In its recent decision in TransUnion v. Ramirez, the Supreme Court clarified the mere risk of future injury can not support standing without a separate concrete harm. This will have far reaching repercussions in data breach and privacy litigation.

As I have discussed several times, there has been a glaring conflict among federal circuits concerning what is or is not standing in the data breach, virtual world

Article III of the U.S. Constitution requires that a plaintiff suffers an injury in fact that is concrete and which the law recognizes, to maintain an action. Article III has been interpreted to require a plaintiff to have personally:
  1. Suffered some actual or threatened injury.
  1. That can fairly be traced to the challenged action of the defendant.
  1. That is likely to be redressed by a favorable decision.
Without meeting these three requirements, a plaintiff has no standing and can not bring a lawsuit.
But like many legal concepts, standing gets murky in the virtual world. For example, if the data maintained by a business is stolen but not used by the bad guys, has there been any actual harm? What does it mean for harm to be threatened in this context?
Federal courts have struggled with these issues with inconsistent results. The District of Columbia, Sixth, Seventh, and Ninth Circuits have held that a defendant’s failure to properly secure a plaintiffs’ data that subjected the plaintiff to a risk of identity theft without more was sufficient to support standing. However, the Second, Third, Fourth, and Eighth Circuits require a data privacy plaintiff to allege additional facts that would “push the threatened injury of future identity theft beyond the speculative to the sufficiently imminent.” 
Standing could be supplied by a statutory violation and penalty as long as this close relationship between the actual harm and the statutory violation was present. Whatever that meant.
And as I have discussed before, the Supreme Court muddied the waters a few years ago in its decision in Spokeo v. Robins. The critical issue there was whether Article III standing could be conferred when a plaintiff suffers no injury but instead seeks only to recover statutorily imposed penalties. The Court held an intangible or threatened harm could itself satisfy Article III standing if there was a “close relationship” to actual harm. Thus, standing could be supplied by a statutory violation and penalty as long as this close relationship between the actual harm and the statutory violation was present. Whatever that meant.
How this harm and relationship must be pled and established was open to interpretation. SCOTUS didn’t say what was needed other than by noting, for example, that an incorrect zip code which could constitute a violation of the Fair Credit Reporting Act, would not supply standing because there would not be a sufficient tie to actual harm.
TransUnion v. Ramirez
But last week, in TransUnion LLC v. Ramirez, SCOTUS clarified what standing in the virtual world means. By a 5-4 majority, the Court held that a statute providing a private cause of action and a statutory penalty for a violation does not confer Article III standing unless the plaintiff alleges concrete, imminent harm besides the statutory damages.  
TransUnion marketed a product that purportedly would compare consumer’s first and last names (and nothing more) with names on a government list of possible terrorists and other criminals. If a consumer applying for credit shared a first and last name with a suspected terrorist, drug trafficker, or other serious criminal applied for credit, TransUnion would identify the person as a “potential match.”
The problem, of course, was that the list generated lots of false positives, which in hindsight should have been self evident to TransUnion.
The lead plaintiff brought a class action lawsuit under the Fair Credit Reporting Act. The putative class consisted of 1,853 people for whom TransUnion had provided misleading credit reports to third parties. The putative class also consisted of 6,332 other individuals. TransUnion had notified these individuals about the issues that could arise under the product. But it did not reveal the matches with the government database to any third parties. The question before the Court was whether either group had standing.
SCOTUS held that the 1,853 class members for whom TransUnion actually provided misleading credit reports did. This was because the “injury” of having misleading credit reports out in the world bore a “close relationship” to reputational harm that is typically recognized as actual
The mere risk of future injury from the credit report could not support standing without a separate concrete harm
But the other 6,332 class members about whom no credit reports were givien to anyone else had not, held SCOTUS, demonstrated a concrete injury. The reason—and this is why the case has far-reaching ramifications— was because the misleading information had not been published anywhere. Without publication, the Court held, there was no harm, no foul. No standing. In other words, the mere risk of future injury from the credit report could not support standing without a separate concrete harm
This last concept should resolve the split among circuits in a variety of data breach and privacy contexts. In most cases, it is the issue of threatened and potential harm that is the most vexing. The bad guys steal the data but don’t immediately do anything with it. Pre TransUnion, in some circuits, plaintiffs had standing. In others, they didn’t. Now, the mere taking of data and private information does not give rise to standing. To have redress, you have to wait until your data is used for nefarious purposes.
To say the least, TransUnion will have a chilling effect on data breach, privacy, and class action litigation.
Photo Attributions: