On Monday, May 16, 2016, the Supreme Court of the United States issued its highly anticipated opinion in Spokeo, Inc. v. Robins, a case that examined the question of whether a plaintiff who ...25 May 2016
New Federal Court Decision Affirms the Standing Doctrine as a Critical Hurdle to Data Breach Actions
The court rejected the plaintiffs’ argument that their increased risk of becoming victims of fraud, identity theft, or phishing at some point in the future was sufficient to constitute “injury-in-fact.” Relying on the Supreme Court’s decision last year in Clapper v. Amnesty International USA, the court found that plaintiffs’ theory of future harm failed to meet the standing requirement that the threatened injury be “certainly impending.” In a statement with important implications for data breach claimants, the court found that “the speculative nature of the injury is further evidenced by the fact that its occurrence will depend on the decisions of independent actors,” specifically those unidentified persons who might misuse the plaintiffs’ PII. The court cited prior decisions “rejecting risk of harm as an injury in fact in the context of data breaches,” and found unpersuasive contrary authority that preceded Clapper.
The court similarly rejected plaintiffs’ argument that cognizable injury resulted from the costs they incurred in attempting to mitigate the increased risk of identity fraud through credit monitoring and the like, characterizing the argument as an attempt to “manufacture” standing based on mitigation of a hypothetical future harm. The court also rejected plaintiffs’ argument that they lost the value of their PII when they failed to plead how the value of that information had been diminished.
The inability to establish standing not only undermined most of the plaintiffs’ common law causes of action, but it also derailed their claims under the Fair Credit Report Act (FCRA). Plaintiffs alleged that Nationwide violated section 1681(b) of FCRA, which sets forth the statutory purpose as requiring consumer reporting agencies to adopt certain procedures for handling information “in accordance with the requirement of th[e] subchapter.” The court found such allegation insufficient to demonstrate standing because plaintiffs never asserted that Nationwide transgressed any particular requirement of FRCA. “To hold otherwise,” the court explained, would confer standing “on any plaintiff who alleges a defendant violated the purpose of a statute regardless of whether the defendant took or failed to take an action the statute prohibited or required.”
This finding has important implications for plaintiffs seeking to plead sufficient injury under Article III. Simply alleging that conduct ran afoul of a statute’s purpose is not enough; a plaintiff must show that defendant transgressed a specific statutory provision the violation of which constitutes a cognizable injury. It remains to be seen whether plaintiffs will be successful in asserting such an injury in future data breach suits.
The benefits of using Unmanned Aircraft Systems (UAS) for tasks from catastrophe response to infrastructure inspection to construction site monitoring, and everything in between, are great. ...19 May 2016
The health sector is under siege with cybersecurity threats. Some of the largest announced cyber attacks in U.S. history have targeted organizations in the health industry. Regulators have...02 May 2016