By Jeryn Crabb, Judge K.K. Legett Fellow at Washington Legal Foundation and a rising third-year student at Texas Tech University School of Law
With Spokeo v. Robins the US Supreme Court clarified the requirements necessary for plaintiffs to establish standing in federal court. Federal district courts are only beginning to explore those parameters, but the early applications are generally encouraging in one key area: data-breach class-action litigation.
In Spokeo, Mr. Robins alleged that Spokeo, a “people search engine,” violated the Fair Credit Reporting Act by inaccurately reporting that he was married, employed, and in good financial standing. The Court held that a plaintiff bringing suit under a federal law that defines a statutory violation as harm must allege the existence of a concrete and particularized injury in order to have standing to sue.
Writing for the Court, Justice Alito explained that for a plaintiff to establish injury-in-fact, he must “show that he … suffered ‘an invasion of a legally protected interest’ that is ‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical.’” The Court concluded that in its decision below, the US Court of Appeals for the Ninth Circuit only considered whether an injury was particularized (one which “affect[s] the plaintiff in a personal and individual way”) but failed to consider the other component of an injury-in-fact—whether the injury was concrete. Justice Alito clarified that “[a] ‘concrete’ injury must be ‘de facto;’ that is, it must actually exist” and the injury must be “‘real,’ and not ‘abstract.’” In other words, the injury must have real-world consequences. Instead of determining if Robins had standing, however, the Court remanded the case to the Ninth Circuit to determine if there was a “concrete injury.”
One area of litigation in which Spokeo could have a major impact is data-breach claims. Most data-breach lawsuits predicate their standing on the violation of a federal or state statute. Post-Spokeo, two federal trial courts have found such reliance on “injury-in-law” as insufficient to establish Article III standing in data-breach cases, while a third ruled the plaintiff had standing.
In the first case, a federal court in Maryland dismissed a class action for lack of standing. The plaintiff in Khan v. Children’s National Health System alleged that the defendant company violated state privacy laws by allowing a data breach to occur, during which patient information was released. The court determined that the plaintiff’s injury was not concrete because she failed to show how the hackers’ possession of her personal information amounted to a loss of her privacy in itself. It added that the mere risk of identity theft does not confer standing.
In another case, a federal court in Wisconsin also dismissed a suit for lack of standing. In Gubala v. Time Warner Cable, Inc., the plaintiff argued that Time Warner Cable violated the Cable Communications Policy Act when it retained his addresses, Social Security Number, and phone numbers after he had terminated his service contract. The court determined that though the plaintiff alleged a particularized injury, he did not suffer a concrete harm. The court noted that the facts before it were almost identical to those in Spokeo, and reasoned that the injury was not concrete because “the plaintiff … does not allege that the information the defendant retains is inaccurate, nor does he allege that the defendant published it, or made it available, to anyone.” The court also reasoned that the plaintiff does not allege that he has been contacted by marketers who obtained his information, nor does he allege that he is a victim of identity theft. He alleges only that the statute requires cable providers to destroy information at a certain point and that Time Warner hasn’t done it yet. The court even suggested that “the Spokeo plaintiff was a bit closer to alleging a concrete injury, because the defendant wasn’t just keeping his information; it was publishing … inaccurate information.”
The third decision in a data-breach claim post-Spokeo is Booth v. Appstack, Inc. The plaintiff filed suit in federal court in Washington alleging violations of the federal Telephone Consumer Protection Act, the Washington Dialing and Announcing Device Act, and the Washington Consumer Protection Act for the defendant’s use of automatic robocalls (prerecorded voice calls) to solicit business. The court determined that the plaintiff demonstrated a concrete injury because he was required “to waste time answering or otherwise addressing widespread robocalls.” The court additionally reasoned that because both Congress and Washington State’s legislature agreed that “such an injury is sufficiently concrete to confer standing,” waste of time sufficed as an Article III harm.
Even pre-Spokeo, in most data-breach cases, the risk of misuse of stolen information or identity theft was not sufficiently concrete to confer standing. As the district courts in Khan and Gubala explained, Spokeo confirmed that notion. The judge’s novel decision in Booth that wasted time is a sufficiently concrete injury post-Spokeo—even if Congress or the state legislature perhaps contemplated such a harm when passing the cited laws—is certainly debatable at best, and could be overturned on appeal.
The three rulings give data-breach defendants some early indications of Spokeo’s impact, but as noted above, there will be many more similar decisions to come as the plaintiffs’ bar continues to file lawsuits in this area.