TransUnion changes the game in data breach and privacy class actions

This summer, the U.S. Supreme Court issued its decision in TransUnion LLC v. Ramirez, 141 S. Ct. 2190, holding that plaintiffs must suffer concrete harm to have standing to recover for a statutory violation. In doing so, the Supreme Court overturned the 9th U.S. Circuit Court of Appeals' ruling that the class members' alleged risk of future harm conferred standing. This seemingly simple decision has broad ramifications in all class actions because it is now clear that a statutory violation alone cannot confer Article III standing. This shift significantly impacts data breach and privacy class actions where plaintiffs have historically relied on allegations of a risk of future harm caused by the breach or privacy violation to establish standing.

Where Were We?

In 2016, the Supreme Court issued its decision in Spokeo v. Robins, 136 S. Ct. 1540, which opined on the meaning of the term "concrete injury" as used in the context of Article III but created more questions than answers. The Spokeo court defined "concrete injury" as "real" and not "abstract," but also held that the injury does not necessarily have to be "tangible." This loose definition left courts throughout the country struggling to determine what types of intangible damages were "concrete." In the context of the Fair Credit Reporting Act, circuit courts divided over whether a violation alone constitutes concrete injury, resulting in plaintiffs' forum shopping to obtain the broadest possible interpretation. The Supreme Court's grant of certiorari in TransUnion provided hope for some practical guidance as to the meaning of "concrete injury."

Following TransUnion , a Risk of Future Injury Does Not Confer Standing

In TransUnion, the plaintiff alleged a FCRA violation on behalf of a nationwide class based upon TransUnion's alleged lack of reasonable procedures to assure accurate reporting of consumer records relating to "potential" terrorists, drug traffickers, and other serious criminals. For Article III standing purposes, the Supreme Court drew a distinction between class members whose consumer reports had and had not been disclosed to third parties. In doing so, the court rejected Ramirez's proposition that, under Spokeo, "a plaintiff automatically satisfies the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right."

For those whose consumer reports were disclosed to third parties, the Supreme Court found the existence of concrete injury because of the "longstanding American law [that] a person is injured when a defamatory statement that would subject him to hatred, contempt, or ridicule is published to a third party[.]" For the remaining class members whose reports were not shared with third parties, no such injury occurred, and the risk of future injury was insufficient. The court reasoned that if individuals are indeed exposed to a risk of "future harm, time will eventually reveal whether the risk materializes in the form of actual harm ... [and] then the harm itself, and not the pre-existing risk, will constitute a basis for the person's injury and for damages." The court explained that Congress may not "simply enact an injury into existence, using its lawmaking power to transform something that is not remotely harmful into something that is."

A Likely Shift in Data Breach and Privacy Class Actions

The TransUnion decision will impact future privacy and data breach class actions where Article III standing has historically been a central threshold issue. Proving concrete harm resulting from a data breach or privacy violation is difficult given that the usual alleged harms are not tangible, and even if they are, cannot be traced back to the alleged privacy violation or breach. This is particularly true for data breach class actions since plaintiffs often already have had their personally identifiable information disclosed in prior breaches or voluntarily in social media posts or otherwise. Before TransUnion, plaintiffs often alleged the risk of future harm as a basis for Article III standing, claiming that disclosure of their personal information could lead to identity theft and fraudulent charges. And, for a period of time, several courts found that such allegations established Article III standing.

For example, in In re Adobe Sys., Inc. Priv. Litig., 13-CV-05226-LHK (N.D. Cal. Aug. 13, 2015), the Northern District of California held that the risk that "[p]laintiffs' personal data will be misused by the hackers who breached Adobe's network is immediate and very real [especially considering that] there is no need to speculate as to whether [p]laintiffs' information has been stolen and what information was taken." On that basis, the court denied Adobe's motion to dismiss the plaintiffs' class action claims for lack of Article III standing because the plaintiffs had alleged a "concrete and imminent" harm.

Similarly, in Krottner v. Starbucks Corp., 2010 DJDAR 18689, the 9th Circuit held that appellants' allegations of an increased risk of identity theft due to the potential exposure of their names, addresses and social security numbers stored on a stolen laptop were sufficient to confer Article III standing. Today, these courts would need to reach an entirely different conclusion now that the Supreme Court has made clear a threat of future injury is not concrete.

Following TransUnion¸ we foresee defendants relying on the Supreme Court's succinct explanation: "[n]o concrete harm, no standing." As for plaintiffs, the road to standing will be more difficult in that they must now show concrete injury that can be traced to the incident. Because the "threat of future injury" is no longer sufficient, we already have seen plaintiffs alleging other novel categories of purported injuries, including diminution of value of their own personal information, time and money spent mitigating the potential effects of the incident, and claims that a company has been "unjustly enriched" by housing personal information without adequate security measures. Courts are currently struggling with these novel theories and have handled them in disparate ways. We also anticipate that the plaintiffs' bar will increasingly try to pursue these claims in state court under circumstances in which a defendant cannot remove the case to federal court. States currently have wide variances in standing requirements, many of which impose a much less demanding standard than Article III. 