In a highly anticipated decision, the Ninth Circuit ruled that violations of the Fair Credit Reporting Act (FCRA) can give rise to a concrete injury that provides grounds for standing under Article III1; however, the holding’s fact-sensitive analysis may undermine its broad applicability.
On August 15, 2017, on remand from the U.S. Supreme Court, the Ninth Circuit ruled in Robins v. Spokeo (Spokeo III) that the violation of a consumer’s statutory rights under the FCRA was sufficiently concrete and particularized to satisfy the standing requirement under Article III. Following a review of the FCRA’s text, purpose and legislative history, the Ninth Circuit found that the statutory harms alleged by the plaintiff were sufficiently concrete to meet Article III’s injury-in-fact requirement.
Spokeo Procedural Background
In 2011, Thomas Robins sued Spokeo, a “people search engine” that, in response to user-generated requests, searches a wide array of sources to collect and report information about an individual, such as their address, phone number, marital status, age, occupation, hobbies and finances. In a putative class action, Robins claimed that a profile on Spokeo stated that he was married with children, in his 50s, relatively wealthy, and had a graduate degree and a job — all of which Robins asserted were inaccurate. Under the FCRA, Robins claimed that Spokeo willfully failed to comply with the requirement that consumer reporting agencies follow reasonable procedures to assure maximum possible accuracy of consumer reports. A district court in the Ninth Circuit heard the case and held that Robins had not pleaded an injury-in-fact necessary to establish Article III standing. On appeal, the Ninth Circuit reversed, stating that “the violation of a statutory right is usually a sufficient injury-in-fact to confer standing.” The Ninth Circuit’s decision (Spokeo I) further held that Robins’ “personal interests in the handling of his credit information [was] individualized rather than collective.” On appeal, the case was granted a writ of certiorari by the Supreme Court, which issued a decision (Spokeo II) in May 2016.
The Supreme Court vacated and remanded the Ninth Circuit’s decision in Spokeo I, holding that the circuit court used an “incomplete” analysis when it ruled that consumers can sue companies for statutory violations without alleging an actual injury. In a 6-2 decision, the Supreme Court held that when determining whether a plaintiff has standing to sue for statutory violations, courts must address both aspects of the injury-in-fact standing requirement — namely, whether the plaintiff suffered an injury that is both particular and concrete.
Businesses and consumer advocates alike hailed the Spokeo II decision as a win. Businesses facing “no-injury” class actions — those in which the alleged injury is simply a violation of a statute or regulation without an actual or imminent harm — embraced the decision, expecting it would make it easier for defendants to have such claims dismissed. Consumer advocates claimed the decision as a victory as well, commenting that the decision did not eliminate outright the ability to establish an Article III standing claim for intangible harms or a material risk of harm. Rather, the decision merely clarified the need to consider concreteness and particularization.
Ninth Circuit Reversal in Spokeo III
In reaching its decision on remand, the Ninth Circuit adopted a two-part test to determine whether the plaintiff’s claim satisfied the “concrete” prong of Article III’s injury requirement: (1) whether the statutory provisions at issue were established to protect the plaintiff’s concrete interests as opposed to purely procedural rights; and (2) whether the specific procedural violations alleged actually harm, or present a material risk of harm, to such interests.
In applying the first part of the test, the court found that there is a “close relationship” between the harms contemplated by the FCRA and those traditionally protected by Congress, which has historically protected individuals against “untruthful disclosures.” In reaching this conclusion, the court relied on two factors: (1) the ubiquity and importance of consumer reports in modern life and (2) the resemblance of FCRA’s protections to “other reputational and privacy interests that have long been protected in the law.” Moreover, the court opined that “it ma[de] sense” that Congress would not require “any additional showing of injury” beyond a violation of the FCRA. By drawing on the spirit and legislative history of the FCRA, the court concluded “that the [statute’s] procedures at issue in this case were crafted to protect consumers’ (like Robins) concrete interest in accurate credit reporting about themselves” and that his interests were “real, rather than purely legal creations” and “patent on their face.”
In applying the second part of the test, the Ninth Circuit found that Robins alleged a “specific procedural violation” that actually harmed or presented a material risk of harm to his interests. While the Supreme Court in Spokeo II held that not all inaccurately reported information would create concrete harm under the FCRA, the Ninth Circuit found that in this case the nature of the alleged reporting inaccuracies were “substantially more likely to harm [Robins’] concrete interests than the Supreme Court’s example of an incorrect zip code.” Unlike an inaccurately reported zip code, the nature of the information on Robins was “the type that may be important to employers or others making use of a consumer report;” thus, his allegations “present[ed] a sincere risk of harm to the real-world interest that Congress chose to protect with the FCRA.”
The ruling in Spokeo III provides guidance to litigants in identifying the types of procedural harms that satisfy standing requirements. However, the fact-sensitivity of the Ninth Circuit ruling and the reliance on the FCRA’s legislative history suggest that the Spokeo III holding may be read narrowly.
DC Circuit’s Reversal of Data Breach Case Deepens Circuit Split
In a decision that amplifies a circuit court split regarding standing in data breach lawsuits, the D.C. Circuit allowed a case to move forward against CareFirst BlueCross BlueShield (CareFirst) despite a lack of alleged actual identity theft by the plaintiffs2. This case joins a growing body of standing cases involving data breaches in the wake of the U.S. Supreme Court’s holding in Spokeo v. Robins.
The complaint arose out of a data breach experienced by CareFirst in June 2014, in which hackers accessed personal information of CareFirst policyholders, including names, birth dates, email addresses and health insurance policy subscriber numbers. The district court concluded that the complaint did not allege that the hackers accessed the plaintiffs’ Social Security and/or credit card numbers.3 Applying Spokeo, Inc. v. Robins, which requires that the “injury in fact” alleged in the complaint must be “concrete, particularized, and … ‘actual or imminent’ rather than speculative,” the district court found that the increased risk of identity theft due to the breach alleged in the complaint was not “actual or imminent” and dismissed the case.
On appeal, a unanimous three-judge D.C. Circuit panel reinstated the class action, finding that the plaintiffs’ allegation of a substantial risk of identity theft stemming from the breach was sufficient to confer standing. The circuit court concluded that the district court erred in its interpretation of Spokeo v. Robins and noted that, according to guidance under Clapper v. Amnesty International USA, an injury may be sufficiently imminent when there is a “substantial risk” that it will happen.
The circuit court found that the complaint alleged substantial risks of both financial identity theft and medical identity theft. Unlike the district court, the circuit court concluded that the complaint did allege that the hackers gained access to Social Security numbers and credit card information in addition to names, birth dates, email addresses and policy subscriber numbers. The circuit court used “experience and common sense” to find a substantial risk of financial identity theft arising out of the hackers’ access to this information. Importantly, the court did not solely rely on the exposure of Social Security and credit card numbers to reach its conclusion. It also found there to be substantial risk that an impostor could “impersonate the victim and obtain medical services in her name,” even if the impostor had access only to the victim’s non-financial information. These substantial risks of harm exist, according to the circuit court, “simply by virtue of the hack and the nature of the data that the plaintiffs allege was taken.”
With this decision, the D.C. Circuit joins a group of federal appeals courts, including the Third, Sixth, Ninth and Eleventh Circuits, that have smoothed the path to standing for data breach plaintiffs. The decision adds to the growing body of cases in which allegations of substantial risk of future injury are sufficient to confer standing. However, certain courts, including the Second Circuit and the Fourth Circuit, have refused to confer standing in arguably similar circumstances.