Two decisions last week further widened the divide among the Courts of Appeals in applying Spokeo in cybersecurity litigation.
In In re Horizon Healthcare Servs. Data Breach Litig., 2017 U.S. App. Lexis 1019 (3d Cir. Jan 20, 2017), the Third Circuit revived a class action complaint against Horizon Healthcare Services relating to the theft of unencrypted personal information on two stolen laptops. The district court dismissed the complaint and ruled that plaintiffs lacked Article III standing because they had not suffered a cognizable injury. The Third Circuit reversed, concluding that the alleged Fair Credit Reporting Act (FCRA) violation, in and of itself, established injury in fact at the pleading stage sufficient to survive a motion to dismiss. Id. at *14, 22-24. The Third Circuit took a narrow view of Spokeo, recognizing that “it is possible to read the Supreme Court’s decision in Spokeo as creating a requirement that a plaintiff show a statutory violation has caused a material risk of harm before he can bring suit” (id. at *19) – but ultimately concluding that Spokeo simply “reiterate[d] traditional notions of standing.” Id. at *20. The Third Circuit relied upon its pre-Spokeo case law (In re Google Inc. Cookie Placement Consumer Privacy Litig., 806 F.3d 125 (3d Cir. 2015) and In re Nickelodeon Consumer Privacy Litig., 827 F.3d 262 (3d Cir. 2016)) and concluded that improper disclosure of personal data in violation of FCRA was a cognizable injury for Article III standing purposes. Horizon Healthcare, 2017 U.S. App. Lexis 1019 at *24.
Ironically on the same day, the Seventh Circuit affirmed dismissal of a class action complaint against Time Warner alleging a statutory violation of the Cable Communications Policy Act. In Gabala v. Time Warner Cable, Inc., 2017 U.S. App. Lexis 1058 (7th Cir. Jan. 20, 2017), the Seventh Circuit acknowledged that there may be a statutory violation and acknowledged that there was a risk of harm, but the Court ultimately held: “while [plaintiff] might well be able to prove a violation of Section 551 [of the Act], he has not alleged any plausible (even if attenuated) risk of harm to himself from such a violation – any risk substantial enough to be deemed concrete.” Id. at *6 (citing Spokeo).
Both the Third Circuit and the Seventh Circuit cited to the Eighth Circuit’s recent decision in Braitberg v.. Charter Communications, Inc., 836 F.3d 925 (8th Cir. 2016) which we have discussed in prior blog posts. The Seventh Circuit cited Braitberg favorably while the Third Circuit rejected Braitberg’s broad interpretation of Spokeo. Compare Gabala, 2017 U.S. App. 1058 at *6, with Horizon Healthcare, 2017 U.S. App. Lexis 1019 at *20 n.17. Both courts offered different interpretations and application of Spokeo and therefore separately relied up and rejected Braitberg in the process.
Courts of appeals and district courts continue to wrestle with the Supreme Court’s Spokeo decision which is less than a year old – which is also interesting because the Ninth Circuit still has not issued its own decision following the Supreme Court’s remand in Spokeo. It appears increasingly likely that the Supreme Court will accept certiorari review and clarify its Spokeo precedent in the near future.
KMK Legal Alerts and Blog Posts are intended to bring attention to developments in the law and are not intended as legal advice for any particular client or any particular situation. Please consult with counsel of your choice regarding any specific questions you may have.
© 2019 Keating Muething & Klekamp PLL. All Rights Reserved
Joe Callow helps clients manage and reduce litigation risk and litigation costs. When litigation arises, he handles and coordinates cases on a national, regional, and local basis.
Joe primarily works on class action and complex ...
Drew Hicks assists clients in litigation and dispute resolution by, among other things, advising clients on litigation risk management and cost issues. Drew focuses his practice on representing public and private companies in a ...
Jacob Rhode assists clients with litigation and dispute resolution, helping develop and implement strategies to successfully resolve corporate disputes.
Jacob primarily works on complex commercial and financial services ...
- Cybersecurity and Privacy Law
- Cybersecurity Regulation
- Data Breach
- Privacy Laws
- Class Action Litigation
- General Data Protection Regulation
- Mergers & Acquisitions
- Incident Response Plan
- Information Governance
- Corporate Law
- Federal Trade Commission
- Seventh Circuit
- Department of Justice
- Cyber Insurance
- September 2018 Was a Busy Month for Data Privacy
- GDPR - 90 Days Later
- GDPR: Less Than 100 Day and Counting to "G-Day" - Here's What You Need to Know
- SEC Issues Guidance on Cybersecurity Disclosures
- New D.C. Circuit Ruling Finds Substantial Risk of Harm Inherent to Data Breach
- Target Class Action Settlement Temporarily Upended
- Spokeo Continues to Divide the Lower Courts in Cybersecurity Litigation
- Cyber Breach Incident Notification Guidelines Ahead
- CyberSecurity News: Spokeo, Galaria and Braitberg
- Privacy Class Action Dismissed Under Spokeo