When the United States Supreme Court decided Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), a little over a year ago, many lawyers believed the court’s decision would settle a rather simple question: if a defendant violates a statute, is that sufficient for a plaintiff to sue in federal court? Unfortunately, the Supreme Court’s decision has not provided the hoped-for clarity, as practitioners and courts still struggle with whether a statutory violation is—by itself—sufficient to confer standing. Two recent appellate court decisions highlight this issue.
In Gubala v. Time Warner Cable, Inc., — F.3d —, 2017 WL 243343 (7th Cir. Jan. 20, 2017), Time Warner failed to destroy personal information belonging to the named plaintiff. The facts were simple. Plaintiff subscribed to Time Warner’s cable services. When signing up, he gave Time Warner some personal information, including his date of birth, home address, phone number, social security number, and credit card information. Two years later, he canceled his subscription. Eight years after canceling his subscription, he discovered Time Warner still retained his personal information.
He sued Time Warner, claiming the company violated a federal statute that requires cable operators to destroy personal information when no longer necessary for the purpose for which it was collected. The district court dismissed plaintiff’s lawsuit on the ground that he lacked standing to sue. The Seventh Circuit affirmed.
Judge Posner explained that even if Time Warner violated the federal statute, nothing happened to plaintiff as a consequence. “[W]hile he might well be able to prove a violation of [the statute], he has not alleged any plausible (even if attenuated) risk of harm to himself from such a violation—any risk substantial enough to be deemed ‘concrete.’” Id. at *2. His information remained within Time Warner’s possession, and he failed to allege any plausible likelihood that Time Warner’s conduct was or would be harmful to him.
The court also rejected plaintiff’s contention that he suffered harm because Time Warner violated his privacy rights. “[T]here is no indication that Time Warner has released, or allowed anyone to disseminate, any of the plaintiff’s personal information in the company’s possession.” His information remained, at all times, in Time Warner’s possession.
The same day the Seventh Circuit released Gubala, the Third Circuit decided In re Horizon Healthcare Services Inc. Data Breach Litig., — F.3d —, 2017 WL 242554 (3d Cir. Jan. 20, 2017). There, two laptops containing personal information belonging to several plaintiffs and 839,000 others were stolen from Horizon Healthcare. Plaintiffs sued under the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq., claiming Horizon failed to take reasonable steps to safeguard their personal information from dissemination to third parties. The district court dismissed plaintiffs’ complaint for lack of standing. The Third Circuit reversed.
While the Third Circuit recognized that “there are some circumstances where the mere technical violation of a procedural requirement of a statute cannot, in and of itself, constitute an injury in fact,” the court was moved by the fact that plaintiffs’ information had been disclosed to someone not authorized to have it by a defendant alleged to be a consumer reporting agency. The information stolen was “highly personal” and the theft appeared directed toward the acquisition of such information. 2017 WL 242554 at *10 & n.19. Moreover, the laptops were unencrypted, making the personal information easily accessible. Id. On these facts, the Third Circuit had little trouble concluding that plaintiffs had standing to sue. They did not “allege a mere technical or procedural violation of [a statute]” but “instead the unauthorized dissemination of their own private information—the very injury that [the statute] is intended to prevent.”
The takeaway from Gubala and Horizon is that not all statutory violations are created equal. Some statutory violations are, by themselves, enough to create standing. Other statutory violations are not enough—either because they do not cause a harm traditionally viewed as sufficient to create standing or because they do not cause the harm that Congress was seeking to prevent by enacting the statute. Where, for example, a statutory violation results in the theft of personal information, jurisdiction may be found (Horizon), even if the information hasn’t been used to the victim’s detriment. On the other hand, a statutory violation that results in no dissemination of personal information, and, as a consequence, no risk of harm, jurisdiction is likely lacking (Gubala).