Following several significant data breaches in 2014 and 2015, including one reported just last week by the IRS, organizations of all types are on high alert to safeguard against data breaches and to prepare incident response plans, recognizing that no one is immune. As organizations prepare for a future business climate in which consumers and government regulators alike expect proactive risk assessment and programs to address identified vulnerabilities, there is little question that such heightened expectations will lead to significant future regulatory action and litigation in the aftermath of data breaches.
At a May 11, 2015 event hosted by U.S. PIRG and the Center for Digital Democracy, representatives from the Federal Trade Commission and Consumer Financial Protection Bureau explained their respective agencies’ future approaches to regulating privacy and data security risks in light of the increasing ability of businesses to collect large swaths of consumer data. The FTC and CFPB representatives agreed that emerging technologies have not yet been met with enactment of comprehensive, updated legislation at the federal and state levels to regulate the maintenance, use, and protection of sensitive consumer data. But both agencies indicated nonetheless that they will pursue companies that misuse consumer data using older statutes, such as the Fair Credit Reporting Act and Section 5 of the FTC Act.
As government regulators are gearing up to address perceived consumer harms with any weapons at their disposal, it is widely expected that consumers will also continue to file lawsuits against companies in the aftermath of data breaches. Class action lawsuits in the wake of earlier massive data breaches have continued to hit roadblocks over issues of standing and class certification, however, thus far limiting the viability of these types of claims. But that could change in the near future, given the decision by the United States Supreme Court to hear an appeal in Spokeo, Inc. v. Robins. It is widely expected that this case will be argued this fall.
The case deals with the hotly contested standing issue in consumer class actions, particularly whether a class of consumers can sue for money damages without having any identifiable financial or personal injuries. Although Spokeo itself is not a data breach case, it involves the issue most often underlying data breach cases – the alleged unauthorized disclosure of personal information. The plaintiff alleged that Spokeo, which gathers information from publicly available sources, disseminated inaccurate information about him on its website. The plaintiff alleged that this violates the Fair Credit Reporting Act because Spokeo failed to provide plaintiff with mandatory notices required under that statute before posting the allegedly inaccurate information. The plaintiff claims that Spokeo’s actions “caused actual harm” to his employment prospects. FCRA provides for statutory damages for certain failures to provide notice.
Spokeo sought dismissal, in part based on an argument that the plaintiff lacked standing to sue without proof of economic harm. Article III of the United States Constitution requires “concrete” injury – known as “injury-in-fact.” The District Court agreed with Spokeo and dismissed the plaintiff’s complaint, despite the availability of statutory damages, because the plaintiff alleged no concrete injury. The Ninth Circuit disagreed and reversed, holding that statutory damages are sufficient to meet Article III’s injury-in-fact requirement. The Sixth, Tenth and D.C. Circuits have held similarly to the Ninth Circuit. The Second and Fourth Circuits have held directly to the contrary. The Supreme Court will aim to resolve the split.
The implications of the Supreme Court’s treatment of the fundamental issues in Spokeo are particularly compelling for companies evaluating litigation risk associated with data breaches. These types of no-damages lawsuits are often filed in the days immediately after a data breach is announced – and almost always before consumers have suffered any consequences of identity theft or fraudulent charges in their name. If the Supreme Court decides that consumers may bring suit in federal courts without having suffered particularized injuries at the time of filing, plaintiffs’ attorneys may look to file class actions alleging claims for statutory damages under various federal or state laws without alleging any concrete injury, and those claims may survive a motion to dismiss – a major pitfall for would-be plaintiffs in many cases to date. The mere threat of millions of dollars in legal fees, even where there is no clear liability, has already resulted in multi-million dollar settlements in some of the largest data breach cases to date. Such settlements would likely proliferate, even in smaller cases, if the Spokeo case paves the way.
Many observers, however, anticipate that the Supreme Court might overturn the Ninth Circuit’s ruling in Spokeo – and thus close the courtroom’s door on consumer litigants who have not yet suffered identifiable consequences following a data breach. Thus, however the case comes out, its impact cannot be overstated. One need look no further than the 2013-14 Neiman Marcus data breach. Despite a significant data breach involving more than a million customers, a class action brought against Neiman Marcus in late 2014 in the Northern District of Illinois was dismissed because the plaintiff consumers could not demonstrate that they had suffered a sufficient “injury in fact” to maintain their lawsuit. The Neiman Marcus case is currently pending in the Seventh Circuit Court of Appeals.
Significant players in the Internet space, including Google, Facebook and eBay, among others, have sided with Spokeo and filed amicus briefs. These companies have expressed concern that affirming the Ninth Circuit’s decision would result in a flood of “no-injury” class actions under various statutes providing for statutory damages, such as FCRA, the Telephone Consumer Protection Act, the Video Privacy Protection Act and others. These industry giants are understandably interested in the outcome of this important case. Perhaps only plaintiffs’ lawyers have more to gain.