In May, the U.S. Supreme Court issued its opinion in Spokeo v. Robins, providing guidance on the “injury-in-fact” aspect of the constitutional standing requirement for putative class action plaintiffs. 136 S. Ct. 1540 (2016), as revised (May 24, 2016). Spokeo was quickly hailed by both plaintiff- and defense-side lawyers as a major victory, but in truth provided something for everyone. It requires, for example, that a plaintiff allege “a concrete injury even in the context of a statutory violation . . .” and not merely a “bare procedural violation, divorced from any concrete harm.” Id. at 1543, 1549. Further, a “concrete” injury must “actually exist” and be “real, and not abstract.” Id. at 1548. On the other hand, a “concrete” injury is not “necessarily synonymous with ‘tangible.’” Id. at 1549. Ways to determine whether “intangible” harm qualifies as “concrete” include: (1) evaluating whether the alleged harm “has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit” and (2) looking to the judgment of Congress which “has the power to define injuries and articulate chains of causation that will give rise to a case or controversy where none existed before.” Id.
How has Spokeo affected decisions on data breach and data privacy class actions? Like Spokeo itself, subsequent decisions, including several from just the past few weeks, have been somewhat mixed.
Most recently, in Yershov v. Gannett Satellite Information Network, Inc., dba USA Today, a federal court in Massachusetts denied a motion to dismiss, allowing a putative privacy class action to continue. No. CV 14-13112-FDS, 2016 WL 4607868 (D. Mass. Sept. 2, 2016). Plaintiff Yershov alleged that each time he watched a USA Today video his location information and information about the video watched was sent to a third-party data analytics company, in violation of the Video Privacy Protection Act (“VPPA”). Id. at *1. Defendant Gannett, the app manufacturer, moved to dismiss for lack of standing, arguing under Spokeo that Plaintiff had alleged only a bare statutory violation and no concrete harm. Id. Judge Saylor of the District of Massachusetts denied the motion, finding that Plaintiff had alleged a concrete, though intangible harm – an invasion of his right to privacy in his video review history. Id. at *8. The decision, in part, relied on Spokeo’s guidance to look to “both history and the judgment of Congress” to determine whether an intangible harm “constitutes [a concrete] injury in fact . . . .” Id. at *8 (quoting Spokeo, 136 S. Ct. at 1549). “Congress, by enacting the VPPA, elevated an otherwise non-actionable invasion of privacy into a concrete, legally cognizable injury,” the Court held. Id. Injury in fact was thus sufficiently alleged. Id.
Just a few days before, in Braitberg v. Charter Communications, the 8th Circuit upheld dismissal of a data privacy class action for lack of standing. No. 14-1737, 2016 WL 4698283 (8th Cir. Sept. 8, 2016). There, plaintiff Braitberg claimed that his cable provider maintained, but had not disclosed, certain of his personally identifiable information (“PII”) well after cancellation of his cable service, in alleged violation of the Cable Communications Policy Act. Id. at *1. The 8th Circuit upheld dismissal of the case, stating that, under Spokeo, plaintiff had alleged only a bare violation of a statute, and not any actual, concrete harm. Id. at *4. Plaintiff, said the Court, “identifies no material risk of harm from the retention; a speculative or hypothetical risk is insufficient.” Id.
Just a week earlier, the 6th Circuit reversed a district court ruling granting a motion to dismiss for lack of standing in Galaria v. Nationwide Mutual Insurance Co., another data breach case. Nos. 15-3386/3387, slip op. (6th Cir. Sept. 12, 2016). There, plaintiffs alleged no actual misuse of their stolen PII, but were found to have standing, based on: (1) a showing that they had a heightened risk of fraud and identity theft; and, (2) allegations that they had already spent time and money to mitigate the risk of fraudulent charges, including the monitoring of credit reports and the purchase of credit reporting services. Id. at 6-7. The court found that misuse of the data was sufficiently imminent given the likely bad intentions of the hackers: “There is no need for speculation where Plaintiffs allege that their data has already been stolen and is now in the hands of ill-intentioned criminals.” Id. at 6. In addition, the defendant had advised those affected by the breach that it would pay for bank statement and credit report monitoring, a seemingly good idea which ended up working against it: “Indeed, Nationwide seems to recognize the severity of the risk, given its offer to provide credit-monitoring and identity-theft protection for a full year.” Id. Galaria follows the approach of two pre-Spokeo data breach cases from the 7th Circuit: (1) Lewert v. P.F. Chang’s China Bistro, 819 F.3d 963 (7th Cir. 2016) and (2) Remijas v. Neiman Marcus Group, 794 F.3d 688 (7th Cir. 2015). Both cases found standing based on allegations, respectively, of increased risk of fraudulent charges and identity theft, and of actual money and time spent to protect against fraudulent charges and identity theft. It can be expected that plaintiffs will continue to make similar allegations in future data breach class actions to withstand challenges based on lack of standing.
Look for many more decisions to come as the lower courts sort through the meaning of Spokeo in the data breach and data privacy context.