Supreme Court remand may signal end for data breach class actions

The Supreme Court’s decision to remand a Fair Credit Reporting Act (FCRA) case to the Ninth Circuit Court of Appeals may affect the future of class actions brought by victims of health care data breaches.  The High Court told the Ninth Circuit to determine whether the respondent in Spokeo, Inc. v. Robins (May 16, 2016) sustained a concrete injury for purposes of proceeding with FCRA allegations based on Spokeo’s alleged dissemination of incorrect information about the respondent.  The opinion emphasized the importance of the concreteness element of the injury-in-fact requirement of standing, and could endanger lawsuits filed by data breach victims based on impending injuries.

Spokeo

The respondent alleged that while he was “out of work” and “actively seeking employment,” Spokeo, a website that calls itself a “people search engine,” posted misinformation about him that was detrimental to his job search.  Specifically, he claimed that the misinformation stating that he was married with children, employed, and in “very strong” economic health made him appear overqualified for work, desirous of a higher salary, and unwilling to travel or relocate. He alleged that Spokeo’s actions violated the FCRA, which requires consumer reporting agencies to “follow reasonable procedures to assure maximum possible accuracy.”

A district court determined that the respondent did not have standing to sue, but the Ninth Circuit reversed, noting that Spokeo violated the respondent’s individual statutory rights and that his interests regarding how his credit information was handled were “individualized rather than collective.”  Writing for the majority, Justice Alito noted that standing requires an injury in fact that is both “concrete and particularized,” in addition to being “actual or imminent.” While the Ninth Circuit’s analysis concluded that the respondent’s injury was particularized, affecting him “in a personal and individual way,” the Supreme Court determined that the appellate court did not perform a separate analysis to determine whether the injury was concrete, with Justice Alito noting that “not all inaccuracies cause harm or present any material risk of harm.” He also noted, however, that concrete injuries may be tangible or intangible.  Justice Thomas concurred, while Justice Ginsburg, joined by Justice Sotomayor, dissented.

Health care ramifications

The Supreme Court’s view on concreteness could affect the ability of data breach victims to file class actions against the entities that held their protected health information (PHI). Prior cases have dealt with the “actual or imminent” aspects of alleged injuries, with circuits disagreeing with one another. In 2015, for example, the U.S. Court of Appeals for the Seventh Circuit determined that retail customers whose credit card information had been hacked were subject to a “certainly impending” risk of future injury involving fraudulent charges and identity theft, even though they had not actually fallen victim to those actions (see Credit hacking case opens door to health care class actions, August 11, 2015).  It issued a similar decision in 2016 in Lewert v. P.F. Chang’s China Bistro, Inc. (April 14, 2016), another credit hacking case, noting that the injuries were concrete.

In Khan v. Children’s National Health System (May 18, 2016), decided after Spokeo, the U.S. District Court for the District of Maryland determined that the plaintiff did not have an injury in fact.  It noted that, in the context of data breaches, victims allege “an injury in fact arising from increased identity theft if they put forth facts that provide either (1) actual examples of the use of the fruits of the data breach for identity theft, even if involving other victims; or (2) a clear indication that the data breach was for the purpose of using the plaintiffs’ personal data to engage in identity fraud.” In Khan, phishing emails targeted a hospital system’s employees’ emails that happened to contain some PHI, but the court found no evidence that hackers targeted PHI for the purposes of committing identity fraud.  The Khan court noted that the majority of district courts follow this line of reasoning. Stakeholders should follow the Spokeo case, as the ultimate decision may be an indication of the future trend of data breach class actions.