One issue that has arisen repeatedly in cases where private individuals sue for damages based on data breach is standing. In the federal system, standing goes to the very power of the court to adjudicate a case.
Under Article III of the United States Constitution, federal courts are only empowered to hear cases over which they have “subject matter” jurisdiction. Generally, when rights arise under federal law, a federal court has subject matter jurisdiction over a case. And, under certain circumstances, a suit between citizens of different states can be heard in federal court as “diversity of citizenship” also bestows subject matter jurisdiction on the court.
These general rules have been limited by the United States Supreme Court under the “Case or Controversy” clause of Article III, which provides that the federal judicial power only extends to actual “cases or controversies.” One of the jurisdictional limiting doctrines that has grown out of the Court’s interpretation of the “Case or Controversy” clause is that of “standing.” As the Court recently explained, “standing” under Article III requires that the plaintiff has: “(1) suffered an injury-in-fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Spokeo, Inc. v. Robins
, 136 S. Ct. 1540, 1547 (2016).
In Spokeo the plaintiff learned that the “people search engine,” Spokeo, had collected and then disseminated information about him that was untrue. The plaintiff filed a class action suit against Spokeo for violation of the Fair Credit Reporting Act (FCRA). The FCRA requires “consumer reporting agencies” to “follow reasonable procedures to assure maximum possible accuracy of” consumer reports, and provides that “[a]ny person who willfully fails to comply with any requirement [of the Act] with respect to any [individual] is liable to that [individual] ” for either “actual damages” or statutory damages, costs of the action, attorneys’ fees and potentially punitive damages. The district court dismissed the complaint citing the plaintiff’s lack of standing, but the Ninth Circuit reversed on appeal, finding that the plaintiff had alleged that “Spokeo violated his statutory rights, not just the statutory rights of others” and the plaintiff’s “personal interests in the handling of his credit information are individualized rather than collective.” Based on these findings, the Ninth Circuit concluded the plaintiff had adequately alleged injury-in-fact.
The U.S. Supreme Circuit disagreed and remanded the case for further proceedings. The Court noted that injury-in-fact “requires a plaintiff to allege an injury that is both ‘concrete and particularized,’” but the Ninth Circuit’s analysis only addressed “particularity,” not “concreteness.” The Court further explained:
For an injury to be “particularized,” it “must affect the plaintiff in a personal and individual way.”
A “concrete” injury must be “de facto”; that is, it must actually exist. When we have used the adjective “concrete,” we have meant to convey the usual meaning of the term – “real” and not “abstract.” (citations omitted)
With respect to the FCRA, the Court held that the plaintiff could not satisfy the standing requirement by alleging a “bare procedural violation.” The Court gave the example of a credit reporting agency providing an erroneous zip code in a credit report. “It is difficult to imagine how the dissemination of an incorrect zip code, without more, could work any concrete harm.”
The Supreme Court has not addressed the question of standing directly in a case involving a data breach. The circuit courts that have addressed the issue of standing in the data breach setting since Spokeo have issued conflicting opinions. See Galaria v. Nationwide Mutual Ins. Co.
, 2016 WL 4728027 (6CA Sept 12, 2016) (standing requirement satisfied in a data breach class action where the plaintiffs were placed “at a continuing, increased risk of fraud and identity theft” and a “sufficiently substantial risk of harm” beyond just a “possible future injury”); contrast In re Supervalu, Inc.
, 870 F.3d 763 (8CA 2017) (standing requirement was not met in the data breach class action because the plaintiffs could not “manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending” but allowing one plaintiff to proceed with his claims because he alleged that fraudulent charges had been made to his payment card account following the incident).
As a result of this split, a plaintiff’s ability to meet the standing requirement may depend on the circuit in which the case is brought. In jurisdictions where the federal courts have adopted a narrow interpretation of Spokeo, this leads to a strange result: plaintiffs may only be able to pursue federal rights in state court as state courts are not bound by the “standing” requirement under Article III. Something close to this happened in a recent Seventh Circuit case.
In Collier v. SP Plus Corp.
, 2018 WL 2186786 (CA7, May 14, 2018), the plaintiffs filed a state court class action lawsuit alleging that the defendant, the operator of public parking lots at Dayton International Airport, printed receipts that included the expiration date of their credit or debit cards in violation of the Fair and Accurate Credit Transaction Act (FACTA). Because the plaintiffs’ claims arose under federal law, the defendant removed the case to federal court and promptly moved to dismiss on the grounds that the plaintiffs lacked standing to sue rendering the federal court without subject matter jurisdiction. The plaintiffs agreed and moved the court to remand the action to state court because it was improperly removed in the first place.
The district court denied the plaintiffs’ motion and gave the plaintiffs time to amend their complaint to cure the standing defect. When the plaintiffs did not amend their complaint, the court dismissed the complaint with prejudice. Because the dismissal with prejudice acts as an adjudication on the merits, the plaintiffs could not refile in state court. The plaintiffs appealed the dismissal.
On appeal, the Seventh Circuit Court first noted that the party invoking federal court jurisdiction, in this case the defendant, has the responsibility to make sure that all requirements of that jurisdiction are met. If the defendant did not believe the plaintiffs had standing to sue, it was improper for them to remove in the first instance. Next, the Court noted that under the removal statute, a case must be remanded to state court if “at any time . . . it appears that the district court lacks subject matter jurisdiction.” Examining the complaint, the Seventh Circuit Court agreed that the plaintiffs lacked standing to sue.
Here, it is clear that Collier and Seitz’s complaint did not sufficiently allege an actual injury. A mere reference to “actual damages” in the complaint’s prayer for relief does not establish Article III standing. The single reference here falls far short of an allegation that the plaintiffs suffered a concrete harm or appreciable risk of harm apart from the statutory violation. (citations omitted)
Defendants argued that it would be unfair to remand the case because the plaintiffs might then amend their complaint “after it is too late” for removal, and requested the Court to direct the plaintiffs to amend their complaint to support their allegations of actual damages or strike those allegations from the complaint. The Seventh Circuit Court declined the request. “This is impossible. We have no basis to order these plaintiffs how to plead their case in state court after remand. Further, a state’s standing doctrine is ‘the business’ of its own courts; ‘it is not for [this court] to venture how the case would there be resolved.’” (citations omitted) The Court also noted that if the plaintiffs amended their complaint or served any other papers in the state court that conferred subject matter jurisdiction on the federal courts, the defendant would have 30 days from service to remove the case to federal court.
turned on the specificity of the pleading, this scenario could arise in a case where a plaintiff alleges damages based on the increased risk of injury from a data breach. That case would be removable in the Sixth Circuit, but not in the Eighth Circuit. In the Eighth Circuit, that case would have to be pursued in state court.
A similar anomaly would occur in a case where the plaintiffs sue for data breach under state law which might be brought in federal court based on diversity of citizenship. The state law might create a private right of action for “bare procedural violations” or for “increased risk of harm.” However, since standing is a constitutional question in federal court, the plaintiff would still need to satisfy Article III’s “injury-in-fact” requirement. So, the plaintiff’s ability to file originally in federal court or the defendant’s right to remove might be dependent on the circuit in which the case can be brought.
Standing is a significant issue in data breach cases. Standing can determine whether a case may be brought originally in or removed to federal court. Until the United States Supreme Court clarifies the standing doctrine in private data breach actions, plaintiffs and defendants must know the standing requirements in whichever circuit they find themselves regardless of whether the claim arises under federal or state law.