The world has been rocked by data breaches in recent years. Sony Pictures Entertainment, JPMorgan Chase & Co., Home Depot, Target, Michael’s Stores, Inc., Premera Blue Cross, UPS, Staples, Barnes & Noble, Starbucks, Anthem Health Insurance, CVS: each of these companies has been implicated in a data breach within the past two years, and the list goes on. In 2014, the JPMorgan Chase & Co. data breach alone affected 76 million households and seven million small businesses,[1] and this year 80 million patient records were hacked in the Anthem Health Insurance breach.[2] What happens, though, when the information is merely exposed but there is no proof of any actual harm? Spokeo Inc. v. Robins, a case pending before the Supreme Court, addresses whether plaintiffs can sue companies merely based on harm with no visible economic consequences.
On November 2, the Supreme Court heard oral argument in Spokeo, where the plaintiff, Robins, claimed that Spokeo, the people search website, disseminated false information about him, including that he is married, wealthy and employed.[3] Robins claimed that Spokeo violated the provisions of the Fair Credit Reporting Act (FCRA) by failing to notify him, and alleged that the erroneous material adversely affected his credit, insurance and employment prospects. It is important to note that there were no demonstrable adverse effects, simply the fear that the falsified information would harm him. Spokeo sought dismissal based on the fact that Robins did not suffer any “real world harm.”[4] The district court ultimately granted Spokeo’s motion to dismiss, due to the absence of concrete injuries, but the Ninth Circuit reversed this holding on appeal.
To bring these suits in the first place, plaintiffs must satisfy Article III standing and demonstrate that they have suffered an “injury in fact” that is concrete and particularized, actual or imminent, fairly traceable to the challenged action of the defendant, and that will likely be redressed by a favorable decision, as opposed to mere speculation.[5] Typically, to prove an injury in fact, plaintiffs must show some actual harm in order to claim monetary damages. Yet, sometimes, actual damages are either nonexistent or difficult to prove. Congress has enacted numerous statutes to remedy this problem and award statutory damages in such circumstances.
Although Spokeo deals with the unauthorized disclosure of information and the FCRA, it is important to note that the Supreme Court’s ruling in this case will have widespread ramifications. By ruling in favor of Robins, SCOTUS would confer Article III standing on plaintiffs based on a bare statutory violation.[6] Although this is problematic on its face for plaintiff lawsuits, the real issue is the repercussions for class action lawsuits; it essentially opens the doors for class action suits brought by plaintiffs who cannot point to any identifiable financial injury for statutory damages. Among these statutes are the Telephone Consumer Protection Act, Truth In Lending Act, Electronic Fund Transfer Act, Fair Debt Collection Practices Act, Fair Housing Act, Fair Credit Reporting Act, and Real Estate Settlement Procedures Act.
The last time the Supreme Court addressed injury sufficiency for standing was in the 2013 landmark case, Clapper v. Amnesty International USA,[7] challenging the Foreign Intelligence Surveillance Act. Justice Alito, writing for the majority, held that “respondents cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.” If Clapper is any indication, it seems that the Ninth Circuit’s holding could be reversed.
In its 2015 Cost of Data Breach Study, the Ponemon Institute found that the average cost for a data breach was $3.79 million.[8] Given the prevalence of data breaches in the past years and the multimillion-dollar settlements that have resulted, it is no surprise that some of the largest tech companies are among those who have filed amicus briefs in support of Spokeo’s petition to the Supreme Court. Companies including Facebook, eBay, Google, Yahoo, Netflix, Twitter, LinkedIn and other business groups have already joined in on the action, fearing Spokeo will pave the way for a flood of class actions from plaintiffs without a concrete injury or clear liability.[9]
Boards of directors and senior executives may have been more relaxed about the risks posed by data breaches in the past. However, with Spokeo pending, companies now should be concerned with reputational damage and the threat of even more class action lawsuits as a result of these breaches. While directors may not have much control over the Supreme Court Justices, they do retain control of their corporation and there are measures they can take to reduce the costs of the breach upfront. The Ponemon Study found that business continuity management, quicker identification of the breach, board involvement and the purchase of insurance are all factors that can reduce the cost of a data breach.
If Robins is denied standing, it is unclear what other recourse individuals will have against companies when actual harm is speculative. Companies should watch out for the Court’s ruling to ensure they can adequately guard themselves from impending liability.
[1] Ponemon Institute, “2015 Cost of Data Breach Study: Global Analysis,” available at http://nhlearningsolutions.com/Portals/0/Documents/2015-Cost-of-Data-Breach-Study.PDF
[2] http://www.bustle.com/articles/105636-the-biggest-data-breaches-of-2015-so-far-in-one-incredibly-alarming-infographic
[3] Spokeo, Inc. v. Robins, 2015 WL 4148655 (U.S.), 51 (U.S.,2015)
[4] Id. at 2.
[5] Valerie B. Barnhart, Employee Data Privacy Issues: Risk and Responsibility in Cyberincidents, 22 Westlaw Journal Class Action 2 (2015).
[6] See paragraph 2, supra, for a list of statutes.
[7] 133 S. Ct. 1138 (2013)
[8] See supra note 1.
[9] Spokeo, Inc. v. Robins, 2014 WL 2582797 (U.S.), 5