By Thomas S. Markey / McNees Wallace & Nurick LLC
Privacy lawsuits, including consumer class actions and data breach cases, often live or die early in litigation when defendants seek dismissal based on plaintiffs’ lack of standing. In federal courts, where many privacy actions are filed, plaintiffs have standing only if they can establish a “personal stake” in the litigation.
In May 2016, the U.S. Supreme Court decided Spokeo, Inc. v. Robins, a decision that attempted to clarify its interpretation of the federal standing doctrine. In the year since Spokeo, however, a split has emerged among federal appellate courts regarding standing in consumer class-action lawsuits. Recent federal court decisions interpreting Spokeo, along with the well-publicized disclosures of data breaches at Yahoo! Inc., offer insight into how companies can strengthen their cybersecurity programs and minimize their exposure to data breach liability.
Standing in Federal Courts
The concept of standing is rooted in the U.S. Constitution, which empowers federal courts to decide “cases” and “controversies.” Under Supreme Court jurisprudence, a plaintiff must show injury, causation and redressability to have standing. Put differently, to survive a motion to dismiss in federal court, a plaintiff must plausibly allege an injury caused by defendant’s conduct that can be redressed through judicial action.
When data breaches occur, individuals’ personal information is often accessed, exposed or compromised. Those individuals, however, do not in each instance suffer tangible harm, such as identity theft, economic loss or a diminished credit rating. Nevertheless, those individuals may be at an increased risk of having their personal information misused in the future. Additionally, corporations sometimes engage in practices that technically violate federal consumer protection statutes, but do not cause immediate, tangible harm. The question therefore arises: Does the exposure or mishandling of an individual’s personal information confer standing upon the individual absent additional economic harm? This was the question the Supreme Court addressed in Spokeo.
Spokeo, Inc. v. Robins
The case was a putative class action stemming from alleged violations of the Fair Credit Reporting Act (FCRA). Plaintiff Thomas Robins claimed that Spokeo, an online “people search engine,” was a consumer reporting agency that violated the FCRA by reporting inaccurate information about his age, education and familial status. Aside from the reporting of inaccurate information, Robins did not claim any additional injury or economic harm.
In considering whether Robins had standing to advance his claims against Spokeo, the Supreme Court emphasized that, to have standing, a plaintiff must allege “concrete and particularized” harm. The Supreme Court held that Robins alleged a particularized injury – that is, an injury that affected him individually and not merely the public at large. The court, however, returned the case to the U.S. Court of Appeals for the Ninth Circuit for further consideration of whether the alleged injury was concrete.
In reaching its conclusion, the court observed that a “bare” procedural violation of a statute does not necessarily reach the level of concrete harm. The court opined, for example, that publishing an incorrect ZIP code would not create a concrete harm sufficient to confer standing. But in some cases, the risk of “real” harm may satisfy the concreteness requirement. Whether the inaccurate information about Robins’s age, education and familial status created a concrete injury remains an issue for the Ninth Circuit to decide.
Federal Courts Split on Meaning
Federal courts have applied Spokeo in a diverse array of contexts. For example, the Fifth Circuit recently affirmed dismissal of a case in which an attorney claimed that the Mississippi state flag, which includes the Confederate battle emblem, violated his constitutional right to equal protection. The court found no standing because the attorney failed to identify a constitutional right to be free from anxiety related to the flag.
Spokeo has also impacted consumer privacy and data security litigation, and federal courts in such contexts disagree as to its proper interpretation. In the wake of the decision, the Seventh Circuit considered a case involving the Fair and Accurate Credit Transactions Act (FACTA), Meyers v. Nicolet Restaurant of De Pere, LLC. In Meyers, a restaurant printed the expiration date of plaintiff’s credit card on his receipt in violation of FACTA. Meyers discovered the error immediately, but nobody else ever saw the receipt. Because Meyers did not suffer any additional harm, and the violation did not create any “appreciable risk of harm,” the court dismissed Meyers’s case for lack of standing. The Fourth, Fifth, Eighth, Eleventh and D.C. Circuits have reached similar results in cases involving violations of different consumer-protection statutes.
In contrast, the Third Circuit reached the opposite conclusion in a case involving children who alleged that Viacom and Google unlawfully collected their personal information on the internet. In In re Nickelodeon Consumer Privacy Litigation, the Third Circuit held that plaintiffs had standing to advance their claims under the Video Privacy Protection Act, which prohibits the disclosure of personal information related to viewers’ use of video-related services. The Third Circuit had previously ruled that violation of a statute protecting privacy may give rise to standing, and Spokeo did not alter that analysis. Although intangible, the alleged disclosure of children’s personal information was a concrete harm sufficient to establish standing. In a case involving claims under the FCRA, the Sixth Circuit reached a similar outcome.
Meanwhile, following the Supreme Court’s decision, the Ninth Circuit once again heard oral arguments in Spokeo but has not yet ruled on whether Robins alleged a concrete injury.
Yahoo Data Breaches
As post-Spokeo cases made their way through the courts, Yahoo disclosed in late 2016 that it had suffered a series of data breaches. The breaches, which actually occurred in 2013 and 2014, are estimated to have compromised the personal information of 1.5 billion users and cost Yahoo $350 million in its acquisition by Verizon Communications Inc. – not to mention the costs associated with responding to a data breach of this scale. Moreover, an investigation by an independent committee of Yahoo’s board of directors concluded that, at the time of a 2014 breach, senior executives did not properly investigate or act upon the information known by the company’s information security team.
Yahoo’s delayed response surely contributed to the number of users whose personal information was compromised. Following Yahoo’s disclosure of the breaches, dozens of class-action lawsuits were filed and subsequently consolidated under the supervision of a federal court in California. Some plaintiffs allege that hackers filed false tax returns, fraudulently opened credit card accounts in their names or had their government benefits stolen. Other plaintiffs, however, likely had their personal information exposed but may not have suffered any tangible harm to date. Thus, the role that standing will play in the Yahoo data breach litigation remains to be seen, and the Ninth Circuit’s decision in Spokeo may influence the class of plaintiffs who can maintain claims against Yahoo.
Spokeo and Yahoo Offer Guidance for Limiting Exposure
The Yahoo example and recent federal court decisions on standing offer guidance for companies in strengthening their data security programs and limiting their exposure to privacy lawsuits and liability.
First, to protect against statute-based claims, businesses should make every effort to comply with “procedural” requirements in federal statutes. The FCRA, FACTA, Video Privacy Protection Act, Fair Debt Collection Practices Act and Telephone Consumer Protection Act are among the federal statutes that commonly give rise to privacy-related class-action litigation. Although federal courts remain split as to whether procedural violations rise to the level of concrete injuries – and the line between procedural requirements and substantive rights is often blurry – complying with statutory mandates will help avoid being sued in the first place. Companies should therefore review the statutes applicable to their operations and industries and implement controls to maximize compliance and minimize the risk of errors.
Second, to protect against negligence claims, companies should review their policies related to privacy and data security. At a minimum, policies should follow industry standards. Importantly, companies must adhere to their own policies, and companies should implement practices to monitor and ensure compliance. Taking these steps may not prevent a data breach lawsuit from being filed, but will help a company show that it acted reasonably in protecting customers’ privacy, thereby minimizing the risk of liability for negligence.
Third, businesses should review their data breach response plans – or create a data breach response plan if they don’t already have one. Timely detection and an effective response can limit the harm done to subjects of a data breach, which in turn limits a company’s exposure to liability and large damages awards. For instance, if Yahoo had acted on information known in 2014, the data breaches it suffered probably would not have affected as many users. And as time passes, the number of users who suffer actual, economic harm – and therefore have indisputable standing to sue – is likely to increase.
In a business environment where data breaches are inevitable, companies can minimize the risk of being sued and incurring data-breach liability by complying with applicable laws and proactively implementing effective policies and programs related to privacy, cybersecurity and data breach response.
[Author’s Note: The citations to cases discussed in this article are as follows: Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016); Meyers v. Nicolet Restaurant of De Pere, LLC, 843 F.3d 724 (7th Cir. 2016); In re Nickelodeon Consumer Privacy Litig., 827 F.3d 262 (3d Cir. 2016); Moore v. Bryant, 2016 U.S. Dist. LEXIS 121414 (S.D. Miss. Sept. 8, 2016), affirmed, 2017 U.S. App. LEXIS 5637 (5th Cir. Mar. 31, 2017); and In re: Yahoo! Inc. Customer Data Breach Security Litigation, No. 16-MD-02752-LHK, Consolidated Class Action Complaint (Apr. 12, 2017).]
Thomas S. Markey is an associate in the litigation and privacy and data security groups at the law firm McNees Wallace & Nurick LLC. In his practice, he assists clients in becoming “compromise ready” and responding to data breaches. He can be reached at email@example.com.