The biggest question looming over every class-action case filed in response to a data breach is: Will the plaintiffs have standing? The answer has divided courts in recent cases across the country.

Last year, the U.S. Supreme Court held in Spokeo, Inc. v. Robins that Congress could not confer standing to plaintiffs based on a violation of a statute alone.1 Instead, the Court held that, even if a statute has been violated, plaintiffs must prove they have an injury-in-fact and that the injury is both concrete and particularized. Spokeo added a new layer of complexity in pleading standing in data breach cases. Previously, the Supreme Court held in Clapper v. Amnesty International USA that “conjectural” or “hypothetical” injuries were insufficient to confer standing and that harm must be “certainly impending.”2 What Spokeo and Clapper mean in practice for data-breach cases is far from settled.Continue Reading Class Action Standing and Data Breaches: When Is There an Injury-in-Fact?

Last year, the U.S. Supreme Court issued a decision in Spokeo Inc. v. Robins, holding that a plaintiff bears the burden of establishing Article III standing by alleging an injury in fact that is concrete, particularized, and actual or imminent.1 The Court stated that “Article III standing requires a concrete injury even in the context of a statutory violation,” and that a plaintiff cannot “allege a bare procedural violation, divorced from any concrete harm, and satisfy the injury in fact requirement of Article III.”2

Following Spokeo, courts across the nation have been grappling with how to interpret and apply the decision. In particular, a jurisdictional divide has arisen regarding courts’ interpretations of the standing issue in Fair Credit Reporting Act (FCRA) consumer protection class actions. Courts in the Seventh and Eighth Circuits, for example, have tended to find no standing in FCRA cases.3 Conversely, the Ninth Circuit has leaned toward plaintiff-friendly findings of standing in FCRA cases.4 Thus, the post-Spokeo FCRA class action jurisprudence demonstrates the criticality of forum in determining a defendant’s likelihood of success in challenging standing.Continue Reading Post-Spokeo Jurisdictional Divide Continues as Northern District of California Rejects TransUnion’s Lack of Standing Argument

On July 21, 2017, Judge John A. Ross of the U.S. District Court for the Eastern District of Missouri issued a preliminary approval of a settlement agreement between the owner of AshleyMadison.com and the class representing former users whose personal information was breached in July 2015. Under terms of the settlement, Ruby Corp, the operator of the Ashley Madison website, is scheduled to pay $11.2 million. For some, the settlement announcement is a missed opportunity: the litigation represented a chance to clarify the scope of actionable consumer harm in breach-related litigation, as unlike in other notable breaches, the mere identification of individuals who used the website (and were thus affected by the breach) likely produced unwanted consequences. Nonetheless, the settlement agreement is interesting by itself, as it offers unique solutions to address class members seeking financial remuneration but wishing to avoid further publicity regarding their connection to AshleyMadison.com.
Continue Reading Ashley Madison: Life Is Short. Settle.