Will Spokeo Impact Standing In Data Breach Cases?
Despite months of anticipation, the majority opinion in Spokeo, Inc. v. Robins reads more like a teacher (the Supreme Court) telling a student (the Ninth Circuit) to go back and show the work behind a long division answer before it gets graded. The question in Spokeo was whether a statutory violation of the Fair Credit Reporting Act (FCRA) satisfies the injury-in-fact prong of Article III standing. The Ninth Circuit Court of Appeals held that it did. However, a majority of the Supreme Court, while taking “no position” on the Ninth Circuit’s ultimate answer, remanded the case for further analysis of whether Spokeo’s alleged FCRA violations—disclosing inaccurate information about Robins—“entail a degree of risk sufficient to meet the concreteness” requirement of an Article III injury-in-fact. Spokeo, Inc. v. Robins, 478 U.S. ___ (2016). The majority was clear, however, that “Robins cannot satisfy the demands of Article III by alleging a bare procedural violation.” Id.
This issue bears directly on customer data breach cases where plaintiffs, whose personally identifiable information (PII) has been stolen, do not allege incurring fraudulent charges or account openings but instead allege lost time and effort spent monitoring accounts. For example, last month in Lewert v. P.F. Chang’s China Bistro, Inc., the Seventh Circuit Court of Appeals reiterated that “the increased risk of fraudulent charges and identity theft [that customers] face because their data has already been stolen… [constitute] injuries [that] are concrete enough to support a lawsuit.” 2016 WL 1459226 at *3 (7th Cir. Apr. 14, 2016). While P.F. Chang disputed “whether the plaintiffs’ [individual] data was exposed in the breach [,]” it had already admitted in its June 2014 breach announcement “that it did not know how many stores were affected.” Id. at *4. For the Seventh Circuit, this made it at least plausible that the plaintiffs’ own data had been stolen. Id.
Spokeo confirms that Seventh Circuit was correct to be “skeptical” that the mere theft of PII itself (akin to a mere FCRA violation) can support Article III standing. Id. at *4-5. Instead, plaintiffs must show “the risk of real harm” in order to satisfy “the requirement of concreteness” within an Article III injury-in-fact. Spokeo, 578 U.S. ____.