Supreme Court Solidifies Data Breach and Data Privacy Plaintiff’s Inability to Meet Article III Standing Requirement Based on Fear of InjuryMarch 8th, 2013 by Paul Pittman
The U.S. Supreme Court issued an important decision last week that solidified the approach taken by federal courts to deny Article III standing to plaintiffs in data breach and data privacy cases. The decision in Clapper v. Amnesty Int’l USA, No. 11-1025, (February 26, 2013) dealt a serious blow to plaintiff’s ability to seek redress for the unauthorized collection of their personal information (“PI”) and fortified defendants’ ability to have these claims dismissed at the pleadings stage.
In Clapper, plaintiffs – consisting of attorneys and human rights, labor, and media organizations – challenged the constitutionality of a federal surveillance statute that authorized the surveillance of non U.S. citizens located abroad. Plaintiffs alleged that they engaged in sensitive communications with foreigners who would likely be monitored under the statute. Initially the Second Circuit held, in a novel ruling, that plaintiffs had standing to challenge the constitutionality of the federal foreign surveillance statute based on an objectively reasonable fear that their particular communications would be monitored. The Second Circuit found that the plaintiffs’ reasonable fear of being monitored, and the expenses incurred by plaintiffs to mitigate the likelihood of surveillance, was sufficient to establish an injury in fact to confer Article III standing.
In a 5-4 decision, the Supreme Court disagreed. The Court found that respondents’ fear of injury (surveillance) was too speculative and that the objectively reasonable standard applied by the Second Circuit was inconsistent with the Supreme Court requirement that a threatened injury by certainly impending to confer Article III standing. The Court determined that respondents’ fear relied upon a highly attenuated chain of possibilities that did not satisfy the certainly impending requirement. The Court noted that it is “reluctant to endorse standing theories that require guesswork as to how independent decisionmakers will exercise their judgment.” The Court also rejected respondents’ attempts to establish standing by pointing to ongoing costs incurred to mitigate the likelihood that their communications would be intercepted, such as flying overseas to meet with contacts in person rather than over the telephone. The Court held that “respondents cannot manufacture standing by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”
What does all this have to do with data breach and data privacy? Typically, plaintiff’s claims in data breach and data privacy cases are based on a fear of future injury or harm associated with the unauthorized collection and use of their personal information, such as the sale of PI to third party advertisers or identity theft. Courts have routinely dismissed plaintiffs’ claims based solely on a fear of injury or harm, which underscored the significance of the Second Circuit finding of Article III standing based on a fear of injury. However, by rejecting the Second Circuit ruling, the Supreme Court solidified the requirement that consumer data privacy plaintiffs must establish an injury in fact, that is actual or certainly impending, and beyond mere speculation (or fear) in order to obtain Article III standing. In addition, the Court’s rejection of the use of expenses incurred by a plaintiff to mitigate the occurrence of the injury feared, as proof of injury, removed another tool from plaintiffs’ dwindling arsenal for clearing the pleading stage in data privacy and data breach cases.
Ultimately, the Clapper decision provides a strong defense for companies who are currently faced, or will be faced, with claims relating to data breach or data privacy cases. Given the rise in cyber attacks and claims of unauthorized collection and use of consumer data, Clapper should play an important role in shaping consumer data privacy litigation going forward. However, it is worth mentioning that although the Supreme Court cited the certainly impending standard for determining Article III standing for a risk or fear of injury, the Court did not provide much guidance about how to apply the standard. The Court simply noted that the fear of injury in the Clapper case was highly speculative and relied on a highly attenuated chain of possibilities. Consequently, we can expect the certainly impending standard to be a major point of contention going forward as courts straddle the line in determining whether a plaintiff’s fear of injury meets the standard.
In the meantime, defendants should utilize Clapper in eliminating plaintiffs’ consumer data privacy claims, by focusing their defense on establishing how unlikely a plaintiff is to be actually injured by the data breach or violation of the plaintiff’s data privacy. The Clapper decision suggests that defendants in data breach and data privacy cases who can identify and expand on the multitude of factors that would have to occur for an injury to be found, while noting the various independent decisions that must be made along the way, will have a good shot at eliminating Article III standing based on a risk or fear of injury.