
Data Breach Standing: U.S. Supreme Court Declines to Revisit Data Breach Injury Debate

Over the past few weeks, the U.S. Supreme Court has twice declined to revisit a highly contested issue common in data security litigation: whether a data breach or unauthorized disclosure, without more, constitutes an injury sufficient for standing to sue. The Supreme Court’s recent decision to remand in Frank v. Gaos,[1] and subsequent refusal to decide the issue in Zappos.com, Inc. v. Stevens, Theresa, et al.,[2] indicate not only its reluctance to review this issue, but also the growing pressure on it to do so.

Data Breach Standing Overview

Standing to sue is a doctrine rooted in our constitutional understanding of a “case or controversy.”[3] The doctrine limits the category of litigants who can sue in federal court to seek redress for a legal wrong. To show standing, litigants must (1) have suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.[4]

For plaintiffs suing after a data breach, proving injury in fact can be difficult. Among the three elements, injury in fact has been the primary focus in data breach standing disputes. In particular, litigants debate whether a mere breach of someone’s personal data—without evidence of the subsequent misuse of that data—satisfies the injury in fact element. Plaintiffs previously argued that the unauthorized use of consumer data automatically constitutes injury if the act violates a statutory right. For example, in cases where a statute prohibits the unauthorized disclosure of data and provides victims with a right to sue when the statute is violated, plaintiffs previously argued that violating such a statute automatically satisfied the injury in fact requirement. In 2016, however, the Supreme Court rejected this argument in Spokeo v. Robins by finding that “standing requires a concrete injury even in the context of a statutory violation.”[5] In essence, the Supreme Court held that more was required to show the plaintiff suffered an injury in fact.

Since Spokeo, federal district and appellate courts have been split on whether data breaches or unauthorized disclosures alone satisfy the injury prong of standing.[6] The Ninth, Sixth, Seventh, and D.C. Circuits have all found that a mere data breach may be a sufficient injury, for purposes of standing, if the breach results in an “increased risk of future harm” even without evidence of actual financial loss.[7] Conversely, the Fourth and Eighth Circuits have found that a mere increased risk of future harm, without more—such as an actual financial harm—is not enough to confer standing.[8] Notwithstanding this circuit split, the Supreme Court has appeared reluctant to revisit this issue.
 
Supreme Court Reaffirms Spokeo Injury in Fact Standard in Frank
 
On March 20, the Supreme Court reiterated its ruling in Spokeo that a statutory right to sue does not automatically prove injury in fact. In Frank v. Gaos, the Supreme Court vacated the Ninth Circuit’s decision concerning a settlement for Google’s unauthorized disclosure of consumer data and remanded the case for the lower courts to determine whether the plaintiffs had in fact shown the injury necessary to confer standing.
The case arose from a class action brought against Google for allegedly violating the Stored Communications Act (SCA) by sharing individuals’ search terms with websites the individuals visited. Google argued before the lower courts that the plaintiffs failed to show any injury resulting from the SCA violation notwithstanding the statutory right to sue provided under the Act. Both the district court and Ninth Circuit disagreed and found that the SCA automatically satisfied the injury in fact requirement by granting a statutory right to sue when violated. After accepting the appeal on a separate issue, the Supreme Court found the lower courts had erred by relying on a pre-Spokeo ruling which provided standing automatically under a statutory right to sue. In vacating the lower court’s decision, the Supreme Court explained that, under the Spokeo standard, a mere statutory grant to vindicate one’s rights under the SCA did not satisfy the injury in fact standing requirement. 
 
Supreme Court Rejects Review of Data Breach Injury in Zappos
 
Five days after its decision in Frank, the Supreme Court declined to review the Ninth Circuit’s ruling in Zappos.com, Inc. v. Stevens, Theresa, et al. In Zappos, plaintiffs brought a class action against the online company for privacy breaches resulting from hackers gaining access to and allegedly stealing over 24 million online customers’ names, email addresses, billing and shipping addresses, phone numbers, credit card numbers, and passwords. Many of the plaintiffs, however, claimed they were harmed by the hacking incident itself without showing any subsequent misuse of their data.
 
At trial, Zappos argued the plaintiffs lacked standing to sue, because they had failed to show any concrete injury in fact, such as financial loss. However, the district court and the Ninth Circuit found the “increased risk of future harm” resulting from the data breach was sufficient to establish injury and confer standing.
 
On March 25, having considered Zappos’s appeal, the Supreme Court declined to review the data breach injury issue and to resolve the circuit split. 
 
Conclusion

In data security litigation, standing remains a significant threshold issue. Litigants continue to debate whether a data breach or unauthorized disclosure alone constitutes sufficient injury to confer standing. Although the circuits are split, the Supreme Court has yet to provide additional clarification since its 2016 decision in Spokeo. However, the recent appeals in cases like Frank and Zappos indicate the growing pressure on the Supreme Court to revisit the data breach standing issue.

As companies become more engaged in online services and e-commerce, their exposure to data breach and unauthorized disclosure claims has increased. However, in handling such claims, individuals and businesses should be aware of how courts in their jurisdictions view standing to sue. For guidance on responding to data breaches to minimize the risk of litigation and handling such litigation if it occurs, please contact Stephen Reynolds, Jenny Buchheit, Derek Molter or Christian Robertson. Stephen, a former computer programmer and IT analyst, is a partner and co-chair of Ice Miller’s Data Security and Privacy Practice. Jenny is a senior counsel in Ice Miller’s Litigation and Intellectual Property Groups who represents clients at both the trial and appellate levels and focuses much of her work on defending companies in both state and national putative class actions. Derek is a partner in Ice Miller’s Litigation and Appellate Practice Groups. Christian is an associate in Ice Miller’s Litigation Practice.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
 
[1] Frank v. Gaos, 586 U.S. –––– (March 20, 2019).
[2] Zappos.com, Inc. v. Stevens, Theresa, et al., ––– U.S. ––––, 2019 WL 1318579 (March 25, 2019).
[3] See U.S. Const. art. 3, § 2, cl. 1.
[4] See Lujan v. Defenders of Wildlife, 504 U.S. 555, 560, 112 S.Ct. 2130 (1992).
[5] See Spokeo, Inc. v. Robins, ––– U.S. ––––, 136 S.Ct. 1540, 1544 (2016).
[7] See In re Zappos.com, Inc., 888 F.3d 1020 (9th Cir. 2018); see also Galaria v. Nationwide Mut. Ins. Co., 663 Fed. App’x. 384 (6th Cir. 2016); see also Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015); see also Attias v. CareFirst, Inc., 865 F.3d 620 (D.C. Cir. 2017).
[8] See In re SuperValu, Inc., 870 F.3d 763 (8th Cir. 2017); see also Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017), cert. denied sub nom. Beck v. Shulkin, ––– U.S. ––––, 137 S.Ct. 2307, 198 L.Ed.2d 728 (2017).