Two decisions last week further widened the divide among the Courts of Appeals in applying Spokeo in cybersecurity litigation.
In In re Horizon Healthcare Servs. Data Breach Litig., 2017 U.S. App. Lexis 1019 (3d Cir. Jan. 20, 2017), the Third Circuit revived a class action complaint against Horizon Healthcare Services relating to the theft of unencrypted personal information on two stolen laptops. The district court dismissed the complaint and ruled that plaintiffs lacked Article III standing because they had not suffered a cognizable injury. The Third Circuit reversed, concluding that the alleged Fair Credit Reporting Act (FCRA) violation, in and of itself, established injury in fact at the pleading stage sufficient to survive a motion to dismiss. Id. at *14, 22-24. The Third Circuit took a narrow view of Spokeo, recognizing that “it is possible to read the Supreme Court’s decision in Spokeo as creating a requirement that a plaintiff show a statutory violation has caused a material risk of harm before he can bring suit” (id. at *19) – but ultimately concluding that Spokeo simply “reiterate[d] traditional notions of standing.” Id. at *20. The Third Circuit relied upon its pre-Spokeo case law (In re Google Inc. Cookie Placement Consumer Privacy Litig., 806 F.3d 125 (3d Cir. 2015) and In re Nickelodeon Consumer Privacy Litig., 827 F.3d 262 (3d Cir. 2016)) and concluded that improper disclosure of personal data in violation of FCRA was a cognizable injury for Article III standing purposes. Horizon Healthcare, 2017 U.S. App. Lexis 1019 at *24.
Ironically, on the same day, the Seventh Circuit affirmed dismissal of a class action complaint against Time Warner alleging a statutory violation of the Cable Communications Policy Act. In Gubala v. Time Warner Cable, Inc., 2017 U.S. App. Lexis 1058 (7th Cir. Jan. 20, 2017), the Seventh Circuit acknowledged that there may be a statutory violation and acknowledged that there was a risk of harm, but the Court ultimately held: “while [plaintiff] might well be able to prove a violation of Section 551 [of the Act], he has not alleged any plausible (even if attenuated) risk of harm to himself from such a violation – any risk substantial enough to be deemed concrete.” Id. at *6 (citing Spokeo).
Both the Third Circuit and the Seventh Circuit cited the Eighth Circuit’s recent decision in Braitberg v. Charter Communications, Inc., 836 F.3d 925 (8th Cir. 2016), which we have discussed in prior blog posts. The Seventh Circuit cited Braitberg favorably, while the Third Circuit rejected Braitberg’s broad interpretation of Spokeo. Compare Gubala, 2017 U.S. App. Lexis 1058 at *6, with Horizon Healthcare, 2017 U.S. App. Lexis 1019 at *20 n.17. The two courts offered different interpretations and applications of Spokeo and therefore respectively relied upon and rejected Braitberg in the process.
Courts of appeals and district courts continue to wrestle with the Supreme Court’s Spokeo decision, which is less than a year old. This is also interesting because the Ninth Circuit still has not issued its own decision following the Supreme Court’s remand in Spokeo. It appears increasingly likely that the Supreme Court will accept certiorari review and clarify its Spokeo precedent in the near future.
KMK Law articles and blog posts are intended to bring attention to developments in the law and are not intended as legal advice for any particular client or any particular situation. The laws/regulations and interpretations thereof are evolving and subject to change. Although we will attempt to update articles/blog posts for material changes, the article/post may not reflect changes in laws/regulations or guidance issued after the date the article/post was published. Please consult with counsel of your choice regarding any specific questions you may have.
Joe Callow helps clients manage and reduce litigation risk and litigation costs. When litigation arises, he handles and coordinates cases on a national, regional, and local basis.
Joe primarily works on class action and complex ...
Jacob Rhode assists clients with litigation and dispute resolution, helping develop and implement strategies to successfully resolve corporate disputes.
Jacob primarily works on complex commercial and financial services ...