Last summer, the U.S. Supreme Court seemed to make it much harder to bring privacy lawsuits, including data breach class actions, in federal court. But after about eight months of lower court decisions, the picture seems to be one of complexity rather than certainty.
A quick primer on standing, for lawyers and non-lawyers alike
The Supreme Court has been strict in holding that plaintiffs in federal court must have “standing” to sue. To establish standing, plaintiffs must show that they have suffered an “injury in fact” that is concrete, particularized, and actual or imminent. An intangible injury, such as harm to reputation, can be concrete, and, until last summer, it seemed that future injury could qualify if it was “certainly impending” or there was a “substantial risk that the harm will occur.”
This was all particularly important in data breach cases: Plaintiffs usually have strong evidence that their data was stolen (frequently in the form of a notification letter directly from the breached company), but quite often they cannot say that all (or even any) of the data subjects had personally experienced fraudulent charges or identity theft. Instead, plaintiffs often allege that they face a risk of ID theft or other future harm from misuse of their data. The courts seemed to be warming to future harm as satisfying the injury-in-fact requirement. Indeed, in April 2021, the federal Court of Appeals for the Second Circuit, in a case called McMorris, said that no court of appeals had explicitly foreclosed plaintiffs from establishing standing based on a risk of future identity theft. The appellate panel then held explicitly that “plaintiffs may establish standing based on an increased risk of identity theft or fraud following the unauthorized disclosure of their data.” (The court went on to rule that standing was not established based on the facts alleged before it.)
A few weeks later, on June 3, 2021, the Eleventh Circuit found standing based on risk in the massive Equifax case: “Given the colossal amount of sensitive data stolen, including Social Security numbers, names, and dates of birth, and the unequivocal damage that can be done with this type of data, we have no hesitation in holding that Plaintiffs adequately alleged that they face a ‘material’ and ‘substantial’ risk of identity theft that satisfies the concreteness and actual-or-imminent elements.” This was on top of earlier decisions in at least four other circuits finding standing in data breach cases based on risk of future harm.
TransUnion v. Ramirez: An apparent game changer
All that seemed to change June 25, 2021, when the Supreme Court handed down its decision in TransUnion v. Ramirez. The case arose under the Fair Credit Reporting Act, which requires credit reporting agencies to follow reasonable procedures to assure maximum possible accuracy in consumer reports. The act specifies that any person who willfully fails to comply with the act “is liable to that customer” for damages. In its credit reports, TransUnion had incorrectly tagged thousands of law-abiding Americans as being on the government’s list of terrorists, drug traffickers and serious criminals. For 1,853 people, the company had provided the incorrect reports to third parties. The court had no trouble finding injury in fact and standing for them. The court said the injury caused by the dissemination of the inaccurate information bore a close relationship to a harm traditionally recognized as providing a basis for a lawsuit in American courts — namely, the reputational harm associated with the tort of defamation — and therefore satisfied the constitutional requirement.
But as to the 8,185 class members who had been falsely tagged but whose credit reports had never been disseminated, the court ruled that the mere existence of inaccurate information in a database is insufficient to confer standing, even though Congress had said that consumers could sue a credit reporting agency that failed to assure the accuracy of its reports. Plaintiffs argued that they were at risk of future harm, in that the inaccurate reports could be disseminated at any time. That’s where the Court dropped the hammer, stating that, “in a suit for damages, the mere risk of future harm, standing alone, cannot qualify as a concrete harm.”
The court left open several avenues to standing. It suggested that a plaintiff’s knowledge that he or she is exposed to a risk of future physical, monetary or reputational harm could cause its own current emotional or psychological harm, which might suffice. It also said that disclosure to a third party, even “accidental disclosure,” might give rise to standing. After all, it granted standing to the 1,853 persons whose credit reports had in fact been sent out.
All in all, however, TransUnion looked like the death knell for data breach standing based on risk of future ID theft or other fraud.
In reality, a complex picture
I’ve complied and summarized online many of the data breach standing cases after TransUnion. I’ll continue to update the list, so let me know if I missed any and I will add them to my website as a resource. Overall, four trends stand out:
Some federal courts are reading TransUnion narrowly to still find standing for future harm. TransUnion’s rejection of future harm as the grounds for standing seemed pretty categorical. But some lower courts have found ways to avoid TransUnion’s holding. In one case, In re: Blackbaud, the district court emphasized that TransUnion was decided after a jury trial that allowed full development of the facts, but was not applicable at earlier stages of a case when courts must accept the factual assertions of the plaintiff as true. A federal district court in Florida, in Cotter v. Checkers Drive-In, said that TransUnion did not apply to a case seeking compensatory damages because TransUnion involved a suit for statutory damages. Note, however, that in both those cases, the plaintiffs alleged that some members of the proposed class had actually experienced ID theft or fraudulent charges as a result of the breach. One way to read these opinions is that the district courts were saying, “Let’s wait and see what emerges as the case progresses.” Ultimately, though, as the Supreme Court said in TransUnion, “[e]very class member must have Article III standing in order to recover individual damages.”
The McMorris factors continue to be influential, meaning that the alleged details of the breach still matter. In April 2021, in McMorris v. Carlos Lopez & Assoc., the Second Circuit identified three non-exclusive factors for deciding if the risk of future harm was great enough to create standing in a data breach case: (i) whether the plaintiffs’ data has been exposed as the result of a targeted attempt to obtain that data; (ii) whether any portion of the dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and (iii) whether the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud.
Even though, as one court put it, the “TransUnion Court’s rejection of the mere risk of future harm calls into question the continuing validity of McMorris,” courts continue to apply the McMorris factors. Thus, in February 2022, in the PracticeFirst litigation, a federal magistrate judge in New York applied the McMorris factors and found no standing where the allegations in a ransomware case did not satisfy the first factor (attack targeted at data) or the second (actual misuse of the data of any class member). In January, in Cooper v. Bonobos, another federal trial court in New York applied McMorris and found that, where plaintiffs had not alleged any misuse of their — or any other class members’ — data, they failed to meet the second factor and, because the type of data exposed (name, address, email address, order history, IP address, encrypted password and the last four digits of his credit card number) was not susceptible to misuse, they failed the third factor, resulting in dismissal. Both courts, however, seemed to assume that risk of future harm was still a valid basis for standing, if the facts aligned with the McMorris factors. In fact, that’s exactly what another federal court in New York concluded, in a case against GE and a third party service that began with a successful phishing attack, holding that there was standing based on risk of future injury where the first and second McMorris factors pointed strongly in favor of standing.
Litigants, brush up on your legal history. In its 2015 Spokeo v. Robins decision, the Supreme Court said that, in order to decide what constitutes standing, it is “instructive to consider whether an alleged harm has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts.” In TransUnion, the court said that intangible harms traditionally recognized as providing a basis for lawsuits included reputational harms (including the reputational harm associated with the tort of defamation), disclosure of private information and intrusion upon seclusion.
This means that modern day plaintiffs need to show that their claim is the same as or similar to a traditional cause of action. For example, in privacy cases alleging improper data collection, the analogy to intrusion upon seclusion might work very well. Defamation won’t work in data breach unless the data disclosed is defamatory (as it was in TransUnion, but isn’t in many breaches). The traditional tort of public disclosure of private facts might not work either because it requires, as the name suggests, disclosure to the public. However, at least two district courts, in Bohnak v. Marsh & McLennan and Griffey v. Magellan Health, held post-TransUnion that plaintiffs’ injury in a data breach case was analogous to that associated with the public disclosure of private information and therefore sufficed to create standing. This is especially interesting because, before TransUnion, courts in data breach cases had not granted standing just on the basis of the breach itself.
Ransomware does not cause injury in fact to consumers. If risk of future harm is ever to suffice, there must be some solid allegations that the data stolen is very likely to be used for identity theft or other fraud. The best way to do that, short of allegations that at least some victims’ data has already been misused, is to allege that the attack was undertaken by criminals seeking to acquire sensitive data that could be used for ID theft or other fraud. That may not be possible in garden-variety ransomware case where the data may be stolen and held for ransom but is not otherwise used by the criminals. As the court in the PracticeFirst case said in denying standing, “the primary purpose of a ransomware attack is the exchange of money for access to data, not identity theft.” In a trend beginning before TransUnion, and continuing since, Federal courts in New York, Puerto Rico, Pennsylvania and Arizona have denied standing in cases arising out of ransomware attacks.
There’s more to breach litigation than standing. Defendants facing data breach lawsuits have multiple bites at the apple in their efforts to keep cases from going before a jury. In at least one case (Bohnak v. Marsh & McLennan) where the court held, after TransUnion, that plaintiffs did have standing based on risk of future harm, the court went to dismiss the lawsuits because the harm alleged was not adequate to support the damages element of the claim being asserted. (In order to maintain a claim for negligence, for example, you need to allege damages, and risk of future harm, even if good enough to establish standing, is not good enough to allege compensable damages.)
Plaintiffs lawyers have been very inventive in advancing other theories of standing that do not depend on risk of future injury, including lost property value of compromised personal information (a theory accepted, for example, in a case against Marriott in the federal court in Maryland); lost benefit of the bargain (where the plaintiffs allege they turned over the data only because of defendant’s implied promise to protect it); and restitution for unjust enrichment. More recent cases seem to be rejecting those theories, but it is probably too soon to declare the issue settled for all federal courts.
Eight months after the Supreme Court’s ruling in TransUnion, the only thing that is clear is the lack of clarity: despite a string of Supreme Court rulings against standing, the contours of standing in federal courts for privacy or data breach remain unsettled.
Photo by Kelly Sikkema on Unsplash
The emergence of cybersecurity as a major corporate and public policy concern has also spawned a body of cybersecurity law that is rapidly evolving and far from systematic. This book serves both as a reference volume for cybersecurity practitioners and a primer for generalists and newcomers to the field.
If you want to comment on this post, you need to login.