Supreme Court Leaves Standing for Privacy and Cybersecurity Cases Unresolved

Guest Commentary


By Michelle Visser, a Partner, David Cohen, Of Counsel, and Nicole Gelsomini, an Associate, with Orrick

For a printer-friendly PDF of this commentary, click here

Two recent Supreme Court developments—within just a week of each other—highlight both the central role of Article III’s injury-in-fact requirement in privacy and cybersecurity cases and the still-fractured state of the law on the issue of what satisfies that requirement in this area.  First, on March 20, 2019 in Frank v. Gaos, the Court vacated and remanded the Ninth Circuit’s approval of a class action settlement between Google and a class of Google users, directing the lower courts to determine whether the named plaintiffs had suffered a sufficiently concrete injury before approving any settlement.  586 U.S. ___ (2019) (available here).  Frank reinforces that injury in fact is a requirement at all stages of a litigation, even class settlement, but declines to answer whether the plaintiffs, who alleged a statutory violation premised on Google’s sharing of their information but arguably no resulting harm, met that bar.

Five days later, the Court again declined to clarify the injury-in-fact standard in the privacy and cybersecurity context when it denied certiorari in v. Stevens.  Zappos had appealed a Ninth Circuit decision holding that consumers whose personal information was involved in a data breach, but who suffered no resulting financial losses, had Article III standing.  (We previously analyzed the Ninth Circuit’s Zappos decision here.)  A Supreme Court judgment in Zappos would have resolved a circuit split over whether the risk of identity theft or fraud in the wake of a data breach is sufficient to confer standing.  Unfortunately, that resolution will have to wait. Continue reading “Supreme Court Leaves Standing for Privacy and Cybersecurity Cases Unresolved”