As we all know, the data privacy industry has been paying close attention to ongoing saga of Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), including this firm’s blog, most recently here, here and here. That spotlight is shining a little brighter on the Ninth Circuit in connection with a ruling earlier this month.
Earlier this month, the Ninth Circuit issued its most recent Spokeodecision, holding, on remand, that the plaintiff, Thomas Robins, satisfied the harm requirement for Article III standing in his FCRA claim against Spokeo. Writing for the Court, Judge Diarmuid F. O’Scannlain set forth a two-step inquiry to determine whether a plaintiff satisfies Article III standing:
(1) Was the statute at issue established to protect the plaintiff’s concrete rights?
(2) Did the specific procedural violations cause or present a material risk of actual harm to plaintiff’s concrete rights?
In regards to the first step, the Court concluded that the FCRA was intended to protect consumers from the dissemination of false information regarding credit ratings, and as such the statute was protecting a concrete right. Judge O’Scannlain reasoned that the information that was allegedly falsely reported by Spokeo is of the type that would be important to those reviewing a consumer report. Next, the Court determined that the alleged FCRA violations presented a legitimate and material risk of actual harm to the Plaintiff. It is important to note that Judge O’Scannlain’s opinion is similar to Justice Ginsburg’s dissent to the Supreme Court’s recent majority opinion, focusing its analysis on the potential harm to the plaintiff’s financial prospects in the workforce as a result of the allegedly false information.
Plaintiffs in data breach litigations are likely rejoicing in the Ninth Circuit’s most recent ruling. Judge O’Scannlain’s opinion effectively dilutes the requirement that concrete harm requirement to standing, and making it easier to maintain their litigation. Relying upon the opinion, an affected individual may argue that, similar to Robins, the potential harm to their financial prospects as a result of a data breach involving credit information is sufficient to satisfy Article III standing. The mere prospect of a harm may now be sufficient to maintain standing, at least before the Ninth Circuit.
However, it is not all bad news for defendants in data breach litigations as it is likely that application of the Ninth Circuit’s ruling will be limited. The fact-intensive analysis by the Ninth Circuit suggests that it will be difficult if not impossible to apply the ruling in a class action context. Further, the Ninth Circuit’s opinion clearly distinguished between threat of harm and threat of the statutory violation itself: while a threatened statutory violation would not satisfy standing requirements, the court concluded that an actual violation accompanied by a threatened harm was sufficient. This likely limits data breach plaintiffs until they can show an actual statutory violation by the defendant company. Finally, this opinion does nothing to bridge the significant circuit split interpreting Spokeo (see In Re: Horizon Healthcare Services Inc. Data breach Litigation, No. 15-2309 (3d Cir. 2017) v. Gubala v. Time Warner Cable, Inc., No. 16-2613 (7th Cir. 2017)).
Unfortunately, we likely wait for the inevitable petition to the U.S. Supreme Court for more guidance.
Remember, the Cyber, Data Security, and Privacy practice group attorneys are here to assist you in responding to data security incidents. Please contact Jonathan Romvary at [email protected] if you have any questions or would like more information on how this developing issue of standing may affect your company.