In Dieffenbach v. Barnes & Noble, Inc., the Seventh Circuit allowed a data breach class action to survive the pleadings stage, including a challenge to the plaintiffs’ standing. At the same time, the Court indicated that the plaintiffs may have a tough time proving their claims on the merits or establishing that class certification is warranted. That warning may put the brakes on this action as well as others brought on a similar theory of liability.
Every data breach class action in federal court must confront a threshold question: has the plaintiff alleged a sufficient “injury in fact” to establish Article III standing? The inquiry frequently focuses on whether a plaintiff has standing simply by pleading an increased risk of future injury from the theft of personal identifying information (PII). This is because many named plaintiffs do not––because they cannot––allege any present harm. The federal courts of appeals continue to weigh in on the issue of whether allegations of possible future harm suffice for Article III purposes. But far from providing clarity or consensus, recent appellate decisions have reached differing conclusions, which appear highly dependent on the nature of the facts alleged in each case.
The Sixth Circuit Court of Appeals recently ended a Fair Debt Collection Practices Act (“FDCPA”) lawsuit because the plaintiffs could not show that the allegedly offending letter had caused them actual harm. In Hagy v. Demers & Adams, the Sixth Circuit held that the plaintiffs lacked standing to sue a law firm for its technical FDCPA violation, namely failing to identify itself as a debt collector in a letter to the plaintiffs. Debt collectors will likely applaud the practical and sensible approach the Sixth Circuit applied in Hagy. The decision is remarkable, however, for its constitutional rebuke of Congress. Reminding the legislative branch that it lacks general police powers to create statutory remedies where no actual harm exists, the Sixth Circuit’s decision suggests — without specifically stating — that the statutory damage provision of the FDCPA may be unconstitutional.
The Ninth Circuit recently held in Bassett v. ABM Parking Services, Inc. that a plaintiff cannot establish Article III standing to maintain a Fair and Accurate Credit Transactions Act (“FACTA”) claim merely by pleading that a business printed a credit card expiration date on the plaintiff’s receipt. In so ruling, the Ninth Circuit followed similar rulings by the Second and Seventh Circuits, avoiding a potential circuit split. As explained below, the Bassett decision is the latest in a growing majority of cases in the wake of Spokeo, Inc. v. Robins that demand a plaintiff allege actual harm to maintain a FACTA damages claim—even one for statutory damages based on an alleged willful violation.
After paying for groceries with a credit card or debit card, the clerk hands the receipt to the customer. In addition to the last four digits of the card number, it contains the first digit. Or perhaps it contains the first six digits. Or maybe the expiration date. Is this a concrete injury that provides the customer standing to sue the grocery store?
That is the question federal courts have grappled with since the Supreme Court decided Spokeo, Inc. v. Robins in May 2016. The Fair and Accurate Credit Transactions Act (“FACTA”) regulates retailers’ conduct in printing card number information on customers’ receipts and provides a private right of action for alleged violations. But, as discussed below, a customer may not have standing to sue in federal court or even in certain state courts just because a violation may have occurred.
The D.C. Circuit recently gave its opinion as to whether pleading an increased risk of future injury is sufficient to establish Article III standing to sue in a data breach class action filed in federal court. The issue has divided federal circuit courts of appeals.
In answering in the affirmative, the D.C. Circuit joined the view of the Sixth, Seventh, and Eleventh Circuits. Compare Attias v. CareFirst, Inc., — F.3d —-, No. 16-7108, 2017 WL 3254941 (D.C. Cir. Aug. 1, 2017), with Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012); Galaria v. Nationwide Mut. Ins. Co., 663 Fed. Appx. 384 (6th Cir. 2016) (unpublished); Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016); and Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015). In Attias, the plaintiffs did not allege that they had suffered identity theft as the result of a hacking incident involving a system containing their data. The defendant argued that the mere threat of future harm was too speculative to give rise to standing. But the D.C. Circuit held that it was plausible that the unauthorized party had “the intent and the ability to use [the] data for ill” and thus that the plaintiffs had jurisdictional standing at least at the pleading stage. Id. at *1, *5-*6. Notably, the standing issue arises under Fed. R. Civ. P. 12(b)(1) as an issue of subject matter jurisdiction. The D.C. Circuit did not otherwise decide whether the plaintiffs’ allegations stated a claim that could withstand a motion to dismiss under Fed. R. Civ. P. 12(b)(6), allowing the district court the opportunity to first review the question.
By contrast, the Second and Fourth Circuits have held that data breach plaintiffs lack standing where they plead nothing more than an increased risk of future injury. See Whalen v. Michaels Stores, Inc., — Fed. Appx. —-, No. 16-260, 2017 WL 1556116, at *1 (2d Cir. May 2, 2017) (unpublished); Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017), cert. denied sub nom., Beck v. Shulkin, No. 16-1328, 2017 WL 1740442 (U.S. June 26, 2017).
Notwithstanding the circuit court split, the United States Supreme Court has yet to grant certiorari to review the issue. We will continue to monitor and report on developments in data breach standing law as they occur.
A North Carolina federal district court recently denied a motion by the federal government to dismiss claims raising a First Amendment challenge to a portion of the Telephone Consumer Protection Act (“TCPA”). See American Ass’n of Political Consultants v. Lynch, Case No. 5:16-00252-D (E.D.N.C.). At this early stage of the case, the government did not address the substance of the constitutional challenge. Rather, the government asserted that the court did not have jurisdiction over the case and that the political organizations which filed the suit did not have standing to maintain suit. The court, however, rejected the government’s arguments and allowed the case to proceed.
With the ever-increasing amount of personal information stored online, it is unsurprising that data breach litigation has become increasingly common. A critical issue in nearly all data breach litigation is whether a plaintiff has standing to pursue claims—especially where there is no evidence of actual fraud or identity theft resulting from the purported data breach. The plaintiffs’ bar has pursued a litany of legal theories in the attempt to clear the standing hurdle, including the recent theory of “overpayment” (a/k/a “benefit of the bargain” theory). Under this theory, the plaintiff alleges that the price for the purchased product or service—whether sneakers, restaurant meals, or health insurance—included some indeterminate amount allocated to data security. Depending on how the theory is framed, the purported “injury” is either that the plaintiff “overpaid” for the product or service, or that the plaintiff did not receive the “benefit of the bargain,” because the defendant did not appropriately use the indeterminate amount to provide adequate data security. Despite plaintiffs’ attempts to establish standing through this novel theory, courts have limited its applicability in a variety of ways discussed in this alert.
Guaranties are common practice in the commercial lending industry. Typically, the borrower is a small corporation, limited liability company, or similar entity that is thinly capitalized with few (likely encumbered) assets. Under these circumstances, the borrower’s promise to pay a debt is cold comfort to a commercial lender in the event of a default, where its only source of recovery is likely to be the collateral it holds. For this reason, commercial lenders often condition loans not only on a security interest in the borrower’s property, but also on a separate, individual guaranty agreement executed by a third party, usually the principals of the corporate borrower. Such guaranties provide another avenue through which commercial lenders may recover loan amounts and damages due to the borrower’s default.