The U.S. Supreme Court’s decision in TransUnion LLC v. Ramirez sheds light on the important issue of Article III standing. Although it did not explicitly concern privacy or cybersecurity litigation, the court’s analysis on the issue of concrete injury, particularly with respect to claims that involve statutory damages, is instructive.
TransUnion offers several important takeaways that will greatly impact privacy and cybersecurity claims going forward. One takeaway is that we expect plaintiffs in data breach cases will increasingly turn to state courts for relief.
Statutory Damages Not Enough Without Concrete Harm
Many statutes provide for statutory damages, including the California Consumer Privacy Act, the Illinois Biometric Information Privacy Act, and the Telephone Consumer Protection Act, to name a few. However, in 2016, the court held in Spokeo Inc. v. Robins that mere allegations of a “bare procedural violation [of a statute], divorced from any concrete harm” are insufficient to satisfy the injury requirement for Article III standing.
The Supreme Court went a step further inTransUnion, expressly stating that statutory damages do not satisfy the harm element in the standing analysis. The court explained that if a private plaintiff were permitted to rely solely on statutory damages, it could authorize “virtually any citizen to bring a statutory damages suit against virtually any defendant who violated virtually any federal law.”
These types of private attorney general actions are, according to the court, inappropriate and indeed implicate the Constitution’s separation of powers.
TransUnion holds that only plaintiffs concretely harmed by a defendant’s statutory violation have standing to pursue a claim in federal court. Those “concrete” harms can be tangible or intangible, but they cannot be purely statutory in nature.
Common Law Claims, State Court Class Actions Are Winners
The decision confirms that an alleged injury for purposes of Article III must have a “close relationship” to a harm “traditionally” recognized as providing a basis for a lawsuit in American courts.
In addition to the obvious tangible injuries (such as monetary and physical harms), there are recognized intangible harms such as reputational harms, disclosure of private information, invasion of privacy, and intrusion upon seclusion. And it is not hyperbole to say that, in the context of privacy and cybersecurity litigation, complaints almost always assert common law claims.
Although it is common to see such common law claims, they have not typically been the “star of the show,” and certainly have not to this point garnered the type of monetary awards that one expected from claims involving statutory damages. TransUnion is likely to change that, as plaintiffs will likely focus on those tort claims that allege an intangible harm.
Moreover, as Justice Clarence Thomas points out in his dissent, the court has “ensured that state courts will exercise exclusive jurisdiction over these sorts of class actions” by finding that the federal courts lack jurisdiction.
Thus, not only will common law claims become more important in privacy and cybersecurity litigation, but the disputes are also much more likely to be filed in state court. In addition, we note there may be additional issues relating to a plaintiff’s ability to prosecute a claim for violation of a federal law in state court.
Neither Privacy Nor Cybersecurity Claims Were Asserted
At first blush, TransUnion seems to cast doubt as to whether a harm that is not yet realized can be sufficiently concrete to satisfy Article III standing, regardless of the causes of action asserted. The court notes that the risk of future harm may permit a plaintiff to pursue injunctive relief if there is a sufficiently imminent and substantial risk of harm, but it “does not necessarily mean that the plaintiff has standing to seek retrospective damages.”
In order to be eligible for monetary damages, a plaintiff must demonstrate that the exposure to the risk of future harm itself causes a separate concrete harm.
Importantly, though, the court likens the plaintiffs’ claim for violation of the Fair Credit Reporting Act to a suit for defamation. It emphasizes that most of the plaintiffs did not have their credit files disclosed to third parties. Without that publication, the plaintiffs failed to demonstrate that they were directly harmed by the inaccurate OFAC alerts, or that they suffered another injury (such as emotional distress) from the mere risk of such disclosure.
Of course, privacy and cybersecurity cases, such as one asserting disclosure of personally identifiable information or one claiming theft of information through a data breach, may be fundamentally different.
For example, a data breach action would be premised on the defendant’s alleged failure to safeguard information and resulting in its unauthorized disclosure to third parties. Unlike in TransUnion, a data breach plaintiff’s information is already exposed.
Consequently, it is unclear whether the court’s decision will mean that data breach plaintiffs do not have standing unless and until they become, for example, the victim of identity theft, or whether the door has been left sufficiently open for a plaintiff to succeed by satisfying the increased risk of future harm analysis recently advanced by the U.S. Court of Appeals for the Second Circuit in its April McMorris decision.
The Second Circuit identified factors that help determine whether a plaintiff has demonstrated an injury based on an increased risk of future harm, including: (1) whether the plaintiff’s data was exposed as the result of a targeted attempt to obtain that data; (2) whether any portion of the [compromised] dataset has already been misused, even if the plaintiff him/herself has not yet experienced identity theft or fraud; and (3) whether the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud.
Plaintiffs More Likely to Seek State Court Relief
The TransUnion decision may be heralded by defendants, but its reach and results will be tested by litigants clamoring to be in the courts they believe to be most favorable. We anticipate that aggrieved individuals (and the plaintiffs’ bar) will increasingly seek relief in state court.
We also foresee that defendants will still remove cases to federal court, especially if the complaint includes a claim for violation of a federal statute, although plaintiffs’ motions to remand may be more fiercely litigated.
Finally, in the face of increasingly frequent privacy and cybersecurity incidents, we expect that courts analyzing standing in privacy and cybersecurity cases will articulate a fact-specific and perhaps even more nuanced approach, balancing the need for concrete harm (as discussed in TransUnion) with the situational assessment of future harm (as discussed in the Second Circuit’s McMorris decision).
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Molly McGinnis Stine is a partner with Locke Lord in the Chicago office and member of the firm’s Privacy & Cybersecurity Group steering committee.
Tara L. Trifon is a partner with Locke Lord in the Hartford, Conn., office and is a member of the Privacy & Cyber Litigation and Enforcement team.
Lindsey E. Kress is an associate with Locke Lord in San Franciso and a member of the Privacy & Cyber Litgation and Enforcement team.