[BreachExchange] Data Privacy Class Actions Post-Spokeo

[Audrey McNeil]

http://www.jdsupra.com/legalnews/data-privacy-class-
actions-post-spokeo-98102/


Earlier this year, the Supreme Court, in Spokeo, Inc. v. Robins, held that
a bare procedural violation of a statutory requirement, divorced from any
concrete harm, does not establish the injury-in-fact necessary to maintain
a lawsuit in federal court. As the year comes to an end, it is clear that
Spokeo has undoubtedly had an impact on class actions involving data
privacy.

Procedural Violations of Data Privacy Statutes Do Not Satisfy Article III
Following Spokeo

Given that many data privacy statutes provide for statutory damages and
attorneys’ fees, they have become prime targets for class action attorneys.
The class action claims, however, typically stem from technical or
procedural violations of these statutes without any actual harm suffered by
the plaintiffs, subjecting these lawsuits to fresh attacks following
Spokeo. The various Courts of Appeals that have faced such challenges in
data privacy actions in the wake of Spokeo have consistently found standing
lacking under Article III.

Most recently, on December 13, 2016, the Seventh Circuit examined Spokeo in
the context of the Fair and Accurate Credit Transactions Act (FACTA) in
Meyers v. Nicolet Restaurant of de Pere, LLC.  FACTA prohibits businesses
from printing more than the last five digits of a customer’s credit card
number or the expiration date on a receipt, providing a private right of
action with statutory damages up to $1,000 for any violation. In Meyers,
the plaintiff alleged that a restaurant violated FACTA by printing the
expiration date of his credit card on his sales receipt. In analyzing
whether the plaintiff suffered a concrete harm in accordance with Spokeo,
the Court noted that the plaintiff discovered the violation immediately,
nobody else saw the non-compliant receipt, and thus it was “hard to
imagine” how the expiration date could have increased the risk that the
plaintiff’s identity would be compromised. Accordingly, the Court held that
the plaintiff failed to establish any concrete harm, nor any appreciable
risk of harm, to satisfy the injury-in-fact requirement for Article III
standing under Spokeo.

The D.C. Circuit similarly held that a data privacy class action could not
even “get out of the starting gate” with respect to standing following
Spokeo. The plaintiffs in Hancock v. Urban Outfitters, Inc. alleged
violations of D.C.’s Use of Consumer Identification Information Act, which
prohibits retailers from asking for a customer’s address in connection with
a credit card transaction. The Court held that the plaintiffs failed to
allege that they suffered any cognizable injury as a result of defendants
requesting their zip codes, noting that the plaintiffs did not allege any
invasion of privacy, increased risk of fraud or identity theft, or
pecuniary or emotional injury.  Instead, the claim rested upon a bare
violation of the statute—the very theory of standing that the Supreme Court
rejected in Spokeo.

These cases suggest that purely technical violations of data privacy
statutes will not satisfy the injury-in-fact requirement under Article
III’s standing analysis after Spokeo.  Instead, plaintiffs will need to
show that a violation caused harm, likely through the actual disclosure to
a third party or some evidence of emotional injury.

Data Breaches Likely Satisfy Article III Standing

Spokeo, however, has had less of an impact on standing in data breach class
actions. This is because, as the Supreme Court in Spokeo acknowledged, an
alleged violation of a procedural statutory right can establish the
requisite concrete injury if the violation creates “a risk of real harm.”

The Sixth Circuit recently held that a data breach creates a sufficient
“risk of real harm” to satisfy Article III. In Galaria v. Nationwide Mutual
Insurance Company, some hackers allegedly broke into an insurance company’s
computer network and stole personal identifying information of the
customers. The plaintiffs brought a class action alleging violations of the
Fair Credit Reporting Act for the company’s alleged failure to adopt
procedures to protect against the wrongful dissemination of its customers’
data.  In evaluating standing, the Court found that where a data breach
targets personal information, a reasonable inference can be drawn that the
hackers will use the victims’ data for fraudulent purposes—creating a “risk
of real harm” to support standing. The plaintiffs also alleged that they
had to expend time and money to monitor their credit, check their bank
statements, and modify their financial accounts because of the data breach.
Thus, in addition to the substantial risk of harm, the plaintiffs had
reasonably incurred mitigation costs sufficient to establish standing under
Article III.

Looking Ahead to Future Standing Challenges

Cases involving data privacy claims arguably have seen the greatest impact
from the Supreme Court’s ruling in Spokeo.  Although the line drawn between
standing and the absence of standing seems clear at the moment, plaintiffs’
attorneys are sure to create new theories of harm to attempt to satisfy
Article III’s standing requirement.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161230/01c9630f/attachment.html>