DataInsider, Digital Guardian's Blog

Will SCOTUS Spokeo Ruling Deny Justice To Data Breach Victims?



The suit against people-search service Spokeo didn't involve a data breach, but the ruling this month by the Supreme Court in Spokeo's favor could have big implications for breached firms and their customers.

A ruling earlier this month by the Supreme Court may go a long way toward resolving legal uncertainty about when, and whether, individuals caught up in a data breach have a right to sue the breached company. A funny thing: the case in question has nothing to do with a data breach. Also: the news for breach victims isn't good.

The case is Spokeo, Inc. v. Robins, which tested whether a people-search service like Spokeo could be held liable for publishing inaccurate data about an individual. The plaintiff, Thomas Robins, found woefully inaccurate information on his Spokeo profile that he believed may have cost him job opportunities. He filed a class action suit against Spokeo alleging violations of the federal Fair Credit Reporting Act (FCRA), which lets consumers recover statutory damages for willful violations even without proving actual losses.

The big question in this case was what the courts refer to as "standing": basically, whether you have a right to bring suit at all. And that's why Spokeo is so relevant to breached firms and their customers, because whether breach victims suffer harm that is concrete enough to be demonstrated in court is much disputed within legal circles.

That was the question in Spokeo v. Robins. In short: nobody disputed that Mr. Robins' profile on Spokeo was a mess. And, taken as alleged, those inaccuracies violated the FCRA provision that requires consumer reporting agencies to "follow reasonable procedures to assure maximum possible accuracy" of consumer reports.

The question, however, was whether Mr. Robins could show a concrete harm, or "injury in fact," to use legal parlance. That is, could he show that the inaccurate information actually hurt him: the loss of a job, or something along those lines.

The Ninth Circuit Court of Appeals had ruled in Robins' favor, finding that the alleged violation of his individual statutory rights under the FCRA was enough to give him standing to bring the class action. But the Supreme Court rejected that idea, ruling 6-2 that a bare statutory violation, divorced from any concrete harm, doesn't clear the bar for "injury in fact." The majority allowed that intangible harms, and even the risk of real harm, can be concrete, but it gave the example of a report listing an incorrect zip code as a violation that causes no harm at all.

That's where things get tricky. As this analysis by the law firm Hogan Lovells notes, defendants in data breach cases are already seizing on the Spokeo ruling to argue that class action and other suits linked to data breaches should be dismissed for lack of "concrete harm." In fact, that is precisely the argument Children's National Health System (CNHS) made in a filing on May 19, three days after the Spokeo ruling, in a class action suit brought by Fardoes Khan, a former patient at CNHS, following a July 2014 data breach there.

As we've noted on this blog before, lower courts have slowly been edging toward plaintiffs in class action and other civil cases alleging damages from data breaches, accepting the notion that a breach and the theft of personal information pose an imminent risk to consumers, even when no actual loss has yet occurred.

The U.S. Seventh Circuit reversed a lower court's dismissal of a class action suit against the restaurant chain P.F. Chang's, saying that the risk of "future injuries" to consumers caught up in the breach there was "sufficiently imminent" to give them standing. And Home Depot settled a class action suit over its breach, agreeing to pay $19 million to affected customers after its "no harm" argument gained no traction.

The question is how the Spokeo ruling will change that. As Hogan Lovells points out in its analysis, the importance of the decision may rest on whether lower courts interpret the ruling narrowly or broadly. Read narrowly, the ruling would only affect plaintiffs bringing class action suits under the FCRA, establishing that Article III standing requires a "concrete harm" and not merely a statutory violation. Read more broadly, however, Spokeo could make it very difficult for consumers whose information has been exposed by hackers to file class action suits, whether under the FCRA or other federal laws, without evidence of actual harm directly linked to the incident.

Or not. As this analysis at the National Law Review points out, the dissent by Justice Ginsburg, joined by Justice Sotomayor, leaves open the possibility that the treatment Robins received from Spokeo, the inaccurate information, could be considered "harm" if it can be shown to have affected his employment opportunities. That question now goes back to the Ninth Circuit, to which the Supreme Court remanded the case.

Paul F. Roberts is the Editor in Chief of The Security Ledger and Founder of The Security of Things Forum.


Paul Roberts is the editor in chief of The Security Ledger and founder of the Security of Things Forum. A seasoned reporter, Paul has more than a decade of experience covering the IT security space. His writing has appeared in publications including The Christian Science Monitor, MIT Technology Review and The Economist Intelligence Unit. He's appeared on news outlets including Al Jazeera America, NPR's Marketplace Tech Report and The Oprah Show.