Whether a plaintiff has standing to sue is a wellspring of dispute in the context of data breach cases, and in Spokeo, Inc. v. Robins, the U.S. Supreme Court recently made clear that the battle must be fought on two fronts. Whether suing individually or on behalf of a class, a plaintiff must allege an “injury-in-fact” — i.e., both a “concrete” and “particularized” injury — to have standing to bring a case before the courts. (Additionally, plaintiffs must show that the injury is “fairly traceable to the challenged conduct of the defendant” and “likely to be redressed by a favorable judicial decision”). In data breach cases, whether an injury is sufficiently concrete to support standing often is a point of contention.
In Spokeo, the Supreme Court made clear that the “concrete” injury requirement is not to be swept under the rug, bouncing a Fair Credit Reporting Act (“FCRA”) case back to the Ninth Circuit to determine whether the plaintiff’s allegations on that point were sufficient to keep him in court. The plaintiff sued Spokeo, which operates a “people search engine” that allows employers and other interested parties to gather information about a person, after the company allegedly performed a search on him which returned inaccurate results. The case was filed as a class action in federal court in California.
The trial court dismissed the complaint for lack of standing, but the Ninth Circuit reversed, finding that the plaintiff had sufficiently alleged a particularized injury by stating that “Spokeo violated his statutory rights, not just the statutory rights of other people” and that “Robins’s personal interests in the handling of his credit information are individualized rather than collective.” Spokeo appealed, arguing that the Ninth Circuit only analyzed half of the injury-in-fact issue, ignoring the equally important requirement that the plaintiff allege a “concrete” injury.
The Supreme Court agreed, vacated the Ninth Circuit’s decision, and remanded with instructions that the court “consider both aspects of the injury-in-fact requirement” (emphasis in original). The Supreme Court was careful to note, however, that an injury can be “concrete” without being “tangible” and that a “risk of real harm” could suffice under appropriate circumstances. On the other hand, the Court emphasized that a “mere procedural violation” will not get the job done.
The Spokeo decision is particularly significant in the context of data breach cases, where actual harm from the breach might not have materialized for any given plaintiff when a complaint is filed. Though the Supreme Court was careful to cabin its opinion, noting that it took no position on whether the Ninth Circuit was correct in determining that the “particularity” requirement was satisfied, its analysis will no doubt play a significant role in data breach litigation moving forward.
Matt has counseled clients on the evaluation of data privacy risks, responses and solutions, and he serves as a breach coach, providing analysis and advice to address data breach events, including forensics, notification pursuant to federal and state laws, credit monitoring, and public relations issues. In addition to breach response, Matt has counseled insurers on the underwriting of cyber/tech policies.
