United States: Spokeo Speedwagon: Employers Forced To Take Privacy Breach Cases On The Run

Last Updated: October 10 2017
Article by Adam Bridgers and Meredith Weisler Norvell

By now, most everyone has heard it from a friend who, heard it from a friend who, heard it from another about the U.S. Supreme Court's 2016 decision in Spokeo, Inc. v. Robins. It is the case being cited across the country in privacy litigation cases – primarily data breach and Fair Credit Reporting Act (FCRA) class actions – to determine whether those impacted by data breaches and other privacy violations have proper "standing" to bring their claim in court. Depending on the court of appeals claiming jurisdiction, both plaintiffs and defendants have used this decision to their advantage.

Now, however, another court has weighed in with a pivotal decision in this ongoing saga, and let's just say companies don't want it around. On remand from the Supreme Court, the 9th Circuit Court of Appeals recently gave a boost to individuals seeking to sue companies collectively for intangible harms in privacy cases. Although Thomas Robins did not suffer harm in the traditional sense when Spokeo published incorrect information about him on its online database, the 9th Circuit agreed on August 15 that Robins' allegations that the company violated procedural requirements of the FCRA were sufficiently concrete to confer standing under Article III of the U.S. Constitution.

In privacy cases like those involving the FCRA and data breaches, demonstrating "actual or imminent" harm at the pleading stage proves difficult. Often, plaintiffs' information has not yet been used in a way that has caused any actual harm. Companies have successfully used this fact, along with the reasoning in the Supreme Court's Spokeo decision, to challenge plaintiffs' standing when they bring claims alleging intangible harms, such as those alleged by Robins.

Such quick wins save companies hundreds of thousands of dollars. The new decision from the 9th Circuit and cases like it, however, give plaintiffs a path to defeat such challenges. Now companies are certainly under the gun and must prepare to take it on the run.

Setting The Stage: Talk Is Cheap When The Story Is Good

Spokeo operates a "people search engine" that generates background reports about individuals upon request, using information it gathers from various public records, social media, and other online sources. You can search for people by name, social media account, phone number, and address. Spokeo's website states that it should be used for "research" and to "reconnect" with friends and family. 

Robins sued Spokeo after learning that one of the reports about him compiled by the company contained inaccurate information, including that he had completed a higher level of education and that he was wealthier than in reality. Robins filed the suit as a class action, hoping that anyone else who fell victim to misinformation could join his claim. Spokeo promptly moved to dismiss Robins' case for lack of standing. 

In order to bring suit in federal court, plaintiffs must have "standing" under Article III of the U.S. Constitution. Standing requires, among other provisions, a plaintiff to have suffered an "injury in fact." Here, Spokeo argued that Robins failed to adequately plead that he suffered any harm as a result of the inaccurate information contained on his report, and thus did not meet this requirement. The district court agreed and dismissed the case, but the 9th Circuit reversed the district court's decision, prompting Spokeo to appeal to the Supreme Court.

In its May 16, 2016 ruling, the Supreme Court punted on the ultimate question of whether Robins had standing, finding the 9th Circuit's analysis incomplete. The Court said that the appeals court's analysis failed to determine whether the alleged injury was particularized to Robins, and therefore sufficiently concrete. The Court vacated the 9th Circuit's opinion and remanded the case with instructions to determine whether Robins' alleged injuries met the concreteness standard imposed by Article III.

You Won't Believe It, Not For A Minute: The Latest Analysis

You may not believe it, but the 9th Circuit held on August 15, 2017 that Robins satisfied Article III's concrete harm requirement. To reach this conclusion, the court examined two questions: (1) Were the statutory provisions at issue established to protect his concrete (as opposed to purely procedural) rights? (2) Did the specific procedural violations alleged in this case actually harm, or present a material risk of harm, to those interests?

For the first step, the 9th Circuit found that the FCRA was, in fact, intended to protect consumers' concrete interest in accurate credit reporting about themselves. To reach this conclusion it looked to legislative history, comparing the interests protected by the FCRA to other reputational and privacy interests that have been historically protected, including protections against defamation and libel. Even if the harm protected by the FCRA is not the exact harm protected in defamation or libel claims, "Congress has chosen to protect against a harm that is at least closely similar in kind to others that have traditionally served as the basis for lawsuit."

As for the second step, the court found that Robins sufficiently alleged FCRA violations that constituted a legitimate and material risk of actual harm to him. The court reasoned that, in many cases, a plaintiff will be unable to show a concrete injury by alleging that a consumer reporting agency simply failed to comply with an FCRA procedure. A similar difficulty arises for a data breach plaintiff when his or her information has been stolen, but is not evidenced to have been used (yet).  

Because of this conundrum, the 9th Circuit stated that the specific alleged reporting inaccuracy must be examined to ensure it raises a real risk of harm to the concrete interest protected by FCRA. The court found that the alleged false information in the case – including the misstating of Robins' marital status, education, employment history, and wealth – was the type of false information that could cause a real harm. Accordingly, the court concluded that Robins' complaint sufficiently alleged he suffered a concrete injury, and therefore had standing to proceed.

The Tales Grow Taller On Down the Line

This latest case provides insight on how federal courts, especially those in the 9th Circuit (including California, Nevada, Washington, Oregon, Arizona, and other west coast states), may resolve standing challenges involving FCRA and other privacy claims. The decision also shows a trend in courts' leniency on standing requirements in privacy litigation in general. Take, for example, the D.C. Circuit's recent decision in Attias v. CareFirst, where the court found on August 1 that a plaintiff's heightened risk of future identity theft is sufficient to show standing.

Courts are still split, however, on whether plaintiffs can properly bring a claim based solely on the risk that hackers might misuse personally identifiable information. For instance, the 4th Circuit held earlier this year in Beck v. McDonald that a group of plaintiffs could not establish the injury-in-fact required for Article III standing simply because they incurred costs to guard against identity theft and monitor their credit information. Similarly, in Fero v. Excellus Health Plan, Inc., the Western District of New York determined that standing exists if customer data is stolen and misused, but a plaintiff will not have standing if there are no actual allegations of misuse.

On the other hand, the 6th Circuit held in a similar case that plaintiffs satisfied the injury-in-fact requirement and had Article III standing based solely on the theft of their personal data because it placed them at an increased risk of identity theft.

So What Should Companies Do? Take It On the Run

The Spokeo saga will likely not end here, as the 9th Circuit's decision does little to clear up the confusion surrounding standing in privacy litigation. The case evidences an even greater split among the federal courts of appeal, and will likely result in another petition to the Supreme Court. One thing, however, is clear: the latest decision gives privacy plaintiffs yet more case law to use to show standing.

Do not fear, however. The 9th Circuit's focus on the particular facts alleged in Spokeo leaves room for companies to run with their standing arguments. Both the Supreme Court and the 9th Circuit noted that "mere technical violation[s]" may not be enough to confer standing. They declined, however, to offer any guidance as to what varieties of misinformation should fall into the harmless category, beyond the example of an erroneous zip code. As such, there is no precise inquiry to determine what sort of information tips the scales. Thus, in any case, you should still be able to argue the violations alleged against you are harmless and do not rise to the same level as those in Spokeo.

Nonetheless, companies everywhere must pay attention, as data breach and FCRA cases are increasingly brought as large, expensive class actions. Take the recent Equifax data breach, for example, which has impacted over 143 million people. Moreover, the trend among the federal courts of appeal suggests that an increasing number of jurisdictions are finding intangible harms sufficient to withstand standing challenges in privacy litigation. Thus, these sorts of cases are more apt to survive a motion to dismiss and move more quickly to class certification and discovery, which means increased litigation and settlement costs to companies.

You can hedge against the increased costs associated with cases like Spokeo through the design and implementation of effective privacy programs. For example, by identifying and categorizing data based on its requisite sensitivity level, you can design privacy programs that work to ensure sensitive information is accurate and properly protected. This, in turn, reduces the probability of such information falling into the wrong hands or being of the type that could cause harm in the hands of a third party, regardless of whether a minor technical statutory violation or massive data breach has occurred.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
