In ruling that is likely to have significant impact on privacy litigation, the Ninth Circuit determined on Tuesday that a plaintiff’s claim that the Fair Credit Reporting Act (FCRA) had been violated was sufficient “injury” for the case to proceed. Nearly 15 months after the United States Supreme Court asked the Ninth Circuit on remand to determine whether plaintiff Thomas Robins suffered a concrete injury sufficient to justify Article III standing, the Ninth Circuit ruled 3-0 in favor of the plaintiff. See Robins v. Spokeo, Inc. No. 11-56843 (9th Circuit, Aug. 15, 2017). While this decision appears limited in scope to lawsuits specifically alleging violations of FCRA, it is likely that a plaintiff’s counsel will argue that the rationale of this opinion should be extended to other privacy statutes in an effort to dilute the “concrete and particularized” injury requirements to bring a claim under those laws.
Initially Robins’ case was dismissed at the district court in 2010 for lack of standing, which was later overturned by the Ninth Circuit in 2014 and then appealed to the Supreme Court. While ultimately remanding the case, the Supreme Court’s May 2016 opinion emphasized that a plaintiff must allege a statutory violation that causes him to suffer some harm that “actually exist[s]”; an injury that is “real” and not “abstract” or merely “procedural.” 136 S. Ct. at 1548-49. However, the Court also noted the importance of congressional judgement in the concreteness inquiry, stating that “Congress may elevate to the status of legally cognizable injuries concrete, de facto injuries that were previously inadequate in law.” Id. at 1549 (internal citations omitted).
Ninth Circuit Opinion: “Concrete Interest” and “Material Risk of Harm” Analysis
Drawing a distinction between Clapper v. Amnesty International USA, 133 S. Ct. 1338, 1147-48 (2013), which explained that a plaintiff cannot show injury-in-fact unless the “threatened injury [is] certainly impending”, the Ninth Circuit held that “in the context of FCRA, this alleged intangible injury is itself sufficiently concrete.” slip op. at 20. Finding that FCRA’s procedures are designed to protect consumers’ “concrete interest in accurate credit reporting about themselves,” the Ninth Circuit turned its focus to whether the alleged FCRA violation created a “material risk of harm” to the concrete interest. slip op. at 11, 15.
Echoing the Supreme Court’s sentiment that not every minor inaccuracy reported in violation of FCRA will cause any material risk of real harm, the Ninth Circuit concluded that there must be “some examination of the nature of the specific alleged reporting inaccuracies to ensure that they cause a real risk of harm to the concrete interests.” Id. at 16-17. However, the Ninth Circuit also declined to “conduct a searching review for where that line should be drawn,” concluding that Robins’ allegations that Spokeo falsely reported his marital status, age, employment, education, and wealth level are “substantially more likely to harm his concrete interests than the Supreme Court’s example of an incorrect zip code” and are not a “mere technical violation” of FCRA. Id. at 17-18.
In sum, the latest decision in the Spokeo progeny seems to suggest that at least in the Ninth Circuit, a violation of FCRA suffices to demonstrate a concrete injury – however, a court will still weigh the specific nature of the violation to determine if there has been a material risk of harm. Allegations that only rise to the level of “mere technical violation” may not survive the Article III inquiry. Following the Supreme Court, the Ninth Circuit also declined to comment or provide any guidance as to “what varieties of misinformation should fall into the harmless category, beyond the example of an erroneous zip code,” meaning that there is no bright line test. Id. at 17.
The Ninth Circuit’s decision comes on the heels of a recent decision in the D.C. Circuit finding that a plaintiff’s heightened risk of future identity theft is sufficient to show standing at the pleading stage. See Attias v. CareFirst, Inc., Case No. 16-7108. Armed with these recent decisions, companies will have a more difficult time challenging their standing in data breach actions and potentially other privacy litigation, which may increase a plaintiff’s ability to survive the motion to dismiss phase and move more quickly to class certification and discovery. This, in turn, will result in such actions becoming more expensive to defend.