It’s hardly controversial to say that data breaches are a bad thing for business, resulting in lost customers, lost confidence, and lost credibility. But what about the lost data? What kind of consequences come, for instance, when a malicious insider sells vast quantities of customer data, or an outsider exploits a weakness in your security to pilfer financial records and personal data?
Unsurprisingly, lawsuits are a near-instant response to a breach notification or press release, with specialized law firms that assemble groups of affected customers for class actions. Some of these lawsuits will be in the multi-million dollar range, while others will simply be a few individuals, but what they all have in common is that they very rarely lead to a jury verdict or a large settlement. In fact, many of these breach lawsuits are dismissed before discovery begins, which means the defendant company doesn’t have to endure a lengthy, costly, embarrassing process of producing documents and sitting for depositions.
Why is it this way? What possible explanation could there be for the difficulty these plaintiffs have in getting their day in court? The answer is simple: the Supreme Court has made it this way.
Standing to Sue
To be fair, it isn’t exactly new for the Supreme Court to limit the ability to pursue a lawsuit, nor is it entirely without justification. Only a litigant with an actual grievance that a court can actually solve is allowed to bring a lawsuit in federal court. This active stake in the outcome of litigation is called “standing,” and it has a basis both in the Constitution itself (Article III, sec. 2, cl. 1) and in simple judicial resource management: if everyone could sue everyone all the time for any reason, no one would ever leave the courthouse.
But SCOTUS hasn’t exactly been overly generous with its approach to standing. In fact, the slow whittling down of standing in federal cases is a major theme of the last fifty years of jurisprudence and legislation, with a particular emphasis on cutting back on class actions. Without the ability to show the right kind of injury and the right kind of potential remedy, plaintiffs’ claims are moribund.
While that may seem like an unfair limitation on the right to a day in court, it isn’t necessarily so. Article III of the Constitution came into force in 1789, and for some years thereafter the number of federal laws, federal employees, and federal buildings could fit into a New York City block. Today, the tax code and associated regulations alone would fill a West Village apartment that costs $3,000 a month; managing the onslaught of cases does require some kind of limiting principle.
Why Standing Matters in Breach Cases
That limiting principle, largely, requires the kind of concrete injury and redress a court can order that we discussed above — Bob stole my car and I want it back, Dave’s company is using my trademark and I want it stopped, Pete threw an alligator at me through a drive-thru window and I want compensation. But how does it apply to situations like data breaches, where finding the harm can be nearly impossible (as where it is unclear what data has been accessed, or whether it has been copied) or identifying redress is messy (as where no identity theft occurs or, perhaps, where no credit card numbers are stolen)?
In 2016, the Supreme Court made its first substantive foray into standing as it relates to data on the internet, issuing an opinion called Spokeo v. Robins. The case centers on an inaccurate profile of Robins on Spokeo.com, a website that offers credit and risk rating profiles about individuals based on publicly available information. Robins asserted, as the class representative in a national class action, that the falsity of the online profile harmed him and others, and that the Fair Credit Reporting Act made publication of such false information as part of a credit or risk profile illegal. Oddly enough, Robins’s Spokeo profile was false in a positive way, in that it portrayed him as a wealthy, high-profile business person. In his pleading, Robins never argued that the profile caused him any harm, simply that its falsity online was enough to state a claim.
SCOTUS disagreed, 6-2, concluding that, while FCRA does impose an obligation to report only accurate information, Robins’s claim lacked a showing of concrete harm:
This Court takes no position on the correctness of the Ninth Circuit’s ultimate conclusion, but these general principles demonstrate two things: that Congress plainly sought to curb the dissemination of false information by adopting procedures designed to decrease that risk and that Robins cannot satisfy the demands of Article III by alleging a bare procedural violation.
In short, simply identifying that information online was false or inaccurate is insufficient to show harm, even if that information could have been accessed by others. Although Robins eventually repleaded to state that he had been harmed in employment prospects and in his personal life, the rule in Spokeo remains: the dissemination or movement of data untied to particularized harm is not enough to state a claim.
That requirement means, procedurally, that many data breach cases can never state a claim either, because it demands a credible allegation of harm where, often, none can be found. It can be years before the financial consequences of a breach take root (in the compilation of a false identity, for instance) or for disinformation to spread and have a meaningful effect.
A Change on the Way?
Obviously, Spokeo is helpful to businesses that experience a breach or (in some cases) use data in ways that are objectionable. Which, inevitably, brings us to Facebook. The social giant is embroiled in a lawsuit alleging that its facial-recognition software violates the Illinois Biometric Information Privacy Act, one of the nation’s most important laws on the collection of biometrics (like retina scans, fingerprints, and facial ID). The lawsuit (Facebook, Inc. v. Patel) contends that Facebook, without proper disclosure or compliance with BIPA, obtained the users’ likenesses and appropriated them for the company’s own, undisclosed, uses.
The Ninth Circuit — based in San Francisco and the very same appellate court that SCOTUS overruled in Spokeo — concluded that the future risk of improperly obtained data is sufficient injury to sustain a claim, allowing the Patel suit to proceed. (The risk for Facebook, by the way, is enormous: BIPA includes statutory damages of $1000-$5000, and the class represents more than 6 million).
Why does this matter? Because the Ninth Circuit and the Sixth Circuit (in Cincinnati) both think that mere disclosure or access to data that can be misused in the future is enough to state a claim under Spokeo, but the Second Circuit (in New York), the Eighth Circuit (in Minneapolis) and the Eleventh Circuit (in Atlanta) disagree, and require some additional proof of harm at the time of pleading.
This is what’s called a “Circuit Split,” which means that the federal intermediate appellate courts have a disagreement on a question of substantially important law. There are only two ways to resolve a Circuit Split: a clarifying ruling by the Supreme Court or specific, responsive legislation passed by Congress. Given Congress’s relative lethargy on privacy in general and its lack of attention to procedural questions in federal courts in particular, it’s probably fair to doubt whether the latter option will come about.
We’re left, then, with the need for the Supreme Court to weigh in. Much has changed since Spokeo in 2016 — the addition of Justices Gorsuch and Kavanaugh, thousands of data breaches, increased focus on the effects of privacy on personal rights. But it is difficult to see the new Justices taking a different approach than their predecessors, and given Justice Kagan’s siding with the majority in Spokeo, it is unlikely that there will be a fundamental change in the law.
And that’s the important thing to understand about how the Supreme Court works: it’s almost always incremental. Even the big decisions are often more of a marker for future decisions rather than the final word. Brown v. Board of Education was a landmark ruling that changed American society, yes. But how often do you read about the thousands of cases that followed, explaining, refining, clarifying, and modifying it? Does Brown require the integration of public swimming pools? (Yes.) Does Brown permit closure of a public swimming pool to avoid integration? (Also, oddly, yes.) And so on, and so on.
Does this mean that privacy lawsuits never go anywhere? Absolutely not, for a few reasons. First, the Spokeo limitations are only about breaches where you can’t show harm yet. If your credit card was used, you can absolutely sue. Second, this is just about private lawsuits. Regulators can (and will) investigate, fine, and punish.
Finally, the Circuit Split may lead to real change, though in the incremental approach mentioned above. Will the Court overturn Spokeo in response to Patel? Probably not. But will there be changes that modify the judicial approach to data breaches, and potentially incorporate new understanding and awareness of privacy issues? It’s a possibility. The Court, like any institution, adapts and responds to change, and sometimes it takes public commentary and public advocacy to highlight the extent of those changes, particularly given the uncertainty and confusion Spokeo and its overly restrictive standard have already caused. The question is whether it will respond to public attention to privacy issues and developments in our understanding of how harm manifests itself online, or if it takes a wait-and-see approach. For now, that’s exactly what the rest of us will have to do.