be using it, or planning to use it, in a way that would harm him.”)
According to the Seventh Circuit, the case failed under Spokeo because “while the [plaintiff] might well be able to prove a [statutory] violation . . . , he ha[d] not alleged any plausible (even if attenuated) risk of harm to himself from such a violation – any risk substantial enough to be deemed ‘concrete.’” The Seventh Circuit declined to find a concrete injury based on plaintiff’s right to privacy because he failed to allege an actual or threatened release or dissemination of his personal information.
Takeaway: Read together, Horizon and Gubala show that the mere retention of a consumer’s private information is insufficient to confer standing, but that the actual or imminent dissemination of that information likely does confer standing.