[BreachExchange] Update on Data Breach and Data Privacy Class Actions Post-Spokeo

Audrey McNeil audrey at riskbasedsecurity.com
Fri Oct 14 15:33:28 EDT 2016


http://www.natlawreview.com/article/update-data-breach-and-data-privacy-class-actions-post-spokeo

In May, the U.S. Supreme Court issued its opinion in Spokeo v. Robins,
providing guidance on the “injury-in-fact” aspect of the constitutional
standing requirement for putative class action plaintiffs.  136 S. Ct. 1540
(2016), as revised (May 24, 2016).  Spokeo was quickly hailed by both
plaintiff- and defense-side lawyers as a major victory, but in truth
provided something for everyone.  It requires, for example, that a
plaintiff allege “a concrete injury even in the context of a statutory
violation . . .” and not merely a “bare procedural violation, divorced from
any concrete harm.”  Id. at 1543, 1549.  Further, a “concrete” injury must
“actually exist” and be “real, and not abstract.”  Id. at 1548.  On the
other hand, a “concrete” injury is not “necessarily synonymous with
‘tangible.’”  Id. at 1549.  Ways to determine whether “intangible” harm
qualifies as “concrete” include: (1) evaluating whether the alleged harm
“has a close relationship to a harm that has traditionally been regarded as
providing a basis for a lawsuit” and (2) looking to the judgment of
Congress which “has the power to define injuries and articulate chains of
causation that will give rise to a case or controversy where none existed
before.”  Id.

How has Spokeo affected decisions on data breach and data privacy class
actions?  Like Spokeo itself, subsequent decisions, including several from
just the past few weeks, have been somewhat mixed.

Most recently, in Yershov v. Gannett Satellite Information Network, Inc.,
dba USA Today, a federal court in Massachusetts denied a motion to dismiss,
allowing a putative privacy class action to continue.  No. CV 14-13112-FDS,
2016 WL 4607868 (D. Mass. Sept. 2, 2016).  Plaintiff Yershov alleged that
each time he watched a USA Today video his location information and
information about the video watched was sent to a third-party data
analytics company, in violation of the Video Privacy Protection Act
(“VPPA”).  Id. at *1.  Defendant Gannett, the app manufacturer, moved to
dismiss for lack of standing, arguing under Spokeo that Plaintiff had
alleged only a bare statutory violation and no concrete harm.  Id.  Judge
Saylor of the District of Massachusetts denied the motion, finding that
Plaintiff had alleged a concrete, though intangible harm – an invasion of
his right to privacy in his video review history.  Id. at *8.  The
decision, in part, relied on Spokeo’s guidance to look to “both history and
the judgment of Congress” to determine whether an intangible harm
“constitutes [a concrete] injury in fact . . . .”  Id. at *8, (quoting
Spokeo, 136 S. Ct. at 1549).  “Congress, by enacting the VPPA, elevated an
otherwise non-actionable invasion of privacy into a concrete, legally
cognizable injury,” the Court held.  Id.  Injury in fact was thus
sufficiently alleged.  Id.

Just a few days before, in Braitberg v. Charter Communications, the 8th
Circuit upheld dismissal of a data privacy class action for lack of
standing.  No. 14-1737, 2016 WL 4698283 (8th Cir. Sept. 8, 2016).  There,
plaintiff Braitberg claimed that his cable provider maintained, but had not
disclosed, certain of his personally identifiable information (“PII”) well
after cancellation of his cable service, in alleged violation of the Cable
Communications Policy Act.  Id. at *1.  The 8th Circuit upheld dismissal of
the case, stating that, under Spokeo, plaintiff had alleged only a bare
violation of a statute, and not any actual, concrete harm.  Id. at *4.
Plaintiff, said the Court, “identifies no material risk of harm from the
retention; a speculative or hypothetical risk is insufficient.”  Id.

Just a week earlier, the 6th Circuit reversed a district court ruling
granting a motion to dismiss for lack of standing in Galaria v. Nationwide
Mutual Insurance Co., another data breach case.  Nos. 15-3386/3387, slip.
op. (6th Cir., Sept. 12, 2016).  There, plaintiffs alleged no actual misuse
of their stolen PII, but were found to have standing, based on: (1) a
showing that they had a heightened risk of fraud and identity theft; and,
(2) allegations that they had already spent time and money to mitigate the
risk of fraudulent charges, including the monitoring of credit reports and
the purchase of credit reporting services.  Id. at 6-7.  The court found
that misuse of the data was sufficiently imminent given the likely bad
intentions of the hackers:  “There is no need for speculation where
Plaintiffs allege that their data has already been stolen and is now in the
hands of ill-intentioned criminals.” Id. at 6.  In addition, the defendant
had advised those affected by the breach that it would pay for bank
statement and credit report monitoring, a seemingly good idea which ended
up working against them: “Indeed, Nationwide seems to recognize the
severity of the risk, given its offer to provide credit-monitoring and
identity-theft protection for a full year.”  Id.  Galaria follows the
approach of two pre-Spokeo data breach cases from the 7th Circuit: (1)
Lewert v. P.F. Chang’s China Bistro, 819 F.3d 963 (7th Cir. 2016) and
(2) Remijas v. Neiman Marcus Group, 794 F.3d 688 (7th Cir. 2015).  Both
cases found standing based on allegations, respectively, of increased risk
of fraudulent charges and identity theft, and of actual money and time
spent to protect against fraudulent charges and identity theft.  It can be
expected that plaintiffs will continue to make similar allegations in
future data breach class actions to withstand challenges based on lack of
standing.