With all the focus on data privacy, it is no surprise that courts are weighing in on this topic so that consumers can have more guidance about their legal options and organizations can tailor their breach response plans. On June 25, 2021, the issue of standing made it all the way up to the U.S. Supreme Court in TransUnion v. Ramirez, which was a limiting, business-friendly decision. With a 5-4 vote, the justices held that individuals who have their data compromised in a breach but cannot show tangible harm lack class action standing. While this provides clarification on when it is appropriate to file consumer privacy and data breach claims in federal court, the floodgates are now open for state court filings. Class action litigators, state judges, and organizations handling private consumer data need to understand what this means going forward and take steps to prepare.
TransUnion is a credit reporting company that mistakenly put terrorist labels on some consumer files. A class of 8,185 people sued the company under the Fair Credit Reporting Act (FCRA) and was awarded both statutory and punitive damages at trial amounting to around $60 million. The issue before the Supreme Court was whether standing existed, as most of the class action plaintiffs did not have their files sent to third parties. The court concluded that without any concrete harm, there was no standing. Only 1,853 of the Class Members had their inaccurate files sent out, which the court found was reputational harm sufficient to establish standing. However, there was no standing for the remaining 6,332 individuals, since all they could show was a mere statutory violation without concrete harm. The court also concluded that speculative harm, meaning the potential risk that the files with terrorist designations could be shared in the future, was not enough.
Based on the court’s ruling, TransUnion has significantly lower liability and damages to pay out as a result of this breach. Going forward, Class Members filing privacy and breach cases in federal court need to establish injury to their reputation or monetary loss to assert standing. This is a much higher bar to reach and leaves no room to merely assert an injury based on statutory violations under the FCRA or other laws that invoke consumer privacy rights.
Besides limiting the pool and scope of federal class actions, there are other repercussions that will stem from the TransUnion decision. To understand what is to come, it is important to backtrack a few years to the Spokeo decision handed down in 2016 by the Supreme Court. This was the first time the court ruled that a concrete injury is necessary to file suit under the FCRA and that a procedural violation alone is insufficient. Since then, privacy class actions have been popping up more in state courts, specifically those based on violations of biometric privacy laws, which have been a hot topic. The TransUnion decision built on this principle further by clearly defining what constitutes a concrete injury and taking speculative harm out of the running.
Because of this, it is safe to say that consumers will be even more inclined to turn to state courts with their data breach and privacy matters, even when based on a federal statute, since state courts are generally more consumer friendly and lenient on standing. As such, organizations should not discount potential liability to individuals who cannot establish concrete harm, and should account for increased state court filings in their litigation readiness plans. While the litigation risk is reduced federally, the risk of state filings remains and will likely increase dramatically. An organization’s data breach response should remain expedient and thorough, regardless of whether the breach caused tangible harm. For breaches involving identity theft or grave mishandling of data resulting in widespread distribution of private information, it is important to still anticipate federal court filings that will pass standing requirements. In matters where a data breach response was fast and effective, it will be much easier for organizations to defend federal court class actions, limit liability, and achieve dismissal based on lack of standing.
Another thing to expect is further input from the courts, both at the federal and state levels, about harm that data breaches or inaccurate information like a terrorism designation can cause to someone down the road. While an organization can have a quick and effective response to a breach that greatly limits the fallout, this alone does not mean that a tidbit of false or personal information did not make it out into the digital sphere, which can have an endless reach. This is a very hard thing to measure, as the harm could amount to nothing too serious reputationally or to measurable losses if the inaccurate information resurfaces. It will be interesting to see if any courts allow for this speculative harm in future cases involving data privacy or if the Supreme Court revisits this principle if and when there is a shift to a more consumer-friendly bench.