The U.S. Supreme Court’s decision to limit a consumer lawsuit over
In a Friday opinion, the justices found that consumers don’t have a legal right to sue if a risk of reputational harm from misleading credit reports doesn’t materialize. This kind of standing-to-sue issue can come up for consumer claims brought in other contexts like data breaches, where information such as credit card numbers or Social Security numbers are exposed but not necessarily used for fraud or identity theft.
The Supreme Court’s opinion provides fodder for companies defending against privacy lawsuits to argue that exposure of information on its own isn’t enough for consumers to pursue their claims, said Aaron Weiss, a shareholder at Carlton Fields PA.
“After this decision, defendants will definitely fight things like exposure of Social Security numbers or health care information as being sufficient” to establish legal standing, Weiss said.
For consumers, arguing that they risk being harmed any time such information is subject to a breach, without showing if a risk was realized, “appears to be off the table now,” he said.
TransUnion appealed to the Supreme Court after it was ordered to pay $40 million to thousands of consumers who were categorized as potential terrorists due to a name-matching system.
The lead plaintiff in the case, Sergio Ramirez, alleged violations of the Fair Credit Reporting Act after a terrorist watchlist designation came up in his credit report while he was trying to buy a car.
At issue was whether other consumers who were also categorized as terrorists had standing to sue. The justices narrowed the class to only include consumers for which misleading credit reports were sent to third parties such as car dealerships, not those where the reports weren’t distributed.
The ruling “raises the bar” for consumers bringing privacy claims that don’t involve some kind of data disclosure, said Alan Butler, executive director of the nonprofit Electronic Privacy Information Center.
Examples of nondisclosure-based privacy claims include allegations that information in a database isn’t properly deleted or corrected, he said.
“It makes it more difficult to bring privacy claims not involving disclosure in the class action format,” Butler said, because claims could become much more individualized going forward.
The Supreme Court opinion’s impact is likely to be especially relevant for other cases involving laws like the Fair Credit Reporting Act that allow for consumers to seek monetary damages, said Kristin Bryan, a senior associate at Squire Patton Boggs focused on data privacy and cybersecurity.
Simply alleging a violation of a data protection law won’t be enough for consumers to sue and seek damages, she said. Consumers bringing lawsuits also won’t be able to rely on the risk of future harms, like the eventual disclosure or use of data that was subject to a security breach.
“The court here is skeptical of such a theory of liability,” Bryan said.
The case is TransUnion LLC v. Ramirez, U.S., No. 20-297, decided 6/25/21.