“[I]f inaccurate information falls into a government database, does it make a sound?” Partly affirming summary judgment for the defendant in Owner-Operator Indep. Drivers Ass’n, v. DOT, No. 16-5355 (D.C. Cir. Jan. 12, 2018), the U.S. Court of Appeals for the D.C. Circuit answered its own question in the negative and held that a handful of truck drivers lacked standing to sue over the existence of allegedly inaccurate driver information in a government database. However, the court also ruled that two truck drivers about whom information was disseminated could overcome the Spokeo bar that sunk the claims of their peers and permitted their claims to go forward. In doing so, the appeals court helped clarify what actions in the digital realm rise to the level of concrete harm.

Plaintiffs in Owner-Operator were five commercial truck drivers and their industry association. Pursuant to federal regulations, the drivers’ safety records were contained in the Motor Carrier Management Information System, which employers may access through the Department of Transportation’s (DOT) Pre-Employment Screening Program. Each of the plaintiff drivers successfully challenged safety citations they had received in court, and then asked to have the citation reports removed from the safety record database.Continue Reading D.C. Circuit finds dissemination, but not mere existence, of inaccurate information in government database satisfies Article III standing requirement post-Spokeo

Michaels escaped a potential class action alleging Fair Credit Reporting Act (“FCRA”) violations late last month when a federal judge found the United States Supreme Court’s recent decision in Spokeo, Inc. v. Robbins, 136 S. Ct. 1540 (2016) foreclosed the plaintiffs’ claim for a bare statutory violation not resulting in concrete damages.  The recent ruling in In re: Michaels Stores, Inc., Fair Credit Reporting Act (FCRA) Litigation confirms the significance of the Spokeo decision and also provides FCRA defendants with additional ammunition to use in fighting statutory violation claims where damages are lacking.

The Michaels suit was based upon the consolidation of three proposed class actions alleging the store failed to clearly and conspicuously announce its intent to obtain background checks in a separate document containing only that disclosure, which was in violation of the FCRA. Instead of providing a standalone document, Michaels did disclose that it would be obtaining such checks as part of its online employment application. The complaints in the class pointed to 15 U.S.C. § 1681b(b)(2)(A), which directs that an employer may not procure a consumer report for employment purposes without providing a “clear and conspicuous disclosure…in a document that consists solely of the disclosure….”
Continue Reading Bare Statutory Violation of FCRA Fails to Satisfy Standing Requirements Post-Spokeo, Says District of New Jersey in Suit Over Michaels Employment Disclosures

While the United States Supreme Court’s ruling in Spokeo v. Robins, 136 S. Ct. 1540 (2016), has garnered much attention after being cited by numerous courts as a means to dismiss data privacy class actions, defendants should never count out any potential avenues for exiting such a suit; in Pennsylvania (and in many other states following the same legal principle), the economic loss doctrine can also provide summary relief.  As demonstrated in Longenecker-Wells, et al. v. Benecard Services, Inc., et al., No. 15-3538, 2016 WL 4474701 (3d Cir. Aug. 25, 2016), even in data breach suits where actual harm exists and plaintiffs have standing, a quick dismissal is still possible.

The Benecard suit was initiated by former employees and customer members of Benecard Services Inc., which provides medical and vision supply services to public and private organizations.  Plaintiffs sued after unknown third parties breached Benecard’s computer system and accessed plaintiffs’ personal and confidential information.  The hackers then used that information to file fraudulent tax returns, which caused the IRS to issue tax refunds to the third parties rather than to the plaintiffs. 
Continue Reading Third Circuit Dismissal Affirmance Based on Economic Loss Doctrine Shows Spokeo Shouldn’t Be Your Only Data Breach Class Action Exit Strategy

In an instructive opinion on how intangible harms can cause injuries sufficient to confer standing on plaintiffs—and a rare example of the U.S. Supreme Court’s latest ruling on standing aiding plaintiffs—a West Virginia federal court ruled June 30 that computer-dialed telemarketing calls caused concrete, particularized privacy invasions such that plaintiff’s Telephone Consumer Protection Act (“TCPA”) putative class action claim could move forward.

The ruling in Mey v. Got Warranty, Inc., et al., No. 5:15-cv-00101 (N.D. W.Va. June 30, 2016) provides a contrast to the growing number of dismissals issued by courts across the country finding that, after the U.S. Supreme Court’s opinion in Spokeo v. Robins, 136 S. Ct. 1540 (2016), plaintiffs in various cases failed to allege concrete, particularized injuries sufficient for Article III standing.1   Because of this, it may provide guidance for plaintiffs—particularly in the area of technology-related statutes and data breaches, where standing is often an issue—on how to avoid summary dismissal of their claims.  Given the court’s detailed opinion, the import of the holding may extend well beyond the context of the case, in which plaintiff alleged she received numerous robocalls in violation of TCPA provisions barring autodialed, prerecorded messages and calls to those on the National Do Not Call Registry.Continue Reading Federal Court Finds Intangible Harm Caused by Robocalls Sufficient for Post-Spokeo Standing in TCPA Claim Alleging Privacy Invasion

In a sign of the continuing significance of the U.S. Supreme Court’s recent ruling in Spokeo v. Robins, 136 S. Ct. 1540 (May 24, 2016), another federal court has cited that ruling in dismissing claims for lack of Article III standing. In Gubula v. Time Warner Cable, Inc., No. 15-cv-1078 (E.D. Wis. June

Just days after the Supreme Court’s ruling in Spokeo v. Robins, the highly anticipated decision is already impacting data breach class actions across the country. The defendant in the Spokeo case contended that the plaintiff had suffered no concrete injury, and that a mere statutory violation is not enough of an injury to

The federal judiciary derives its power from Article III of the United States Constitution. That power is limited to deciding “Cases” and “Controversies,” Art. III, section 2. In the case of Spokeo v. Robins, the United States Supreme Court considered whether a plaintiff presents such a “case” or “controversy” where he only alleged a violation of a consumer protection statute, but did not allege any additional harm. The statute in question was the Fair Credit Reporting Act (“FCRA”). The Court found that plaintiff “cannot satisfy the demands of Article III by alleging a bare procedural violation. A violation of one of the FCRA’s procedural requirements may result in no harm.” Slip op. at 10. Even though Congress enacted the FCRA to avoid dissemination of inaccurate information, for example, “It is difficult to imagine how the dissemination of an incorrect zip code, without more, could work any concrete harm.” Id. at 11. The Supreme Court remanded this case for the Ninth Circuit Court of Appeals to further consider whether this plaintiff presented a “concrete injury” justifying the assertion of Article III jurisdiction.
Continue Reading In Spokeo v. Robins, The United States Supreme Court Articulates a Need for ‘Concrete’ Injury To Sue in Federal Court

A recent argument and non-decision at the Supreme Court could have significant effects on plaintiffs’ lawsuits under consumer data protection and privacy laws. Last week, the Court heard arguments on the standard of harm for establishing standing under the Fair Credit Reporting Act, and declined to review a Driver’s Privacy Protection Act case in which the harm to the potential class was uncertain.

The cases, Spokeo Inc. v. Robins, et al. and Senne v. Palatine, Illinois, interpret actual or potential harm as a requirement for standing in actions brought under laws that protect consumers’ personal information. While the justices appeared divided on whether Spokeo’s publication of false consumer information online constituted injury sufficient to allow a plaintiff to sue under FCRA, the Court’s denial of the plaintiff’s appeal in Palatine let stand the Seventh Circuit’s decision that the benefits of including personal information on parking tickets should be balanced against the “negligible harm” of disclosing the information. The law that results in Spokeo and the new Seventh Circuit interpretation of the DPPA have the potential to make it more difficult for plaintiffs to get their privacy law cases into court.
Continue Reading Spokeo, Palatine Cases Discuss Negligible Harm from Privacy Breaches, Could Put Damper on Suits

On February 4, the Ninth Circuit ruled that a plaintiff need not show actual harm to have standing to sue under the Fair Credit Reporting Act (FCRA); a violation of the statutory right is a sufficient injury in fact to confer standing. The case, Robins v. Spokeo, Inc., may open the door for plaintiffs to

In the wake of the U.S. Supreme Court’s decision in Spokeo v. Robins, 136 S. Ct. 1540 (2016), there has been a plethora of litigation in privacy class actions over whether federal courts can exercise subject-matter jurisdiction over the asserted statutory or common law claims. However, in addition to considering whether a court has subject-matter jurisdiction, entities hit with a putative privacy class action should also consider whether the court can exercise personal jurisdiction over the parties and claims.

There are two types of personal jurisdiction: general and specific. Over the course of the last decade, the U.S. Supreme Court has limited the forums in which a court can exercise general – or all purpose – jurisdiction over a defendant. In most cases, those forums will be only an entity’s state of incorporation and principal place of business. The result has been an increased focus on whether courts have specific – or case-linked – jurisdiction. Now, entities – even those that conduct business in all 50 states – may be able to successfully bring a motion to dismiss for lack of personal jurisdiction where the entity’s contacts with the forum did not give rise to the claims against it.

In addition, the Supreme Court’s decision in Bristol-Myers Squibb Co. v. Superior Court of California, San Francisco Cty., 137 S. Ct. 1773 (2017) (Bristol-Myers) opened the door to an additional use of the lack of personal jurisdiction defense in nationwide privacy class actions. Relying on Bristol-Myers, several district courts have permitted entities hit with nationwide class actions to limit the putative class where the absent class members’ claims did not arise from the entity’s contacts with the forum state.Continue Reading Asserting the defense of lack of personal jurisdiction in privacy class actions