In a case that could have important implications for plaintiffs attempting to establish data breach and privacy claims, the United States Supreme Court, by a narrow 5-4 majority held that assertions of reasonable likelihood of future injury or of costs incurred to avoid potential future harm are insufficient to establish standing by plaintiffs to assert a claim in federal court. The Supreme Court rejected a challenge to the constitutionality of a federal electronic surveillance statute in Clapper v. Amnesty International, and held that fears of government interception of electronic communications were simply too speculative to confer legal standing on a plaintiffs’ group to bring suit.

The Court’s refusal to recognize standing based on fears of future harm will likely be useful to defendants in data breach and privacy cases, where the standing issue also frequently arises. Like the plaintiffs in Clapper, plaintiffs in such cases could have difficulty showing concrete harm flowing from a data breach because they often bring suit before suffering any real harm from the stolen or misused data.

If the standing principles discussed in Clapper are applied to privacy and data breach cases, the absence of concrete harm in those circumstances may very well become a significant obstacle for plaintiffs bringing suit for such claims – at least until enterprising plaintiffs can find novel ways to demonstrate more immediate impacts flowing from data breaches.

It also remains to be seen how the lower courts will apply this decision to privacy and data breach cases, and there is some contradictory law in other contexts. As reported by Edwards Wildman, the United State Supreme Court, for example, earlier elected not to consider the Ninth Circuit’s decision in Edwards v. First American Financial, wherein the Ninth Circuit held that statutory damages could be sufficient to confer Article III standing (injury in fact) for plaintiffs in June 2012.

Background of Clapper v. Amnesty International

In 2008, Congress enacted Section 1881a of the Foreign Intelligence Surveillance Act, authorizing the government to monitor communications of foreign nationals abroad. Under the statute, the government may intercept electronic communications of foreign nationals without establishing probable cause. Surveillance, however, may not be targeted at any person in the United States or any US person located abroad.

The plaintiffs, consisting of various groups that routinely communicated with foreign nationals, brought suit challenging the constitutionality of Section 1881a. Lawyers representing clients abroad (some of whom included terrorism suspects), media organizations, and human rights activists all alleged that the government would very likely monitor their communications under Section 1881a. These groups further alleged that Section 1881a compromised “their ability to locate witnesses, cultivate sources, obtain information, and communicate confidential information to their clients.” Those impacts, according to plaintiffs, caused them sufficient harm to confer standing to challenge the constitutionality of the statute.

The Court’s Decision Rejecting Plaintiffs’ Standing

In an opinion written by Justice Alito, a 5-4 majority of the Court found that plaintiffs lacked constitutional standing to sue. According to the Court, standing exists only where an injury is “concrete, particularized, and actual or imminent.” (Slip op. at 10.) Injuries that are remote or merely speculative, according to the Court, fail to establish the needed concrete injury to confer standing.

In the case before it, the Court found that plaintiffs’ alleged injury rested entirely upon their perception that the government would use the statute to intercept their communications at some point in the future. These arguments rested on a series of highly attenuated future events, none of which the Court said could be predicted with any degree of certainty. This generalized fear, the Court found, failed to show “certainly impending” harm or injury needed for standing.

One distinction between the Clapper claims and that of most privacy and breach related claims is that the Clapper plaintiffs were challenging a federal statute. The Court noted that “our standing inquiry has been especially rigorous” when the challenge is an action of another branch of the federal government, and did note that in other instances, it has found standing based on a “substantial risk” that harm will occur, which may prompt plaintiffs to reasonably incur costs to mitigate or avoid that harm.

The standing issue will likely be an important quiver in the arrow of defense counsel seeking to cripple or dismiss claims that allege only speculative or imagined future injuries. And, while this may seem welcome news to potential defendants faced with these claims, it by no means suggests that companies handling consumer data can become lax in safeguarding that data or maintaining consumer privacy.

Further, the California Attorney General very recently released an influential report calling for companies and app developers to take more stringent steps in protecting consumer privacy. See Edwards Wildman Client Advisory – CA State AG Issues Broad Report on Mobile Apps – More Obligations and Enforcement Coming (January 2013). Despite the Clapper decision, therefore, the trend is clearly toward more responsibility and regulation for companies managing consumer data. In this environment, companies would be well-advised to expect more potential liability exposure for privacy and data breach claims, not less.