The United States Supreme Court opinion in Spokeo (“Spokeo II) was viewed as a major decision in cybersecurity litigation. We at Mckenna Storer addressed the importance of that decision in this space in “No Harm, No Foul: Why Spokeo v. Robins is a Win for Data Privacy Defendants”. The results following that decision have been mixed for plaintiffs and defendants. In Spokeo II, the Court remanded the case to the U.S. Court of Appeals for the 9th Circuit, which recently issued its opinion on remand. The 9th Circuit held that Plaintiff has standing to sue Spokeo for violations of the Fair Credit Reporting Act (FCRA).
The 9th Circuit addressed whether Plaintiff Robins sufficiently pled a concrete injury such that he had standing to sue Defendant Spokeo under Article III of the United States Constitution. Robins argued that Spokeo’s alleged violation of the FCRA was sufficient to establish concrete injury. Guided by the Spokeo II opinion, the 9th Circuit considered the extent to which a violation of a statutory right can itself establish an injury sufficiently concrete for the purposes of Article III standing. Spokeo II made clear that a plaintiff must demonstrate an injury that is real and not abstract or merely procedural.
Additionally, the Court stated that intangible harm may rise to this level as with restrictions on free speech or harm to one’s reputation. Despite this earlier statement, Spokeo II recognized that some statutory violations alone can manifest concrete injury. As the 2nd Circuit summarized in Strubel v. Comenity Bank, Spokeo II “instruct[s] that an alleged procedural violation [of a statute] can by itself manifest concrete injury where Congress conferred the procedural right to protect a plaintiff’s concrete interests and where the procedural violation presents ‘a risk of real harm’ to that concrete interest.”
Based on its interpretation of Spokeo II, the 9th Circuit addressed two questions on remand: (1) whether the statutory provisions of the FCRA were established to protect concrete interests, and (2) whether the specific procedural violations alleged in this case actually harm, or present a material risk of harm, to such interests.
The court answered the first question in the affirmative. Specifically, the court determined that consumers have a concrete interest in accurate credit reporting about themselves. This determination is based on both the importance of credit reports in daily life and Congress’ judgment identifying this harm.
The court also affirmatively answered the second question. In doing so, the court focused on the information that was inaccurately reported; specifically, the plaintiff’s age, marital status, educational background, and employment history. The court determined that inaccurately reported information in this case was sufficient to present actual harm, or material risk of harm. The court also noted that not every inaccuracy will give rise to a concrete harm.
This most recent Spokeo opinion has confirmed what has been evident in cybersecurity litigation since the Supreme Court’s ruling in this case. The question of whether a plaintiff has standing to sue will be specific to the facts of each case. There is no bright line rule taking this issue off the table, so challenges to standing will continue to be raised by defendants in cybersecurity litigation.
If you found this content helpful, you may also value other Privacy and Data Security articles.