[BreachExchange] Life Just Got Harder For Class-Action Lawyers As Court Rejects 'No-Injury' Cases

[Audrey McNeil]

http://www.forbes.com/sites/danielfisher/2016/05/16/life-just-got-harder-for-class-action-lawyers-as-court-rejects-no-injury-cases/#44e47ceb40ad

Plaintiff lawyers who have built a lucrative business over the past few
decades suing companies over minor legal breaches that arguably harmed no
one may have a tougher time bringing cases following the U.S. Supreme
Court’s decision in Spokeo Spokeo v. Robins, requiring plaintiffs to plead
a “concrete” injury to proceed in federal court.

The decision wasn’t a complete win for corporate defendants as the court
left plenty of room for creative lawyers to craft complaints that allege
their clients suffered an injury, no matter how small, from miscues like
data breaches or incorrectly worded mortgage documents. But by stating
clearly that some injury is required under Article III of the Constitution,
the court may have ended the long-profitable business of suing companies
over nothing more than  statutory damages provided under laws like the
anti-robocalling Telephone Consumer Protection Act.

“Where this has impact is on virtually any consumer protection statute that
has purely statutory damages,” said Richard Gottlieb, a partner with
Manatt, Phelps & Phillips in Los Angeles who frequently represents
financial companies. “I would predict you will see motions to dismiss in
every TCPA class action where there is no allegation explaining how the
plaintiffs were injured.”

Tech giants including Facebook FB -0.47%, Google GOOGL -0.14%, PayPal and
eBay filed friend-of-the-court briefs urging the Supreme Court to rule
against no-injury suits, saying the risk of litigation over minor data
errors exposed them to tens of billions of dollars in potential damages.

The news wasn’t so good for companies facing lawsuits over data breaches.
Justice Samuel Alito, writing for the majority, said that while a wrong ZIP
code might not be sufficient, “the risk of real harm” may serve as as a
concrete injury in some cases. The word “risk” could support lawsuits
claiming consumers have suffered real damages from a data breach that
exposes them to the real risk of identity theft and financial loss.

“Some people are going to look at this  and say, `Well, Spokeo shut down
the idea of these suits,’” said Tom Rohback, a litigator with Axinn Veltrop
& Harkrider in New York. “I think Spokeo opened the door a little.”

Spokeo was sued by Thomas Robins, who claimed the online information site
was a credit-reporting site under the Fair Credit Reporting Act — a claim
Spokeo denied — and thus liable for statutory damages of $1,000 or more for
inflating his education credentials and making other errors that may have
caused him to have a harder time finding a job. I say “may have,” since it
is extremely unlikely any potential employers actually looked at his entry
on Spokeo and Robins didn’t provide any evidence supporting the idea he was
harmed.

“Had it happened it would be alleged in the complaint,” said Gottlieb. As
it is, the suit is “the functional equivalent of staring at a three-legged
chair and saying `look! somebody could be harmed.’”

Lawyers have been doing just that for years, and courts have wrestled with
the question of  whether lawsuits claiming only  statutory damages
represent a genuine “case or controversy,” which Article III requires for
federal courts to have jurisdiction to even hear a lawsuit.

“Statutory damages has been one of the most heavily litigated areas over
the past 30 years, with the defendants mostly losing,” Gottlieb said. “This
changes that dynamic.”

The decision isn’t exactly clear on what “concrete” injuries are, however.
Plaintiffs must state claims with particularity — they affect the
individual suing, not the public at large — and cite an injury that is more
than speculative, Alito wrote. The Ninth Circuit skipped the second part of
the analysis, the court ruled, so the case must be sent back for further
consideration of whether Robins actually suffered harm.

Beyond that, the decision doesn’t offer much guidance. An incorrect ZIP
code doesn’t suffice,Alito wrote, and neither does “a bare procedural
violation, divorced from any concrete harm.” But “concrete” doesn’t mean
tangible, he went on, and in some cases Congress can define an injury and
elevate it to a status conveying standing to sue.

“It’s good in that we have an announcement from the majority of the court
that just the fact you have  a statutory violation is not enough,” said
Mary-Christine Sungaila, a partner with Haynes & Boone in California. “The
challenge is the majority didn’t tell us exactly what they meant.”

Lawyers assembling a suit over bulk faxes, for example, could argue
plaintiffs suffered a concrete injury because of the extra toner they used
printing out an unsolicited fax. But that argument might not work in the
case of unsolicited calls to a cellphone, since most consumers today have
unlimited calling plans. One thing is certain: Courts will continue to
reach different conclusions on how to handle each sort of claim.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160517/72a0ca67/attachment.html>