Two More Circuits Find Data Breach Standing without Proof that Plaintiffs’ Data Was Misused

Data breaches have become commonplace. Despite the best efforts of many, identity thieves and hackers always seem to find a new vulnerability somewhere in the systems of virtually every company that conducts business online. And, as the recent Facebook debacle reveals, sometimes data is even shared with legitimate third parties in ways customers neither realized nor anticipated.

The Battle for Standing

Standing is a hotly contested battleground when a data breach spawns class action litigation. After all, we regularly give our credit cards to waiters and store clerks; we regularly publicize our email addresses in all sorts of insecure ways; and much of our other personal information is readily available in one public forum or another. In all likelihood, after years of recurring data breaches, each of us has had our personal information exposed in more than one of these privacy incidents. So, why should the compromise of personally identifiable information, absent misuse of that data traceable to a specific breach, confer standing on anyone to sue any particular data breach defendant?

Courts have struggled with this issue over the years. On the one hand, Article III requires concrete actual injury or at least impending actual injury in order for a plaintiff to have standing to invoke federal jurisdiction. On the other hand, though, there is a growing concern in America that those who collect customer data should pay a price for not properly safeguarding it.

These tensions are reflected in a wide variety of standing decisions in the data breach context. Some courts (see decisions in Reilly v. Ceridian and Beck, et al. v. McDonald, et al.) have taken a dim view of the threat of future harm, i.e., an increased likelihood of future identity theft, as a proffered basis of Article III standing. Others (see decision in In re SuperValu, Inc. Customer Data Security Breach Litigation) have questioned the basis for standing where breaches only involve credit card information, but not enough information for bad actors to open new credit accounts. Still, other courts have bent over backwards to find standing in the data breach context, reasoning that time spent protecting oneself from a data breach (see Galaria/Hancox v. Nationwide Mut. Ins. Co.) or even the increased likelihood of data misuse (see Attias v. CareFirst, Inc.) is enough to confer Article III standing. Earlier this year, the Supreme Court declined to still the waters, denying CareFirst’s cert petition challenging the D.C. Circuit’s conclusion that fear of future data misuse was enough to confer standing, despite clear circuit splits over that analysis.

So, the lower court disarray over standing continues to fester. In recent days, two more circuits have joined the side of class action plaintiffs in finding standing without data misuse.

The Ninth Circuit

The Ninth Circuit, in In re Zappos.com, found sufficient standing where plaintiffs’ allegations were based on an “increased risk of identity theft.” In early 2012, the servers of an online retailer were breached. During the breach, the personal information (names, account numbers, passwords, credit card information, etc.) of over 24 million customers was compromised. Several of the affected customers filed class actions, which were consolidated at the pretrial proceedings stage. Notably, the plaintiffs involved in the recent ruling did not allege that they experienced any kind of financial loss from identity theft. Initially, the trial court dismissed the plaintiffs’ claims for lack of Article III standing. On appeal, the Ninth Circuit was tasked with deciding whether plaintiffs had standing based on the alleged risk of future harm.

Previously, the Ninth Circuit handled Article III standing of victims of data theft (see Krottner v. Starbucks Corp.). There, a laptop containing the personal information of almost 100,000 employees was stolen. Some of the affected employees sued, alleging that their harm was an “increased risk of future identity theft.” The Ninth Circuit held that the increased risk was enough to merit standing, finding that plaintiffs had “alleged a credible threat of real and immediate harm” due to the theft of the laptop containing their personally identifiable information.

In Zappos.com, the retailer asserted that the Supreme Court’s latest finding (see Clapper v. Amnesty International USA) meant that Krottner was inapplicable to the case at hand. The Clapper plaintiffs had argued that, for Article III standing, it was enough to allege that “there [was] an objectively reasonable likelihood that their communications [would] be acquired ‘at some point in the future.’” The Supreme Court ruled that “an objectively reasonable likelihood” of injury was insufficient where plaintiffs’ argument depended on a series of inferences that was “too speculative” to comprise a cognizable injury. In Krottner, unlike Clapper, no speculation was needed, because the laptop thief already had all the information necessary to open accounts and cause financial harm to plaintiffs.

Accordingly, the Ninth Circuit, having decided that Krottner and Clapper were not irreconcilable, concluded that Krottner was applicable to the Zappos plaintiffs’ claims. The Zappos plaintiffs alleged both that the compromised information could be used to commit identity theft and that their credit card numbers had been breached, leading the Ninth Circuit to find that bad actors could immediately cause plaintiffs harm. The court also pointed to other plaintiffs within the case who had already suffered identity theft as a result of the breach. The court determined that the Zappos plaintiffs sufficiently alleged an injury in fact under Krottner.

The court then assessed the remaining Article III requirements: whether the alleged risk of future harm is “fairly traceable” to the conduct challenged, and whether the injury will be redressed by the litigation. Relying on a case (see Remijas v. Neiman Marcus Group, LLC) in which the Seventh Circuit ruled that “[t]he fact that some other store might [also] have caused the plaintiffs’ private information to be exposed does nothing to negate the plaintiffs’ standing to sue” and that the injury was nonetheless “fairly traceable” to the defendant’s data breach, the Ninth Circuit determined that even if plaintiffs suffered identity theft caused by data stolen in other breaches, those other compromises would not negate their standing to sue in the case at hand. Further, the court found that the risk of identity theft was redressable by relief that could be obtained through this litigation and by compensation through damages. Consequently, the Ninth Circuit reversed the trial court’s judgment as to plaintiffs’ standing and remanded the case for further consideration.

The Seventh Circuit

Similarly, the Seventh Circuit has reinstated a data breach class action filed against Barnes & Noble (see Dieffenbach v. Barnes & Noble, Inc.). The case had previously been dismissed three times by the U.S. District Court for the Northern District of Illinois for lack of standing.

In 2012, “skimmers” breached the payment terminals in B&N stores, siphoning off customer information, e.g., names, payment card numbers, PINs, etc. Customer card information was stolen from terminals in over 60 B&N stores. Following the breach, plaintiffs filed a putative class action alleging (1) breach of implied contract (to secure payment card data); (2) violation of the Illinois Consumer Fraud & Deceptive Practices Act (ICFA); (3) violation of the California Security Breach Notification Act (DBNA); and (4) violation of the California Unfair Competition Act (UCA). In 2013, the district court first dismissed plaintiffs’ complaint without prejudice for lack of standing, ruling that plaintiffs failed to allege pecuniary harm.

In 2016, B&N submitted a motion to dismiss the amended complaint. Before the motion was submitted, however, the Seventh Circuit decided Remijas. Despite Remijas, the district court again dismissed the complaint, noting that while plaintiffs could merit standing based on the risk of future identity theft, plaintiffs still failed to allege “cognizable damages.” In 2017, the same district court, albeit a different judge, dismissed plaintiffs’ second amended complaint, finding that plaintiffs had not alleged any economic harm as a result of the breach.

The Seventh Circuit vacated the district court’s dismissal, finding that plaintiffs’ second amended complaint satisfied pleading standards relative to the injuries alleged from the breach. The court explained that alleging injury-in-fact for standing also meets the requirement of alleging a cognizable injury and entitlement to damages. Further, the court noted that “the federal rules [of civil procedure] do not require plaintiffs to identify items of loss (except for special damages).” Specifically, Federal Rule of Civil Procedure 8(a)(3) does not require plaintiffs to allege the details of their injury, and Rule 54(c) entitles plaintiffs to any legally available relief, regardless of whether the relief is pled in the complaint.

The court then looked to the injuries alleged by plaintiffs (loss of access to personal funds, time spent with law enforcement and banking representatives, card deactivation, monthly charges for credit monitoring, etc.), determining that they were sufficient to meet the cognizable damages requirements under several of the plaintiffs’ claims.

Looking Forward

It appears that a new trend is emerging at least in some of the more class-friendly circuits: finding standing in data breach class actions despite the absence of actual financial harm suffered by the plaintiffs. Likely, courts are attempting to respond to the proliferation of larger, more costly data breaches, as well as to a paradigmatic shift in sensitivity and senses of ownership over individual data. Regardless of the reasoning, it is evident that more and more plaintiffs’ counsel in data breach suits will bring their actions in these more favorable venues so as to be more assured of surviving standing inquiries. Businesses need to consider how best to prepare themselves for more vigorous, involved litigation in the data breach context. This includes planning for data breach litigation long before the data breach hits. Businesses should start by identifying and retaining knowledgeable, reliable outside data breach counsel, working with counsel to identify and retain reliable outside data breach response vendors, and doing all of that in coordination with their cyber liability insurance carriers. Those who lack cyber liability coverage should look into the coverage currently available, as this is more of a buyer’s market than it once was. Data breaches are interdisciplinary; they require a comprehensive team of legal, forensic, technological, and marketing professionals to fully and accurately assess, respond to, and ultimately remediate the damage done. Businesses cannot afford to wait until after a breach has occurred to assemble their response teams. The cost of procrastination is simply too high.

FACTA Cases Continue to Present Ideal Targets for Spokeo Challenges—Eleventh Circuit Defendants Take Particular Notice

We’ve already written about Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), in which the Supreme Court reaffirmed that all federal plaintiffs, even those alleging a statutory violation, must have suffered a real, concrete injury in order to have Article III standing. As we’ve noted in a past blog post, despite Spokeo’s clear guidance that a mere technical statutory violation, divorced from any concrete harm, is not enough to confer Article III standing, lower courts have divided on how to apply Spokeo to federal statutory class actions. Notwithstanding Spokeo’s inconsistent application in other contexts, many courts have been willing to use Spokeo as a basis to dismiss claims under the Fair and Accurate Credit Transactions Act, or FACTA. One recent example is Kirchein v. Pet Supermarket, Inc.

A quick primer: FACTA prohibits the willful printing of more than the last five digits of a consumer’s credit card number on an electronically generated receipt provided at the point of sale. Even though there is basically no evidence suggesting that consumers’ identities are at any material risk if a FACTA violation occurs, FACTA is a severely punitive statute. Damages for each FACTA violation are between $100 and $1,000, either per customer or per receipt (courts are divided on that question), with no classwide statutory damage cap. The combination of high damages, relative ease of proving violations, and availability of class certification creates strong incentives for plaintiffs to bring FACTA claims as class actions. Plaintiffs asserting FACTA claims usually define the class to exclude consumers who have suffered any actual damages. Those consumers can recover even more individually under the statute, but proving individual damages often precludes class certification. As a result, FACTA cases commonly feature a large number of unharmed class members.

Enter Spokeo. In that case, the Supreme Court held that Congress cannot declare non-injuries to be injuries for purposes of Article III:

Congress’ role in identifying and elevating intangible harms does not mean that a plaintiff automatically satisfies the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right. Article III standing requires a concrete injury even in the context of a statutory violation. For that reason, [the plaintiff] could not, for example, allege a bare procedural violation, divorced from any concrete harm, and satisfy the injury-in-fact requirement of Article III.

Spokeo’s requirement of harm beyond a mere statutory violation has been very difficult for FACTA plaintiffs to overcome. As Judge Moreno of the Southern District of Florida put it, “the Seventh and Second Circuits, as well as multiple district courts, have held that under Spokeo, a plaintiff who has not suffered any actual harm or material risk of harm lacks standing to sue for violations of the Act” (see Tarr v. Burger King Corp.). A similar case, Gesten v. Burger King Corp., suffered the same fate at the hands of Judge Scola in the Southern District of Florida.

The latest case to join this line is Kirchein, a FACTA case before Judge Scola that the parties had previously preliminarily settled. The defendant discovered through the course of the settlement process that there were more class members than expected, so it moved to vacate preliminary approval of the settlement. While the court did not directly vacate approval of the settlement, it went much further and dismissed the entire case for lack of subject matter jurisdiction. It noted that, even if it was possible that a FACTA violation could give rise to standing, the injury alleged by the plaintiff did not give rise to standing because the plaintiff did not even allege that his personal information had been involuntarily exposed to anyone.

These cases demonstrate that many garden-variety FACTA complaints are exactly what Spokeo forbids. Federal jurisdiction requires more than a pure procedural issue.

We’ll conclude with four takeaways:

  • First, Spokeo’s injury-in-fact requirement is an issue defendants should continue to press in every class action seeking only statutory damages, notwithstanding the existence of a few less-than-favorable decisions. The Southern District of Florida’s recent FACTA decisions should give defendants renewed hope in their ability to challenge standing, because these cases reflect a growing reversal of a trend of finding standing in similar cases. Many of the early post-Spokeo FACTA cases that found jurisdiction did so by relying on pre-Spokeo cases, particularly Hammer v. Sam’s East, Inc. While the Eleventh Circuit, in an unpublished opinion about the FDCPA, seemed to give Spokeo a narrow reading in Church v. Accretive Health, Inc., the court upheld dismissals on Spokeo grounds in other statutory damage cases shortly thereafter (see Meeks v. Ocwen Loan Servicing, LLC, and Nicklaw v. CitiMortgage, Inc.). Courts with FACTA claims had initially found shelter under Church to keep their cases, but time has proven that shelter far from leak-proof. For its part, the Southern District of Florida has now recognized that Spokeo often has dispositive implications for FACTA class actions, and that the pre-Spokeo Hammer case is obsolete.
  • Second, on a related point, defendants may benefit from pressing a Spokeo challenge even if outright dismissal is unlikely. Plaintiffs can be forced into making individualized allegations about how they were personally harmed. Those allegations can then be used as a lever to upend class certification on commonality, typicality, and predominance grounds.
  • Third, while FACTA is particularly egregious in penalizing what looks to be harmless conduct, claims seeking statutory damages under other federal and state statutes are also vulnerable to Spokeo. Alleged technical violations of notice provisions under the FDCPA can, in some instances, be pure touch fouls with no harm. Other kinds of data breach claims, such as state-law negligence or privacy claims arising from payment card hacking, are another context in which Spokeo may apply when plaintiffs allege nothing more than an increased risk of identity theft.
  • Fourth, watch out for removal issues. While FACTA raises a federal question and an automatic chance to remove a case, a motion under Spokeo can easily result in a remand. Burger King found this out the hard way: After Judge Scola dismissed the Gesten case, the plaintiff re-filed in state court. Burger King removed, but the district court remanded, noting that Burger King had previously successfully argued that federal jurisdiction does not exist.

Call Me, Maybe? The D.C. Circuit Says Your Smartphone Is Not an Autodialer

The nation breathed a little easier last Friday when the D.C. Circuit ruled that Americans can call or text from their smartphones without violating federal law. That’s because the D.C. Circuit has set aside the Federal Communications Commission’s definition of what constitutes an “autodialer,” a definition that, before last Friday, included the ubiquitous device half of you are using right now to read these words. And since we use these devices to keep in touch, the FCC’s definition – carried to its logical extreme – could have led to liability under the Telephone Consumer Protection Act (TCPA) for almost every unsolicited call or text using a smartphone. The FCC’s overly expansive definition is no more, however, because the D.C. Circuit ruled in a long-awaited opinion that it was arbitrary and capricious.

The FCC had said that a device with the potential capacity to store and dial telephone numbers using a random number generator was an “automated telephone dialing system” covered by the TCPA. That definition caused the TCPA to “assume an eye-popping sweep,” wrote the D.C. Circuit, since just about every smartphone has the potential (either straight from the factory or when the right app is downloaded) to perform those functions. As a result, “nearly every American is a TCPA-violator-in-waiting, if not a violator-in-fact” because, under the FCC’s “autodialer” definition, “every uninvited communication from a smartphone infringes federal law.” The D.C. Circuit recognized that Congress never intended the TCPA to “constrain [the activities of] hundreds of millions of everyday callers,” so the FCC’s “autodialer” definition could not stand.

The FCC had also said that callers who violated the TCPA by autodialing a reassigned cell-phone number had one chance to learn that they were not actually reaching the person who consented to receiving such calls, whether or not that one call was answered or produced any information as to reassignment. The D.C. Circuit’s opinion also set aside this one-call “safe harbor” as arbitrary and capricious. Although the FCC permissibly interpreted the TCPA’s use of the term “called party” to mean the current subscriber, the court found no justification for why a caller’s “reasonable reliance” on prior consent should “necessarily cease to be reliable” after only one call (or text) regardless of the result of the call. A failure to respond to a text, the D.C. Circuit recognized, or a call that goes to a generic voicemail greeting (e.g., “you have reached XXX-XXX-XXXX, please leave a message”) gives “no indication whatsoever of a possible reassignment.”

The D.C. Circuit’s opinion also upheld the broad parameters permitting a consumer to revoke consent “through any reasonable means that clearly expresses a desire not to receive further messages.” Contracting parties are still free, however, to “agree upon particular revocation procedures.” That provides businesses with a clearer opportunity to achieve compliance with the TCPA revocation requirement than they had before. Without the opportunity to channel revocation contractually into specified methods, tracking revocation can be next to impossible.

The D.C. Circuit’s opinion contains several lessons for current TCPA class defendants and companies wishing to avoid TCPA issues. Among them:

  • If you are defending a case where the autodialer element (TCPA liability requires the use of an “automatic telephone dialing system”) depends on the equipment’s potential capacity, revisit whether the named plaintiff or any class member even suffered a TCPA violation. The FCC’s expansive definition having been set aside, the TCPA’s reference to the “capacity” of equipment arguably should be read to refer to its current capacity only.
  • If the equipment meets the statutory definition of an autodialer, but some of the calls at issue were made without using the autodialer functionality, consider raising a typicality defense. The TCPA prohibits “mak[ing] any call … using any [autodialer],” but class members who received a call because a machine randomly dialed their numbers suffer a different kind of harm than those who received a call because a human being typed their numbers into a device that could have dialed them randomly. Both calls are made using an autodialer – and thus both calls arguably violate the TCPA – but Congress was concerned about preventing only one of them.
  • Any putative (b)(3) class defined to include calls to reassigned numbers should be challenged on commonality and predominance grounds. Since there is no more one-call “safe harbor,” the reasonableness of a caller’s belief that it had consent to contact a particular class member at that number likely must be determined on an individual basis.
  • Contracts with consumers should now include particular revocation procedures; otherwise, the consumer can use “any reasonable means” to revoke consent and tracking revocation becomes a serious problem.

If the FCC again engages in rulemaking regarding the autodialer definition and any “safe harbor” under the TCPA, Chairman Ajit Pai, who as a Commissioner dissented from the 2015 order that was the subject of the D.C. Circuit’s opinion, will preside over the process.