Frank v. Gaos: Remand, but Little Guidance.Today, the Supreme Court sent Frank v. Gaos back to the Ninth Circuit to address the issue of standing under Spokeo.

Frank involved allegations of privacy violations. Plaintiffs brought class action claims against Google for alleged violations of the Stored Communications Act. The complaints alleged that when an Internet user conducted a Google search and clicked on a hyperlink to open one of the webpages listed on the search results page, Google transmitted information including the terms of the search to the server that hosted the selected webpage.

After three motions to dismiss (none of which disposed of the whole case), the parties negotiated a settlement requiring Google to include certain disclosures on some of its webpages and distribute more than $5 million to cy pres recipients, more than $2 million to class counsel, and no money to absent class members. Objectors appealed the settlement’s approval, arguing that cy pres relief to third-party charities was an improper basis for settlement. (The use of cy pres in this context, which involves remitting class settlement payments to non-parties – often charities – when it is difficult or expensive to make such payments directly to class members, has been the subject of criticism by courts and commentators.)

We were originally watching Frank in the hope that it would give a clear rule on whether and when it is permissible to have cy pres distributions in class-action settlements, but that hope shifted when the Court on its own called for additional briefing on whether the plaintiffs had a concrete injury necessary to confer standing. We then turned our focus to seeing if the Court would provide more guidance on exactly when a mere statutory violation confers standing under Spokeo, a question that has divided lower courts.

Today’s remand provides no real guidance at this point. The Court declined to rule on either the cy pres issue or the standing issue. Despite having raised the standing issue in the first place, the Court punted on its own question, stating that “we are a court of review, not of first view.” Because the Ninth Circuit and District Court had never analyzed the arguments regarding standing under Spokeo, the Court simply called a do-over. It vacated the Ninth Circuit’s judgment in a per curiam opinion and sent the case back to the lower courts for a review of standing. The Court cautioned “[n]othing in our opinion should be interpreted as expressing a view on any particular resolution of the standing question.”

Despite the lack of fireworks and despite the Supreme Court’s caution that we should not read anything in its standing ruling, there is an important takeaway here: the standing question presented was serious enough to require review. If the Court could comfortably say that standing did exist, it presumably would have addressed the cy pres question for which it granted certiorari in the first place. Its decision to vacate the judgment and send the case back to the lower courts signals how serious the standing question is, especially in these kinds of statutory violation cases.

What’s important to the Supreme Court should be important to practitioners. Arguing about standing has its risks (as we have noted), but federal courts are policing standing – especially in the class-action space – more than ever before. Class settlements designed to bring peace and resolve a line of litigation are attractive, but these settlements can be vulnerable to attack by objectors challenging subject matter jurisdiction. That is, after all, what happened in Franks: two objectors challenged a class settlement on jurisdictional grounds and pressed their objections all the way to the Supreme Court.

If we were placing bets, the odds are now against Franks returning to the Supreme Court anytime soon, if ever. But presumably, the Court will look to identify another case raising the cy pres questions that were present in Franks, and we continue to watch for the Court to grant certiorari on the Spokeo questions that ultimately caused Franks to be remanded. So, we wait. Ironically, however, the cases in which the parties resort to cy pres are often those where class members suffered little or no actual harm. So, don’t be surprised if both issues are presented next time the Supreme Court takes on this issue. Let’s hope that when that time comes, the trial court will have already addressed both issues itself.

Almost one year ago, we wrote  about the impact of Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) on Fair and Accurate Credit Transaction Act (FACTA) class actions and offered practical pointers for defendants confronting FACTA class claims. As we explained, because often the only “harm” from alleged FACTA violations is a theoretical increase in the risk of a potential future injury, such as identity theft, FACTA plaintiffs have difficulty meeting Article III’s injury-in-fact requirement. On March 8, 2019, the Third Circuit Court of Appeals issued its highly anticipated decision in another FACTA case, Kamal v. J. Crew Group, Inc., 2019 WL 1087350, which continues the post-Spokeo trend of requiring a plaintiff to allege more than some speculative, theoretical threat of future harm to establish Article III standing from a FACTA violation.

Third Circuit Reinforces That FACTA Class Actions Remain Ideal Targets for Spokeo ChallengesFACTA strictly—which is to say, draconically—forbids merchants from printing more than the last five digits of a credit or debit card number on any electronically printed receipt provided to the card holder at the point of sale, and provides potentially onerous penalties for violations. Ahmed Kamal, the putative class representative, alleged that J. Crew printed the first six and last four digits of his cards on three separate transactions in 2014 and 2015. After his original complaint was dismissed for failure to allege a concrete injury, Kamal asserted in an amended complaint that he was injured by J. Crew’s disclosure of his private information and by a resulting increased exposure to future identity theft or credit card fraud.  The district court, relying on Spokeo, dismissed the case, ruling that Kamal failed to identify an injury-in-fact sufficient to confer Article III standing. Kamal’s privacy concerns, in the court’s eyes, fell short of recognized privacy interests and instead amounted to a “bare procedural violation divorced from any concrete harm,” and the court determined that J. Crew’s actions had not materially increased Kamal’s risk of identity theft or fraud. Kamal disagreed and appealed.

On appeal, the Third Circuit, following the Supreme Court’s instruction in Spokeo, analyzed whether Kamal’s alleged injuries of disclosure of private information and increased risk of identity theft or fraud enjoyed a “close relationship” to any harms that traditionally have provided a basis for common law privacy torts and breach of confidence. Kamal argued that he faced a real risk of identity theft because the first six digits identified his issuing bank and card type and that the receipts further identified his card issuer by name. The court declined to exalt this possibility of future events into a present injury. It noted that the information was not disclosed to a third party. Indeed, it appeared only on a printed receipt provided to Kamal. The Third Circuit recognized that receiving a printed copy of your own credit card number is not an injury that bears a “close relationship” with harms that traditionally provide a basis for analogous common law claims. Similarly, the court found Kamal’s argument that J. Crew created a risk of identity theft or card fraud unpersuasive. Notably, the risk could only be material if the receipts fell into a nefarious third party’s hands, and only if that third party would be able to obtain the remaining card digits and the expiration date, security code or other information needed to use the card—none of which had occurred in that case. The court declined to find a concrete injury from this “speculative chain of events.”

The lack of a “close relationship” between the alleged injuries and the harms associated with analogous common law claims led the Third Circuit to hold that Kamal lacked Article III standing to bring the FACTA class action. But there is a procedural wrinkle worth highlighting: The Third Circuit vacated the district court’s order dismissing the lawsuit with prejudice—even though Kamal had requested the order with prejudice as a final order for appeal—and remanded the case for the limited purpose of entering an order of dismissal without prejudice. The Third Circuit reasoned that because Kamal did not have standing, the district court lacked subject matter jurisdiction over decisions on the merits over the case and, therefore, it was improper to grant a dismissal for lack of standing with prejudice.

Kamal reinforces several of the main takeaways for defendants that we set forth in our previous post:  (1) Class actions based on federal statutory violations may be vulnerable to concrete injury, Article III standing challenges, particularly where, as in Kamal and many other FACTA class actions, the alleged harm is a theoretical, conjectural increase in the risk of future injury; and (2) even if the court does not ultimately dismiss the case, contesting plaintiffs’ allegations of injury on Spokeo grounds may result in individualized allegations of harm ultimately helpful to oppose class certification. But Kamal also shows the limits of a successful jurisdictional challenge, as the Third Circuit’s decision to remand the case shows. Several conflicting strategic considerations inform how companies can best challenge federal statutory class actions, and there is no one-size-fits-all solution.

Injury-in-Fact vs. Actual Damages –– Avoiding a Jurisdictional Sideshow in Data Breach Class Actions by Challenging Damages, Not InjuryFollowing the Supreme Court’s ruling in Spokeo v. Robins, which held that federal plaintiffs alleging a statutory violation must have suffered a real, concrete injury in order to have Article III standing, many defendants began to assert lack of standing as a defense in data breach class actions in federal court. Data breach cases are particularly good candidates for Article III standing arguments, because data breach plaintiffs often allege a risk of future injury, but do not allege  that the breach has caused them any immediate harm. Nevertheless, some courts have found that the threat of future injury is a sufficiently concrete injury under Article III. Even when defendants succeed with a Spokeo standing argument, the result may simply be that the case gets litigated in (an often less friendly) state court. This is the “Spokeo trap” we have addressed before.

Instead of attacking standing, defendants may be better off attacking a plaintiff’s lack of damages through a Rule 12(b)(6) motion. After all, most data breach claims at least include state law negligence claims that require plaintiffs to prove actual damages in order to recover. Although there is definitely overlap between the damages element of a tort claim and the injury-in-fact requirement of Article III, many courts have drawn a distinction between the two and dismissed cases for failing to allege the former—and not on mere jurisdictional grounds that create problems for defendants down the road.

The prime example is a case that the plaintiffs’ bar considered one of its early successes: Pisciotta v. Old National Bancorp. That case disagreed with the district court’s jurisdictional analysis and concluded that the plaintiffs’ allegations of future injury gave them Article III standing—but the court still affirmed the district court’s dismissal of the case because the plaintiffs could not satisfy the actual damages element of their negligence claim.

Other more recent cases have followed in this line. Attias v. CareFirst, Inc., a case out of D.C., saw the district court initially dismiss a data breach class action because the plaintiffs could not establish Article III standing on the alleged risk of future harm (such as an increased risk of identity theft). The D.C. Circuit reversed. On remand, the defendant focused on its 12(b)(6) arguments, and the district court dismissed with prejudice, finding that “while plaintiffs’ alleged injuries may be enough to establish standing at the pleading stage of the case, they are largely insufficient to satisfy the ‘actual damages’ element of nine of their state-law causes of action.”

The defendant in a District of Minnesota case, In re: SuperValu, Inc., Customer Data Security Breach Litigation, was met with a similar scenario after the Eighth Circuit reversed the district court’s order granting dismissal without prejudice on standing grounds. Following remand, the defendant renewed its 12(b)(6) motion, arguing that the plaintiffs failed to allege actual damages. The district court granted the motion and dismissed the negligence claims––with prejudice, no less.

Focusing on 12(b)(6) motions instead of standing arguments under 12(b)(1) can, in some instances, save time and money for defendants—and not just in data breach class actions, but in any statutory class action. In the data breach context, that strategy also can avoid a budding circuit split as to whether a future risk of identity theft confers Article III standing in data breach cases. Presently, the D.C. Circuit, and the Sixth, Seventh, and Ninth Circuits have all said it does, while the First, Third, Fourth, and Eighth Circuits have said it doesn’t. The issue is before the Eleventh Circuit now in I Tan Tsao v. Captiva MVP Restaurant Partners, LLC.

As a matter of doctrine, we agree that many data breach theories should not confer Article III standing, and we believe that it is often appropriate to challenge standing in data breach cases. Indeed, the Supreme Court may be addressing that very question soon. But, as courts continue to wrestle with jurisdictional questions, some data-breach defendants can take a practical approach and bypass the standing arguments in favor of attacking the elements of the plaintiff’s claims instead of the court’s jurisdiction.