On April 27, 2015, the United States Supreme Court granted certiorari on the seminal question of whether a putative class of consumers’ allegations of statutory violations under the Fair Credit Reporting Act (FCRA), without concomitant actual injury, are sufficient to withstand a motion to dismiss for lack of standing. Spokeo, Inc. v Robins. In other words, do they have to prove actual injury or is fear of future harm sufficient? The implications for cyber breach plaintiffs could be palpable, as the vast majority of consumers have been unable to demonstrate tangible harm. In such cases, plaintiffs typically allege that they have suffered lost time and angst as the result of their efforts to deal with the theft of their personally identifiable information (PII) such as their names, social security numbers, and physical and email addresses. Spokeo follows the Supreme Court’s decision in Clapper v. Amnesty International USA, where the Court again enumerated the principle that speculative or conceptual injury is insufficient and that plaintiffs must demonstrate “concrete, particularized and actual or imminent” harm in order to establish Article III standing. Since then, lower courts have been split on whether fear of future harm is enough to overcome the Constitution’s standing requirement. In Spokeo, plaintiffs alleged that Spokeo’s publication of inaccurate information in violation of the FCRA would adversely impact their employment prospects without showing tangible and concrete harm. Rather, they simply claim that their increased risk of harm satisfied the standing requirement. The predicate for the Spokeo lawsuit parallels that in cyber breach actions, albeit in those cases, plaintiffs oftentimes allege common law claims. Still, it is the rare consumer who incurs expense or suffers actual harm as the result of a cyber intrusion. They simply allege the risk of future harm. Is that enough? The Supreme Court will resolve the split of court authority in the statutory context this term.
Richard J. Bortnick is senior counsel at Traub Lieberman Straus & Shrewsberry and contributing author for the Cyber Risk Network. He was previously shareholder in law firm Christie, Parabue and Young. Rick litigates and counsels US and international clients on cyber and technology risks, exposures and best practices, directors’ and officers’ liability, professional liability, insurance coverage, and commercial litigation matters.
He also drafts professional liability insurance policies of varying types, including cyber, privacy and technology forms, and is Publisher of the highly-regarded cyber industry blog, Cyberinquirer.com.
