September 29, 2020

Volume X, Number 273

September 28, 2020

Subscribe to Latest Legal News and Analysis

Update on Data Breach and Data Privacy Class Actions Post-Spokeo

In May, the U.S. Supreme Court issued its opinion in Spokeo v. Robins, providing guidance on the “injury-in-fact” aspect of the constitutional standing requirement for putative class action plaintiffs.  136 S. Ct. 1540 (2016), as revised (May 24, 2016).  Spokeo was quickly hailed by both plaintiff- and defense-side lawyers as a major victory, but in truth provided something for everyone.  It requires, for example, that a plaintiff allege “a concrete injury even in the context of a statutory violation . . .” and not merely a “bare procedural violation, divorced from any concrete harm.”  Id. at 1543, 1549.  Further, a “concrete” injury must “actually exist” and be “real, and not abstract.”  Id. at 1548.  On the other hand, a “concrete” injury is not “necessarily synonymous with ‘tangible.’”  Id. at 1549.  Ways to determine whether “intangible” harm qualifies as “concrete” include: (1) evaluating whether the alleged harm “has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit” and (2) looking to the judgment of Congress which “has the power to define injuries and articulate chains of causation that will give rise to a case or controversy where none existed before.”  Id.

How has Spokeo affected decisions on data breach and data privacy class actions?  Like Spokeo itself, subsequent decisions, including several from just the past few weeks, have been somewhat mixed.

Most recently, in Yershov v. Gannet Satellite Information Network, Inc., dba USA Today, a federal court in Massachusetts denied a motion to dismiss, allowing a putative privacy class action to continue.  No. CV 14-13112-FDS, 2016 WL 4607868 (D. Mass. Sept. 2, 2016).  Plaintiff Yershov alleged that each time he watched a USA Today video his location information and information about the video watched was sent to a third-party data analytics company, in violation of the Video Privacy Protection Act (“VPPA”).  Id. at *1.  Defendant Gannett, the app manufacturer, moved to dismiss for lack of standing, arguing under Spokeo that Plaintiff had alleged only a bare statutory violation and no concrete harm.  Id.  Judge Saylor of the District of Massachusetts denied the motion, finding that Plaintiff had alleged a concrete, though intangible harm – an invasion of his right to privacy in his video review history.  Id. at *8.  The decision, in part, relied on Spokeo’s guidance to look to “both history and the judgment of Congress” to determine whether an intangible harm “constitutes [a concrete] injury in fact . . . .”  Id. at *8, (quoting Spokeo, 136 S. Ct. at 1549).  “Congress, by enacting the VPPA, elevated an otherwise non-actionable invasion of privacy into a concrete, legally cognizable injury,” the Court held.  Id.  Injury in fact was thus sufficiently alleged.  Id.

Just a few days before, in Braitberg v. Charter Communications, the 8th Circuit upheld dismissal of a data privacy class action for lack of standing.  No. 14-1737, 2016 WL 4698283 (8th Cir. Sept. 8, 2016).  There, plaintiff Braitberg claimed that his cable provider maintained, but had not disclosed, certain of his personally identifiable information (“PII”) well after cancellation of his cable service, in alleged violation of the Cable Communications Policy Act.  Id. at *1.  The 8th Circuit upheld dismissal of the case, stating that, under Spokeo, plaintiff had alleged only a bare violation of a statute, and not any actual, concrete harm.  Id. at *4.  Plaintiff, said the Court, “identifies no material risk of harm from the retention; a speculative or hypothetical risk is insufficient.”  Id.

Just a week earlier, the 6th Circuit reversed a district court ruling granting a motion to dismiss for lack of standing in Galaria v. Nationwide Mutual Insurance Co., another data breach case.  Nos. 15-3386/3387, slip. op. (6th Cir., Sept. 12, 2016).  There, plaintiffs alleged no actual misuse of their stolen PII, but were found to have standing, based on: (1) a showing that they had a heightened risk of fraud and identity theft; and, (2) allegations that they had already spent time and money to mitigate the risk of fraudulent charges, including the monitoring of credit reports and the purchase of credit reporting services.  Id. at 6-7.  The court found that misuse of the data was sufficiently imminent given the likely bad intentions of the hackers:  “There is no need for speculation where Plaintiffs allege that their data has already been stolen and is now in the hands of ill-intentioned criminals.” Id. at 6.  In addition, the defendant had advised those affected by the breach that it would pay for bank statement and credit report monitoring, a seemingly good idea which ended up working against them: “Indeed, Nationwide seems to recognize the severity of the risk, given its offer to provide credit-monitoring and identity-theft protection for a full year.”  Id.  Galaria follows the approach of two pre-Spokeo data breach cases from the 7th Circuit: (1) Lewert v. P.F. Chang’s China Bistro, 819 F.3d 963 (7th Cir. 2016) and (2) Remijas v. Neiman Marcus Group, 794 F.3d 688 (7th Cir. 2015).  Both cases found standing based on allegations, respectively, of increased risk of fraudulent charges and identity theft, and of actual money and time spent to protect against fraudulent charges and identity theft.  It can be expected that plaintiffs will continue to make similar allegations in future data breach class actions to withstand challenges based on lack of standing.

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume VI, Number 288


About this Author

David S. Cannon, Sheppard Mullin, Government Contracts Attorney, High Stakes Litigation Lawyer, San Francisco,

David Cannon is a partner in the Government Contracts, Investigations & International Trade Practice Group in the firm's San Francisco office.

Mr. Cannon handles high-stakes litigation, including banking, commercial litigation and intellectual property disputes.  In banking-related matters, he has handled securities fraud claims, as well as mortgage and lender disputes stemming from the financial crisis.  This work has included large scale class actions in federal and California state courts.  With commercial disputes, he has helped...

Liên H. Payne, Sheppard Mullin, commercial litigation lawyer, tort contract disputes attorney

Liên Payne is an associate in the Business Trial Practice Group in the firm’s San Francisco Office.  Ms. Payne has worked on teams representing prominent financial institutions in high stakes commercial litigation involving tort and contract disputes and teams representing auto finance companies in complex class actions involving alleged unfair business practices and improper consumer disclosure. Ms. Payne’s practice also involves representing public and private entities and individuals in government investigations and  white collar criminal defense.