BIRMINGHAM — Two recent decisions in two different federal appeals courts regarding who has the right to sue over data breaches reflect a “social shift” in how “we view our data,” according to an attorney specializing in privacy law.
The first ruling, which was filed in the U.S. Court of Appeals for the Ninth District, found that a plaintiff’s alleged “increased risk for identity theft” was enough to confer standing to allow the lawsuit to continue. The case arose after the servers of Zappos.com, an online retailer, were breached in 2012.
The second decision, which was handed down by the U.S. Court of Appeals for the Seventh District in Chicago, revived a class action suit against bookseller Barnes & Noble stemming from a data breach in 2012 in which credit card data was stolen from consumers.
However, not all courts have handled these types of cases in the same way, according to Niya T. McCray, an attorney at Bradley Arant Boult Cummings LLP's Birmingham, Ala., office.
Niya McCray Bradley Arant Boult Cummings
The core issue revolves around Article III standing, which is required to bring a case in federal court. Article III of the U.S. Constitution requires a “concrete actual injury” or an “impending actual injury,” and courts have differed on whether standing should be granted in cases centered around a threat of future harm.
“Throughout the years, we have seen splits in authority,” McCray told the Cook County Record. “Some cases needed plaintiffs to give them hard evidence of ‘real’ harm: charges on your credit card, out-of-pocket fees, things of that nature. In those cases, the threat of future harm, though real enough for the affected consumers, was not enough to warrant standing. Other courts, though, have been more lenient, which may be attributable to their respect for and knowledge of data sensitivity.”
McCray said that recent rulings in the Seventh and Ninth Circuits are significant because they mirror big changes in the ways that we view our data.
“There was a time when you absolutely had to show that you’d already experienced some kind of economic loss before you could even file a complaint,” McCray said. “Now, though, plaintiffs and consumers are able to recuperate prospective losses based on the theory that any time their data is compromised, they are at a constant, pervasive risk of further harm, even if that harm has not happened yet.”
McCray said the recent decisions square with the U.S. Supreme Court’s decision in Spokeo Inc. v. Robins. In that case, the high court drew distinctions between “concrete” and “tangible” injuries. The plaintiff in that case, however, could not prove harm.
“In Spokeo, the court differentiated between a ‘concrete’ injury and a ‘tangible’ injury,” McCray said. “Essentially, the risk of real harm was not ruled out as a means of satisfying the Article III injury-in-fact requirement.
"Once your data - personally identifying information - has been breached, there is always a lingering fear that something unfavorable will happen. In my opinion, the new trend towards recognizing the fear of impending harm squares perfectly with Spokeo. Future data misuse is cognizable; it’s palpable, and it merits standing.”