Every data breach class action in federal court must confront a threshold question: has the plaintiff alleged a sufficient “injury in fact” to establish Article III standing? The inquiry frequently focuses on whether a plaintiff has standing simply by pleading an increased risk of future injury from the theft of personal identifying information (PII). This is because many named plaintiffs do not––because they cannot––allege any present harm. The federal courts of appeals continue to weigh in on the issue of whether allegations of possible future harm suffice for Article III purposes. But far from providing clarity or consensus, recent appellate decisions have reached differing conclusions, which appear highly dependent on the nature of the facts alleged in each case.
Recently, the Ninth Circuit held in Bassett v. ABM Parking Services, Inc. that an allegation that a business violated the Fair and Accurate Credit Transactions Act (“FACTA”) by printing a credit card expiration date on a customer’s receipt is, by itself, insufficient to establish Article III standing under Spokeo, Inc. v. Robins. (For more information, read K&L Gates alerts on the Bassett decision and FACTA standing jurisprudence.) Now, in Noble v. Nevada Checker Cab Corp., No. 16-16573 (9th Cir. Mar. 9, 2018), the Ninth Circuit reached the same conclusion with respect to an alleged FACTA violation arising out of the printing of the first digit of the card number in addition to the last four digits. In doing so, the Ninth Circuit appears to be sending a strong signal to potential FACTA plaintiffs that something more than a technical violation is necessary to have standing to pursue statutory damages in federal court under FACTA.
The Sixth Circuit Court of Appeals recently ended a Fair Debt Collection Practices Act (“FDCPA”) lawsuit because the plaintiffs could not show that the allegedly offending letter had caused them actual harm. In Hagy v. Demers & Adams, the Sixth Circuit held that the plaintiffs lacked standing to sue a law firm for its technical FDCPA violation, namely failing to identify itself as a debt collector in a letter to the plaintiffs. Debt collectors will likely applaud the practical and sensible approach the Sixth Circuit applied in Hagy. The decision is remarkable, however, for its constitutional rebuke of Congress. Reminding the legislative branch that it lacks general police powers to create statutory remedies where no actual harm exists, the Sixth Circuit’s decision suggests — without specifically stating — that the statutory damage provision of the FDCPA may be unconstitutional. Read More
By David D. Christensen and Matthew N. Lowe
The Ninth Circuit recently clarified in In re Hyundai and Kia Fuel Economy Litigation that district courts must carefully scrutinize class settlements to ensure that they satisfy each of the prerequisites of Rule 23, especially for Rule 23(b)(3) classes, and that courts cannot substitute the fairness of a settlement for the proper certification analysis. Of particular note, the court emphasized the need to analyze whether potential material differences in the applicable states’ laws preclude certification of a nationwide settlement class.
To read the full alert, click here.
Through its recent en banc decision in PHH Corp. v. Consumer Financial Protection Bureau, the D.C. Circuit reinstated the holding of the three-judge panel regarding the safe harbor provision in Section 8(c) of the Real Estate Settlement Procedures Act (RESPA). Specifically, the court reaffirmed that under Section 8(c), payments made by one settlement service provider to another do not violate Section 8(a), even if made in connection with a captive relationship or a referral, when the payments are reasonably related to the market value of the goods, services, or facilities provided. Although potentially overshadowed by the portion of the en banc court’s holding that the leadership structure of the Consumer Financial Protection Bureau (CFPB) is constitutional, the panel court’s reinstated holding regarding RESPA’s Section 8(c) safe harbor is notable and important for the simple confirmation that the safe harbor “is what it is.”
To read the full alert, click here.
By Andrew C. Glass, Robert W. Sparkes, III, Roger L. Smerage, and Elma Delic
In what appears to be a first-of-its-kind ruling, the District Court for the Southern District of New York recently concluded that a federal district court has the authority to vacate an arbitrator’s class certification award based on the due process rights of absent class members. That this potentially ground-breaking decision arose from the long-standing litigation in Jock v. Sterling Jewelers, Inc. is no surprise. Over the course of a decade in Jock, the district court and the Second Circuit Court of Appeals have rendered multiple decisions addressing the proper role of a court in reviewing an arbitrator’s authority to determine whether parties have agreed to class arbitration. In the latest decision, the district court became the first court to apply Justice Alito’s concurrence in Oxford Health Plans LLC v. Sutter to strike down an arbitrator’s ruling. The Jock court determined that, absent an express class arbitration provision in each putative class member’s arbitration agreement, an arbitrator does not have the authority to bind absent class members to a class judgment—even if they signed the same form of arbitration agreement as the named plaintiffs. As discussed below, this novel decision could have significant implications.
To read the full alert, click here.
The Ninth Circuit recently limited the availability of diversity jurisdiction for certain cases with claims involving mortgage loan modifications. Specifically, in Corral v. Select Portfolio Servicing, Inc., the Ninth Circuit held that, where the plaintiff-borrower “seeks only a temporary stay of foreclosure pending review of a loan modification application … the value of the property or amount of indebtedness are not the amounts in controversy.” — F.3d —-, 2017 WL 6601872, at *1 (9th Cir. Dec. 27, 2017). Rather, to satisfy the amount in controversy requirement in such cases, parties must demonstrate that the value of the temporary delay in foreclosure exceeds $75,000, “such as the transactional costs to the lender of delaying foreclosure or a fair rental value of the property during pendency of the injunction” (in addition to any compensatory damages plaintiffs may be seeking). Id. at *5.
After paying for groceries with a credit card or debit card, the clerk hands the receipt to the customer. In addition to the last four digits of the card number, it contains the first digit. Or perhaps it contains the first six digits. Or maybe the expiration date. Is this a concrete injury that provides the customer standing to sue the grocery store?
That is the question federal courts have grappled with since the Supreme Court decided Spokeo, Inc. v. Robins in May 2016. The Fair and Accurate Credit Transactions Act (“FACTA”) regulates retailers’ conduct in printing card number information on customers’ receipts and provides a private right of action for alleged violations. But, as discussed below, a customer may not have standing to sue in federal court or even in certain state courts just because a violation may have occurred.
The Ninth Circuit has opined, again, on whether a statutory violation of the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. §§ 1681, et seq.—by itself—constitutes a concrete injury for Article III standing purposes. Last year, in Spokeo, Inc. v. Robins, the United States Supreme Court vacated and remanded the Ninth Circuit’s original opinion on the issue. Although the Ninth Circuit had reviewed the plaintiff’s allegations for existence of a particularized injury, it had not separately analyzed whether they described a sufficiently concrete injury. In Spokeo, the Supreme Court ruled that “a bare procedural violation [of a federal statute], divorced from any concrete harm,” does not suffice to “satisfy the injury-in-fact requirement of Article III.” But the Court declined to define a “bare procedural violation” in favor of allowing the Ninth Circuit to first consider the question. Now that the Ninth Circuit has done so, the Supreme Court may take up the question once more.
To read the full alert, click here.
The D.C. Circuit recently gave its opinion as to whether pleading an increased risk of future injury is sufficient to establish Article III standing to sue in a data breach class action filed in federal court. The issue has divided federal circuit courts of appeals.
In answering in the affirmative, the D.C. Circuit joined the view of the Sixth, Seventh, and Eleventh Circuits. Compare Attias v. CareFirst, Inc., — F.3d —-, No. 16-7108, 2017 WL 3254941 (D.C. Cir. Aug. 1, 2017), with Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012); Galaria v. Nationwide Mut. Ins. Co., 663 Fed. Appx. 384 (6th Cir. 2016) (unpublished); Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016); and Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015). In Attias, the plaintiffs did not allege that they had suffered identity theft as the result of a hacking incident involving a system containing their data. The defendant argued that the mere threat of future harm was too speculative to give rise to standing. But the D.C. Circuit held that it was plausible that the unauthorized party had “the intent and the ability to use [the] data for ill” and thus that the plaintiffs had jurisdictional standing at least at the pleading stage. Id. at *1, *5-*6. Notably, the standing issue arises under Fed. R. Civ. P. 12(b)(1) as an issue of subject matter jurisdiction. The D.C. Circuit did not otherwise decide whether the plaintiffs’ allegations stated a claim that could withstand a motion to dismiss under Fed. R. Civ. P. 12(b)(6), allowing the district court the opportunity to first review the question.
By contrast, the Second and Fourth Circuits have held that data breach plaintiffs lack standing where they plead nothing more than an increased risk of future injury. See Whalen v. Michaels Stores, Inc., — Fed. Appx. —-, No. 16-260, 2017 WL 1556116, at *1 (2d Cir. May 2, 2017) (unpublished); Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017), cert. denied sub nom., Beck v. Shulkin, No. 16-1328, 2017 WL 1740442 (U.S. June 26, 2017).
Notwithstanding the circuit court split, the United States Supreme Court has yet to grant certiorari to review the issue. We will continue to monitor and report on developments in data breach standing law as they occur.