Almost one year ago, we wrote  about the impact of Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) on Fair and Accurate Credit Transaction Act (FACTA) class actions and offered practical pointers for defendants confronting FACTA class claims. As we explained, because often the only “harm” from alleged FACTA violations is a theoretical increase in the risk of a potential future injury, such as identity theft, FACTA plaintiffs have difficulty meeting Article III’s injury-in-fact requirement. On March 8, 2019, the Third Circuit Court of Appeals issued its highly anticipated decision in another FACTA case, Kamal v. J. Crew Group, Inc., 2019 WL 1087350, which continues the post-Spokeo trend of requiring a plaintiff to allege more than some speculative, theoretical threat of future harm to establish Article III standing from a FACTA violation.

Third Circuit Reinforces That FACTA Class Actions Remain Ideal Targets for Spokeo ChallengesFACTA strictly—which is to say, draconically—forbids merchants from printing more than the last five digits of a credit or debit card number on any electronically printed receipt provided to the card holder at the point of sale, and provides potentially onerous penalties for violations. Ahmed Kamal, the putative class representative, alleged that J. Crew printed the first six and last four digits of his cards on three separate transactions in 2014 and 2015. After his original complaint was dismissed for failure to allege a concrete injury, Kamal asserted in an amended complaint that he was injured by J. Crew’s disclosure of his private information and by a resulting increased exposure to future identity theft or credit card fraud.  The district court, relying on Spokeo, dismissed the case, ruling that Kamal failed to identify an injury-in-fact sufficient to confer Article III standing. Kamal’s privacy concerns, in the court’s eyes, fell short of recognized privacy interests and instead amounted to a “bare procedural violation divorced from any concrete harm,” and the court determined that J. Crew’s actions had not materially increased Kamal’s risk of identity theft or fraud. Kamal disagreed and appealed.

On appeal, the Third Circuit, following the Supreme Court’s instruction in Spokeo, analyzed whether Kamal’s alleged injuries of disclosure of private information and increased risk of identity theft or fraud enjoyed a “close relationship” to any harms that traditionally have provided a basis for common law privacy torts and breach of confidence. Kamal argued that he faced a real risk of identity theft because the first six digits identified his issuing bank and card type and that the receipts further identified his card issuer by name. The court declined to exalt this possibility of future events into a present injury. It noted that the information was not disclosed to a third party. Indeed, it appeared only on a printed receipt provided to Kamal. The Third Circuit recognized that receiving a printed copy of your own credit card number is not an injury that bears a “close relationship” with harms that traditionally provide a basis for analogous common law claims. Similarly, the court found Kamal’s argument that J. Crew created a risk of identity theft or card fraud unpersuasive. Notably, the risk could only be material if the receipts fell into a nefarious third party’s hands, and only if that third party would be able to obtain the remaining card digits and the expiration date, security code or other information needed to use the card—none of which had occurred in that case. The court declined to find a concrete injury from this “speculative chain of events.”

The lack of a “close relationship” between the alleged injuries and the harms associated with analogous common law claims led the Third Circuit to hold that Kamal lacked Article III standing to bring the FACTA class action. But there is a procedural wrinkle worth highlighting: The Third Circuit vacated the district court’s order dismissing the lawsuit with prejudice—even though Kamal had requested the order with prejudice as a final order for appeal—and remanded the case for the limited purpose of entering an order of dismissal without prejudice. The Third Circuit reasoned that because Kamal did not have standing, the district court lacked subject matter jurisdiction over decisions on the merits over the case and, therefore, it was improper to grant a dismissal for lack of standing with prejudice.

Kamal reinforces several of the main takeaways for defendants that we set forth in our previous post:  (1) Class actions based on federal statutory violations may be vulnerable to concrete injury, Article III standing challenges, particularly where, as in Kamal and many other FACTA class actions, the alleged harm is a theoretical, conjectural increase in the risk of future injury; and (2) even if the court does not ultimately dismiss the case, contesting plaintiffs’ allegations of injury on Spokeo grounds may result in individualized allegations of harm ultimately helpful to oppose class certification. But Kamal also shows the limits of a successful jurisdictional challenge, as the Third Circuit’s decision to remand the case shows. Several conflicting strategic considerations inform how companies can best challenge federal statutory class actions, and there is no one-size-fits-all solution.

Injury-in-Fact vs. Actual Damages –– Avoiding a Jurisdictional Sideshow in Data Breach Class Actions by Challenging Damages, Not InjuryFollowing the Supreme Court’s ruling in Spokeo v. Robins, which held that federal plaintiffs alleging a statutory violation must have suffered a real, concrete injury in order to have Article III standing, many defendants began to assert lack of standing as a defense in data breach class actions in federal court. Data breach cases are particularly good candidates for Article III standing arguments, because data breach plaintiffs often allege a risk of future injury, but do not allege  that the breach has caused them any immediate harm. Nevertheless, some courts have found that the threat of future injury is a sufficiently concrete injury under Article III. Even when defendants succeed with a Spokeo standing argument, the result may simply be that the case gets litigated in (an often less friendly) state court. This is the “Spokeo trap” we have addressed before.

Instead of attacking standing, defendants may be better off attacking a plaintiff’s lack of damages through a Rule 12(b)(6) motion. After all, most data breach claims at least include state law negligence claims that require plaintiffs to prove actual damages in order to recover. Although there is definitely overlap between the damages element of a tort claim and the injury-in-fact requirement of Article III, many courts have drawn a distinction between the two and dismissed cases for failing to allege the former—and not on mere jurisdictional grounds that create problems for defendants down the road.

The prime example is a case that the plaintiffs’ bar considered one of its early successes: Pisciotta v. Old National Bancorp. That case disagreed with the district court’s jurisdictional analysis and concluded that the plaintiffs’ allegations of future injury gave them Article III standing—but the court still affirmed the district court’s dismissal of the case because the plaintiffs could not satisfy the actual damages element of their negligence claim.

Other more recent cases have followed in this line. Attias v. CareFirst, Inc., a case out of D.C., saw the district court initially dismiss a data breach class action because the plaintiffs could not establish Article III standing on the alleged risk of future harm (such as an increased risk of identity theft). The D.C. Circuit reversed. On remand, the defendant focused on its 12(b)(6) arguments, and the district court dismissed with prejudice, finding that “while plaintiffs’ alleged injuries may be enough to establish standing at the pleading stage of the case, they are largely insufficient to satisfy the ‘actual damages’ element of nine of their state-law causes of action.”

The defendant in a District of Minnesota case, In re: SuperValu, Inc., Customer Data Security Breach Litigation, was met with a similar scenario after the Eighth Circuit reversed the district court’s order granting dismissal without prejudice on standing grounds. Following remand, the defendant renewed its 12(b)(6) motion, arguing that the plaintiffs failed to allege actual damages. The district court granted the motion and dismissed the negligence claims––with prejudice, no less.

Focusing on 12(b)(6) motions instead of standing arguments under 12(b)(1) can, in some instances, save time and money for defendants—and not just in data breach class actions, but in any statutory class action. In the data breach context, that strategy also can avoid a budding circuit split as to whether a future risk of identity theft confers Article III standing in data breach cases. Presently, the D.C. Circuit, and the Sixth, Seventh, and Ninth Circuits have all said it does, while the First, Third, Fourth, and Eighth Circuits have said it doesn’t. The issue is before the Eleventh Circuit now in I Tan Tsao v. Captiva MVP Restaurant Partners, LLC.

As a matter of doctrine, we agree that many data breach theories should not confer Article III standing, and we believe that it is often appropriate to challenge standing in data breach cases. Indeed, the Supreme Court may be addressing that very question soon. But, as courts continue to wrestle with jurisdictional questions, some data-breach defendants can take a practical approach and bypass the standing arguments in favor of attacking the elements of the plaintiff’s claims instead of the court’s jurisdiction.

Practical Effects of the Rule 23 Amendments – Really, Not Very MuchThe December 2018 revisions to Rule 23 are relatively minor, and early cases applying the amended rule confirm that no major changes have occurred. The Southern District of Iowa summed up the theme in Swinton v. SquareTrade, Inc.: The amendments are “mostly form over substance” and “largely [a] codif[ication of] existing case law” that are useful primarily to “focus the Court’s analysis.”

As an initial matter, courts have been applying the new rules even to cases pending when they took effect. The Supreme Court’s order formally amending the rules provides that the rules apply to all actions filed December 1, 2018, and later “and, insofar as just and practicable, all proceedings then pending.” So far, every court to consider the question has applied the amended rule. Again, given the incremental nature of the changes, this result is expected. Absent some prejudice to a party—say, an objector who appeared before the new rules raising the stakes for objections came into effect—parties should expect that the amended rules will apply to their action regardless of the filing date.

The amendments primarily address issues arising in settling class actions, and the available opinions arise in that context. Courts are certainly citing amended Rule 23(e) to evaluate the fairness of settlements, but they are likewise continuing to use pre-amendment standards as well:

  • Hefler v. Wells Fargo & Company, 2018 WL 6619983 (N.D. Cal. Dec. 18, 2018), is one example of the court applying the Rule 23(e) standards and the existing Ninth Circuit rule.
  • Hale v. State Farm Mutual Auto. Ins. Co., 2018 WL 6606079 (S.D. Ill. Dec. 16, 2018) comes from the Seventh Circuit. That case decides that the amended Rule 23(e) “considerations overlap with the factors previously articulated by the Seventh Circuit.”
  • Hays v. Eaton Group Attorneys, LLC, 2019 WL 427331 (M.D. La. Feb. 4, 2019) applies the old Fifth Circuit standard alongside the new Rule 23(e) standard.
  • Becker v. Bank of New York Mellon Trust Co., N.A., 2018 WL 6727820 (E.D. Pa. Dec. 21, 2018) from the Third Circuit notes that the amended Rule 23(e) “factors overlap substantially with the factors identified by the Court of Appeals in Girsh and Prudential.”

In addition to addressing standards for settlement, the amendments impose more explicit standards for objections and place electronic and other alternative means of delivering notice on equal footing with first-class mail in the judicial search for “the best notice practicable” in apprising class members of class certification and settlement. As of yet, no cases have applied these new standards, but we suspect that courts will continue the ever-growing trend of using electronic means to provide class notice.

We will continue to monitor these developments, but—truth be told—we are not holding our breath for any major changes.