As the circuit and district courts continue to grapple with the meaning of Article III standing under the Supreme Court’s recent decision in Spokeo v. Robbins, where the Supreme Court held that a plaintiff must allege a particularized and concrete injury, as opposed to relying solely on a statutory violation to demonstrate an injury in fact, it is becoming clear that whether the statute at issue demonstrates a congressional intent to provide civil redress for a violation of the statute can be an important factor in determining whether a plaintiff survives a motion to dismiss based on lack of subject matter jurisdiction. The Third Circuit’s decision Horizon Healthcare Services Inc. Data Breach Litigation, --- F.3d ---, 2017 (3d Cir. Jan. 20, 2017) provides the latest example.
In Horizon, the Third Circuit vacated and remanded the District Court’s decision that dismissed, at the pleading stage, the plaintiffs’ class action complaint based on lack of Article III standing, holding that the plaintiffs had alleged Article III standing to sue under the Fair Credit Reporting Act (“FCRA”), because the statute reflected an express “remedy for the unauthorized transfer of personal information,” in which a violation gives rise to an injury for standing purposes. Notably, the Court also went onto hold that even without evidence that “Plaintiffs’ information was in fact used improperly, the alleged disclosure of their personal created a de facto injury.”
The suit centered on the theft of two laptops from Horizon’s offices in Newark, New Jersey that contained unencrypted personal identifying and health information relating to 839,000 members insured under Horizon’s health insurance plans. The named plaintiffs were among the members whose personal identifying information was on the stolen laptops, but did not allege that their personal information had been viewed or used by the thieves or other third parties. In bringing the class action suit, plaintiffs alleged, among other state law claims, separate claims for willful and negligent violations of the FCRA, maintaining that Horizon was a consumer reporting agency under the Act. Noting that Horizon’s motion to dismiss for lack of subject matter jurisdiction under FRCP 12(b)(1) was a facial challenge to the complaint (as opposed to a factual challenge), requiring the Court to accept the allegations as true, the Court specifically stated that it was not passing judgment concerning whether Horizon was a consumer reporting agency under the FCRA; only whether, based on the pleadings, the plaintiffs had alleged Article III standing.
Plaintiffs maintained that the mere violation of the FCRA demonstrated a cognizable and concrete injury sufficient to satisfy the first element of Article III standing. In that regard, they argued that “the violation of their statutory right to have their personal information secured against unauthorized disclosure constitutes, in and of itself, an injury in fact.” While the District Court held that some type of additional, specific harm beyond the violation of the statute was required, citing to its recent holding In re Nickelodeon Consumer Privacy Litigation, 827 F.3d 262 (3d Cir. 2016) (where the plaintiffs alleged that the defendants Viacom and Google unlawfully collected personal information about the webpages they visited and videos they watched on Viacom websites), the Third Circuit stated where Congress expressly enacts a statute that provides civil redress based on the “unauthorized disclosure of information that, in Congress’s judgment, ought to remain private,” Article III standing exists.
The Court’s holding in Nickelodeon was preceded by its decision in, In re Google Inc. Cookie Placement Consumer Privacy Litigation, 806 F.3d 125 (3d Cir. 2015), where the Plaintiffs alleged, by placing cookies on users’ browsers, internet advertising providers had violated the Stored Communications Act. Notwithstanding that the plaintiffs did not allege any economic injury, the Court rejected the Defendants argument that the plaintiffs lacked Article III standing. In doing so, the Court stated that what is required to satisfy the standing requirement is that if the injury “affect[s] the plaintiff in a personal and individual way, the plaintiff need not suffer any particular type of harm to have standing. Instead, the actual or threatened injury required by Art[icle] III may exist solely by virtue of statutes creating legal rights, the invasion of which creates standing,” even absent evidence of actual monetary loss.”
In the context of privacy litigation, in Horizon, the Third Circuit reaffirmed the factors it first articulated in Google, which, if implicated, will likely result in a finding of Article III standing: “when it comes to laws that protect privacy, a focus on economic loss is misplaced. Instead, the unlawful disclosure of legally protected information constitute[s] a clear de facto injury.” When the foregoing is coupled with the fact that the unauthorized disclosure of unencrypted, easily accessible information in Horizon was in the possession of individuals who had stolen the laptops, the Court’s finding of Article III standing in Horizon appeared plain based on its prior decisions in Google and Nickelodeon.
In finding plaintiffs had alleged Article III standing, the Third Circuit rejected Horizon’s reliance on Spokeo, distinguishing the facts and noting that in Spokeo, the plaintiff’s claim was that the defendant published inaccurate information about him, unlike the plaintiffs in Horizon whose personal information was unlawfully acquired by third parties in alleged violation of the FCRA. The Third Circuit further noted that, in Spokeo, the Supreme Court remanded for a determination as to whether the Plaintiff had suffered an injury in fact, noting that a procedural (or technical) statutory violation divorced from any concrete harm is insufficient to satisfy Article III standing. By contrast, the Third Circuit emphasized the Spokeo Court’s recognition that “the violation of a procedural right granted by statute can be sufficient in some circumstances to constitute injury in fact. In other words, a plaintiff in such a case need not allege any additional harm beyond the one Congress has identified.” Finding that the plaintiffs did not allege a procedural or technical violation of the FCRA, the Court noted that they alleged “the unauthorized dissemination of their own private information– the very injury that FCRA is intended to prevent.”
Parenthetically, to the extent other courts, in applying Spokeo, have required that the statutory violation be accompanied by a material risk of harm (which it did not believe to be required under all circumstances), the Court in Horizon noted that plaintiffs did show such harm in that “the information that was stolen was highly personal and could be used to steal one’s identity,” in conjunction with the fact that the objective of the theft was to obtain such information by individuals likely to use it.
By contrast, the Seventh Circuit’s ruling, in Gubala v. Time Warner Cable Inc., --- F.3d ---, 2017 (7th Cir. Jan. 20, 2017), issued on the same day as the Third Circuit’s decision in Horizon, illustrates that technical statutory violations, without more, will not satisfy Article III standing. In Gubala, the Plaintiff alleged that, in violation of 47 U.S.C. § 551(e) of the Cable Communications Policy Act, Time Warner failed to destroy his records containing personal identifiable information for more than a decade after he stopped being its customer. He did not allege that Time Warner sold his information to third parties or that it had otherwise been unlawfully disseminated or acquired by third parties. In short, the plaintiff did not allege any economic harm or injury independent of the statutory violation. In affirming the District Court’s dismissal of the plaintiff’s claim based on lack of standing, the Seventh Circuit, citing to Spokeo, summarized the plaintiff’s problem as follows: “… while he might well be able to prove a violation of section 551, he has not alleged any plausible (even if attenuated) risk of harm to himself from such a violation—any risk substantial enough to be deemed “concrete.” Thus, unlike the Plaintiffs in Horizon who alleged a statutory violation for which Congress had specifically provided civil redress for the unauthorized disclosure of personal information and who, based on the theft of their personal information that was now in the possession of third parties were at risk of harm, the plaintiff in Time Warner did not allege anything other than the violation of the statute, which the Seventh Circuit found fell well short of what was required to satisfy the Article III standing requirement. The Eighth Circuit might soon have an opportunity to weigh in as well. As noted in a recent blog, the Eight Circuit, in Sciaroni, recently remanded a class action lawsuit to the District Court that might require it to address whether the alleged subclass that suffered no economic harm due to a date breach has standing to sue. Assuming no settlement, the District Court’s decision on remand and any decision on appeal that follows bears monitoring.
Other alleged statutory privacy violation cases may fall short of satisfying Article III standing as well. For example, to guard against identify theft and fraud, Congress enacted the Fair and Accurate Credit Transactions Act (“FACTA”), 15 U.S.C. § 1681c(g), as a 2003 amendment to the FCRA. FACTA requires merchants who accept credit cards to not print more than the last five numbers of a credit card or the expiration date upon any receipt provided to a cardholder at the point of sale or transaction. For each willful violation, consumers may recover any actual damages sustained as a result of the violation or statutory damages of between $100 and $1,000.
In Meyers v. Nicolet Restaurant of de Pere LLC, 843 F.3d 724 (7th Cir. 2016),the Plaintiff alleged that he received a receipt from the defendant restaurant that included his expiration date in violation of FACTA. Even though plaintiff was in possession of the receipt; that no one had ever seen it and he was unable to allege that he suffered any actual damages or that he was at risk of suffering harm, he brought a class action lawsuit to recover statutory damages under FACTA. In dismissing the class action complaint, the Seven Circuit relying on the Supreme Court’s holding in Spokeo, found the plaintiff failed to allege an injury in fact to satisfy Article III standing in that he did not allege any harm or appreciable risk of harm from the printing of the receipt with the expiration date. In other words, there was no concrete injury independent of the alleged statutory violation. Importantly, even though the statute provided for a civil remedy for a violation of FACTA, the Seventh Circuit, citing to Spokeo, noted that Congress does not have the final word on whether a plaintiff has suffered a sufficient injury for purposes of standing, “because not all inaccuracies cause harm or present any material risk of harm.” The Court went on to explain that “Congress’ judgment that there should be a legal remedy for the violation of a statute does not mean each statutory violation creates article III injury (citations omitted). Such an injury must be ‘de facto’; that is, it must actually exist.”
Recently, we commented on the Fourth Circuit’s decision in Beck v. McDonald, in which the Court affirmed the District Court’s dismissal of the plaintiffs’ (veterans) claims, under the Privacy Act of 1974 and the Administrative Procedure Act, due to the plaintiffs’ inability to establish an injury in fact under Article III. There, the plaintiffs’ personal identifying information was lost or stolen, but they had not alleged any resulting injury nor, during the course of discovery, were they able to show that their personal information was used by third parties. As plaintiffs’ claims were grounded in future injury, namely, the threat of identity theft or that their personal information would be fraudulently used or used to their detriment in the future, the Court viewed the complaint through the prism of the Supreme Court’s holding in Clapper v. Amnesty International USA, 568 U.S. ___ (2013), as opposed to Spokeo. As we noted, in Clapper, the Supreme Court held that claims of future injury could only satisfy the Article III standing requirement if the injury was “certainly impending” or if there was a “substantial risk” that the harm was going to occur, and not just a “highly attenuated chain of possibilities.” Although the Court recognized that the prospect of being the victim of identity theft in the future could give rise to a concrete injury, there must be a showing that the injury was impending or that there was a substantial risk that the harm would occur, factors that the Court found lacking in Beck.
As the case law evolves, it is apparent that the circuit and district courts are going to continue to arrive at different conclusions as to what constitutes a sufficiently alleged injury to satisfy Article III standing. Moreover, in instances where a statutory violation is alleged, the courts may face a further divide as to which ones will require a statutory violation be accompanied by a concrete injury and those that interpret certain statutes to establish de facto injury, satisfying Article III standing, as was the case in Horizon. Ultimately, it is not difficult to envision these issues being addressed by the Supreme Court. Until then, from a strategic litigation perspective, it is critically important to recognize and understand the differences in how the circuit courts treat standing in privacy cases.