Several recent federal court decisions have shed additional light on the still-unsettled question of when a plaintiff has Article III standing to sue based on a data breach or other data security or privacy event. These cases—Attias v. CareFirst, Inc. (D.D.C.), Wood v. J. Choo USA, Inc. (S.D. Fla.), and Guarisma v. Microsoft (S.D. Fla.)—offer somewhat mixed guidance for defendants in privacy-related class action lawsuits looking to use a standing challenge as a quick escape.
We previously reported on the U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins, in which the Court remanded to the Ninth Circuit to consider the concreteness of the plaintiff’s alleged injury—requiring plaintiffs to plead more than a particularized violation of a statutory right. We also reported on Lewart v. P.F. Chang’s and Remijas v. Neiman Marcus, in which the Seventh Circuit found that customers whose credit card information had been compromised had standing to sue retail establishments. These high-profile cases provide some guidance for district courts, but leave open the questions of whether increased risk of harm or an alleged statutory violation, without actual financial harm or identity theft, is sufficient to establish Article III standing. The more recent district court decisions address these questions.
In Attias v. CareFirst, Inc., class action plaintiffs sued health insurer CareFirst after it suffered a data breach that compromised the personal information of approximately 1.1 million customers, including names, birth dates, email addresses, and subscriber identification numbers. Applying the standard from Clapper v. Amnesty International, 133 S. Ct. 1138 (2013), the District Court for the District of Columbia assessed whether the risk of identity theft to the plaintiffs was “certainly impending” or “substantial.” Distinguishing Remijas, the Attias court noted that (i) the information allegedly stolen from CareFirst did not include social security numbers or credit card information, both of which are more easily and directly used to commit fraud, and (ii) there were no plausible allegations in the complaint that the stolen information had actually been used to commit fraud. The court dismissed the action for failure to plead the existence of a “substantial risk that stolen data has been or will be misused in a harmful manner.” Essentially, the court concluded that too many assumptions had to be made before plaintiffs would suffer a concrete injury sufficient to confer Article III standing.
The Attias court also rejected the plaintiffs’ argument that they had standing based on a violation of their statutory rights under D.C.’s Consumer Protection Act, which prohibits misleading representations or promises. Citing Spokeo and other Supreme Court precedent, the court held that “statutory rights cannot confer article III standing on a plaintiff who does not have it otherwise,” because Article III standing requires concrete injury. Attias closely parallels the post-Spokeo analysis in Khan v. Children’s National Health System, 2016 U.S. Dist. LEXIS 66404 (D. Md. May 18, 2016), where the court also concluded that the plaintiff lacked standing because the threat of identity theft was too speculative and a mere statutory violation did not amount to a concrete injury.
Unlike Attias and Khan, two recent cases in the Southern District of Florida relied on Spokeo to find that plaintiffs do have standing based on alleged statutory violations. In Wood v. J. Choo USA, Inc., Case No. 15-cv-81487, 2016 WL 4249953 (S.D. Fla. Aug. 10, 2016), and Guarisma v. Microsoft, Case No. 1:15-cv-24326 (S.D. Fla. July 26, 2016), courts held that plaintiffs had standing based on allegations that they had been given credit card receipts listing more information about their credit cards than is permitted under the Fair and Accurate Credit Transactions Act (“FACTA”). In both cases, the court found that the alleged FACTA violation “constitutes a concrete injury in and of itself because Congress created a substantive right for individuals to receive printed receipts that truncate their personal credit card information, in order to decrease the ever-present threat of identity theft.” These cases seize on language in Spokeo distinguishing “procedural” rights—such as the right to notification by consumer reporting agencies of certain information—from instances where Congress has chosen to “‘elevate to the status of legally cognizable injuries, concrete, de facto injuries that were previously inadequate in law.’”
Although the law in this area will continue to develop post-Spokeo, these recent decisions suggest that courts will focus on (1) the nature of information that was compromised, (2) whether that information has been used or could imminently be used to cause harm such as identity theft, and (3) whether any alleged statutory violation is substantive or procedural.
We will continue to monitor and report on significant developments in this area of privacy law.
