If you haven’t been closely following, you may be of the mistaken view that without evidence of actual harm, consumer plaintiffs in federal cyber breach cases have no standing. While that may have been roughly correct in 2016, the story in 2018 is more complicated, and getting better for plaintiffs.
On January 22, 2018, the U.S. Supreme Court denied Spokeo Inc.’s petition for writ of certiorari to review the Ninth Circuit’s most recent decision in Robins v. Spokeo, Inc., 867 F.3d 1108 (9th Cir. 2017) (Spokeo II). That case found that the plaintiff had Article III standing to sue Spokeo based on an alleged statutory violation of the Fair Credit Reporting Act (FCRA) and a finding that the nature of the violation raised a real risk of harm to the concrete interests that the statute protects. The plaintiff had alleged that Spokeo, a people search engine, reported inaccurate information regarding his wealth, age, marital status, educational background, and employment history. So Spokeo II won’t be the case where the Supreme Court provides additional guidance on what it meant by “intangible” yet “concrete” injuries, sufficient to meet the standing requirement set forth in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) (Spokeo I). But another such opportunity exists in the near future.
Still pending before the Supreme Court is CareFirst’s cert petition to review a D.C. Circuit’s ruling that the risk of future harm is sufficient to meet the Spokeo I standing threshold. Attias v. CareFirst, Inc., 865 F.3d 620 (D.C. Cir. 2016). CareFirst is advocating for a standard that would require plaintiffs to allege more than just inferred ill intentions of hackers; they would have to show that an alleged future injury is imminent in order to have standing. The case is scheduled to be argued on February 16, 2018, and presents another opportunity for the Supreme Court to resolve the current confusion over the standing issue.
To establish standing in federal court, a plaintiff needs to meet the constitutional minimum bar of demonstrating (1) injury-in-fact; ( 2) traceability; and (3) redressability. As the Court defined in Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992), the injury-in-fact needs to be “concrete and particularized” and “actual or imminent, not conjectural or hypothetical.” In Spokeo I, the Supreme Court found that the Ninth Circuit’s injury-in-fact analysis conflated the concreteness and particularity factors. Therefore, the Court remanded the case for the Ninth Circuit to address whether Spokeo’s procedural violations of the FCRA entailed “a degree of risk sufficient to meet the concreteness requirement.” Spokeo I, 136 S. Ct. at 1549. In what appeared to be further guidance on the matter, the Court explained that a concrete injury need not “necessarily [be] synonymous with [a] ‘tangible’ [injury].” Id. The Court pointed to both the “history and the judgment of Congress” as possible clues in determining whether an intangible harm constitutes injury-in-fact. While a per se statutory violation does not necessarily give rise to a concrete injury, “[t]his does not mean . . . that the risk of real harm cannot satisfy the requirement of concreteness.” Id. (emphasis added).
The Court’s elaboration has led to some confusion in the 20 months following Spokeo I. Various appellate cases have been interpreted to mean (1) a statutory violation could create a de facto injury sufficient to confer standing, see In re Horizon Healthcare Servs. Data Breach Litig., 846 F.3d 625 (3d Cir. 2017); (2) a statutory violation giving rise to a substantial risk of harm to the concrete interests the statute is designed to protect could support standing, see Robins v. Spokeo, Inc., 867 F.3d 1108 (9th Cir. 2017); (3) an inference of substantial risk of future harm may be drawn where hackers targeted personal information in a breach, and such an inference could support standing, see Galaria v. Nationwide Mut. Ins. Co., 663 F. App’x. 384 (6th Cir. 2016); see also Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015); and (4) only sufficient factual allegations evidencing a substantial risk of future harm or a showing that such a risk is certainly impending is able to support standing, Whalen v. Michaels Stores, Inc., 689 F. App’x. 89 (2d Cir. 2017) (summary order); Alleruzzo v. SuperValu, Inc., 870 F.3d 763 (8th Cir. 2017); Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017).
It is unclear whether these differing articulations of the standing requirement reflect a real circuit split, or are the result of different factual circumstances giving rise to different risks of future injury.
One likely explanation for the confusion may be an increasing willingness by some courts in these cases to infer concrete harm, and thereby Article III standing. In the wake of public outcry over large data breaches, this trend is not surprising. Regulators, politicians, and consumers are increasingly calling for more accountability from companies that are perceived as not having taken reasonable steps to protect their clients’ confidential data, and it appears that some courts are answering the call.
We will continue to monitor the standing issue in cyber breach cases and report here on any significant future developments.
The listed lawyers gratefully acknowledge the assistance of law clerk Mengyi Xu in preparing this post.