Courts and litigants find themselves standing on the precipice of Spokeo v. Robins, a monumental Supreme Court decision that could have potentially wide-ranging implications for data breach cases. Given the Court’s holding in Spokeo that a plaintiff must allege and prove more than just “a bare procedural violation” to satisfy the “concrete injury” component of standing’s injury-in-fact requirement, it may prove difficult for data-breach plaintiffs to survive challenges to their allegations of standing. For example, even if a consumer’s data has been stolen, a third party (such as a bank) may ultimately pay for any out-of-pocket losses (for instance, in the case of stolen credit card numbers). Thus, in the absence of any actual monetary losses, which is often the case, plaintiffs are forced to rely on allegations of an increased likelihood of fraud or identity theft. But as the initial influx of post-Spokeo cases makes clear, plaintiffs must establish that their risk of future harm is more than speculative, a leap which some courts have been reluctant to take.

The Spokeo Decision

Spokeo operates a “people search engine,” which searches a wide spectrum of databases to gather and provide personal information about individuals to a variety of users, including prospective employers. When Thomas Robins realized that his Spokeo-generated profile contained inaccurate information, he filed suit for alleged violations of the Fair Credit Reporting Act. The district court dismissed Robins’s complaint for lack of standing, and the Ninth Circuit reversed, noting that Robins had alleged that “Spokeo violated his statutory rights, not just the statutory rights of other people” and that “Robins’ personal interests in the handling of his credit information are individualized rather than collective.” As such, the court held that Robins had adequately alleged an injury-in-fact because it concluded that his complaint alleged “concrete, de facto” injuries.

The Supreme Court vacated and remanded because it found the Ninth Circuit’s analysis to be incomplete, explaining that both of the court’s observations concerned whether the alleged injury was particularized, not whether it was concrete. For an injury to be “particularized,” it must affect the plaintiff in a personal and individual way. But for an injury to be “concrete,” the injury must be de facto; it must actually exist; it has to be “real,” and not “abstract.”

An injury does not have to be tangible to be “concrete,” however. As the Court previously explained in Lujan, Congress may “elevate to the status of legally cognizable injuries concrete, de facto injuries that were previously inadequate at law.” At the same time, however, a plaintiff cannot satisfy the injury-in-fact requirement based solely on “a bare procedural violation.”

As the Court noted, not all violations of the FCRA’s procedural requirements cause harm or present any material risk of harm. In particular, the Court found it “difficult to imagine how the dissemination of an incorrect zip code, without more, could work any concrete harm.” But because the Ninth Circuit’s decision did not address whether the particular procedural violations Robins had alleged entailed a risk of harm sufficient to meet the concreteness requirement, the Court remanded for it to make that determination.

Post-Spokeo Data Breach (and Related) Cases

Though not itself a data breach case, Spokeo’s reverberations have already been felt throughout the lower courts. In fact, four circuit courts have already considered post-Spokeo data breach (or data-breach-esque) cases, and the results thus far are evenly split.

First came In re Nickelodeon Consumer Privacy Litig., 827 F.3d 262 (3d Cir. 2016), in which parents alleged that Viacom unlawfully disclosed to Google protected information about their children’s activities on Viacom’s websites, in violation of, among other things, the Video Privacy Protection Act, the Wiretap Act, and the Stored Communications Act. The defendants argued that, in light of Spokeo, the disclosure of information about the plaintiffs’ online activities did not constitute an injury-in-fact. The Third Circuit disagreed, concluding both that “[t]he purported injury here is clearly particularized, as each plaintiff complains about the disclosure of information relating to his or her online behavior,” and that despite being arguably “intangible,” the plaintiffs’ alleged harm was “also concrete in the sense that it involves a clear de facto injury, i.e., the unlawful disclosure of legally protected information.”

Shortly thereafter, the D.C. Circuit applied Spokeo’s rubric to a data-retention case. The plaintiffs in Hancock v. Urban Outfitters, Inc., 830 F.3d 511 (D.C. Cir. 2016), alleged that the defendants had violated two D.C. consumer protection statutes by asking the plaintiffs for their zip code in connection with credit card purchases they had made at two clothing stores. As the court explained, this case falls into Spokeo’s paradigmatic example of a no-injury procedural violation: “If, as the Supreme Court advised, disclosure of an incorrect zip code is not a concrete Article III injury, then even less so is [plaintiffs’] naked assertion that a zip code was requested and recorded without any concrete consequence.” In particular, the court noted that the plaintiffs “[did] not allege, for example, any invasion of privacy, increased risk of fraud or identity theft, or pecuniary or emotional injury.” Thus, “without any plausible allegation of Article III injury,” the court concluded that the plaintiffs lacked standing.

The Eighth Circuit reached the same conclusion in a similar case. In Braitberg v. Charter Communications, Inc., No. 14–1737, – F.3d –, 2016 WL 4698283 (8th Cir. Sept. 8, 2016), Charter was sued by its former customer for allegedly retaining his personal information “including his address, telephone number, and social security number,” after he had canceled his service. He claimed that Charter was therefore liable under the Cable Communications Policy Act, which provides that a cable operator must destroy personally identifiable information “if the information is no longer necessary for the purpose for which it was collected.” The court found that the plaintiff asserted nothing more than “a bare procedural violation, divorced from any concrete harm.” As the court explained, the plaintiff “[did] not allege that Charter has disclosed the information to a third party, that any outside party has accessed the data, or that Charter has used the information in any way during the disputed period.” In other words, like the plaintiffs in Hancock, he had “identifie[d] no material risk of harm from the retention.”

Meanwhile, the Sixth Circuit found that the plaintiffs had done just that in Galaria v. Nationwide Mut. Ins. Co., No. 15-3386, 2016 WL 4728027 (6th Cir. Sept. 12, 2016), a data breach case involving Nationwide Mutual Insurance Company. In reversing the district court’s dismissal for lack of standing, the court concluded that the “Plaintiffs’ allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs, [were] sufficient to establish a cognizable Article III injury.” Although it should be noted that the plaintiffs’ common law claims did not involve a “bare procedural violation” of some statute, Galaria is nonetheless instructive as to what allegations suffice to show a substantial risk of harm that amounts to a concrete injury. As the court explained, the plaintiffs in that case “allege[d] that the theft of their personal data places them at a continuing, increased risk of fraud and identity theft,” and “although it might not be ‘literally certain’ that Plaintiffs’ data will be misused, there is a sufficiently substantial risk of harm that incurring mitigation costs is reasonable.” Galaria is also notable in that it illustrates how a defendant’s response to a data breach may be used as evidence that the plaintiffs’ future injuries are more than speculative:

“There is no need for speculation where Plaintiffs allege that their data has already been stolen and is now in the hands of ill-intentioned criminals. Indeed, Nationwide seems to recognize the severity of the risk, given its offer to provide credit-monitoring and identity-theft protection for a full year. Where a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims’ data for the fraudulent purposes alleged in Plaintiffs’ complaints.”

As courts continue to grapple with Spokeo’s implications, it will be interesting to see what role, if any, a company’s remedial measures (some of which may be required by law) may play for purposes of determining whether plaintiffs can plausibly allege an “objectively reasonable likelihood” of eventual injury.

In the meantime, it also remains to be seen precisely what Spokeo portends in data-breach cases and other cases involving alleged statutory violations that may not result in any immediate harm to would-be plaintiffs. Only time will tell whether Spokeo will be another arrow in the quiver of defendants aiming to dismiss such cases for lack of standing, or whether parties still stand to risk falling off the precipice of standing and into the deep chasm of discovery.