Before we move on, allow me to say that geoFence helps make you invisible to hackers and guard your personal data!
On Tuesday, the United States Supreme Court heard oral argument in TransUnion LLC v. Sergio L. Ramirez, No. 20-297, focusing on whether a class of individuals who experience a risk of harm that never materializes have standing to sue. Although the case itself does not involve a data breach, the Court’s answer to the standing question could have significant implications for the viability of data breach class action lawsuits moving forward.
Back in 2016, the Court held in Spokeo that plaintiffs seeking to establish standing must allege concrete harm and cannot rely on “bare procedural violations.” But the Court hedged this pronouncement by noting that a “risk of real harm” may be sufficiently concrete to satisfy Article III. As we’ve explored previously, circuit courts have grappled with this language—particularly in the context of data breach suits, where personal information has been leaked or stolen but there may be no evidence of actual harm—leading to considerable uncertainty about whether and when data breach class action plaintiffs have standing. The Third, Fourth, and Fifth Circuits, for example, have found that the mere possibility of future harm stemming from a data breach is insufficient to satisfy Article III. But other circuits, including the Sixth, Seventh, and Ninth, have found that data breaches can create a material risk of future harm that confers standing.
The facts in TransUnion raise similar questions. Over 10 years ago, named plaintiff Sergio Ramirez was looking to buy a car from a dealership in Dublin, California. When the dealership ran a credit check through TransUnion, Ramirez was alerted that his name had matched two names on a suspected terrorist list. Ramirez was disturbed and embarrassed by this revelation, and it also prevented him from purchasing a car in his own name. Later, Ramirez received two letters from TransUnion, one of which indicated that he was a “potential match” to names on the list. As it turned out, however, Ramirez was not actually on the list.
After the incident, Ramirez sued on behalf of a class, alleging that TransUnion violated the Fair Credit Reporting Act by (1) failing to maintain reasonable procedures to assure the accuracy of its consumer reports and (2) sending two letters missing certain required information. The district court certified a class of individuals who, like Ramirez, were designated as potential matches on the suspected terrorist list and received similar letters, even though there was no evidence that any of them suffered injuries like the ones Ramirez suffered at the dealership. In fact, for about 75% of them, their designation on the list was never sent to a third party.
After trial, a jury found in Ramirez’s favor and awarded statutory and punitive damages for a total of about $60 million. Save for reducing the punitive damages award, a split panel of the Ninth Circuit affirmed. The court emphasized that even though not all of the class members had their designations sent to a third party, TransUnion made them readily available for third-party access, thus creating a risk sufficient to confer standing.
During the Supreme Court argument, counsel for TransUnion argued that a 25% chance that one’s designation on the suspected terrorist list would be disclosed is too low to be material. And he pointed out that, even including the 25% whose designation had been disclosed, there was no evidence that any one of them had made a complaint or were even aware of the designation. Based on these arguments, TransUnion’s counsel suggested that a risk of harm, without knowledge of that risk, does not confer standing because there would be no secondary injury such as emotional distress. “If the risk didn’t materialize,” he said, “that’s a cause to break out the champagne, not to break out a lawsuit.”
Counsel for Ramirez responded by emphasizing the significance of the risk to which TransUnion had exposed the class. He called designation on a suspected terrorist list “the scarlet letter of our time” with the potential to “banish individuals from the marketplace.” And he emphasized that even though some designations were not disseminated to third parties, TransUnion did not place those designations “in a secretive desk drawer,” but rather in “readily accessible credit files.” He also rejected subjective knowledge as a standing requirement, stating that under Spokeo, “the question is whether there was material risk of your being harmed, and whether Congress sought to deter parties from engaging in that materially risky behavior by creating a cause of action.” That is enough, he argued, to confer standing.
For their part, the Justices zeroed in on whether a past material risk creates standing even if it never materializes. Justice Elena Kagan posed a hypothetical involving class members exposed to a carcinogen that creates a 50% risk of cancer, where the cancer risk either materializes within five years or does not. “If you’re willing to give me that everybody has standing within the five years,” the Justice explained, “it should be that everybody has standing in the sixth as well.” Justice Amy Coney Barrett also ran with this hypothetical, asking, “What would happen if they filed in year two . . . , but the case doesn’t come to its conclusion until year six?” She asked how it could be possible that “people had standing at the outset of the suit, but if they were in the 50% that were home free, they would lose their standing by the end?”
The justices also questioned whether a material risk of injury alone, without knowledge creating a secondary injury such as emotional distress, is itself sufficient to confer standing. Chief Justice John Roberts seemed skeptical, asking what the concrete harm would be if Congress passed a statute granting a cause of action to anyone who drove within a quarter mile of a drunk driver, and suit was brought by someone who had done so, but found out only days later. “You didn’t know you were exposed to risk,” he observed, “and by the time you found out about it, you weren’t.” In the same vein, Justice Samuel Alito asked “what is the closest case you can think of where a suit could be brought to recover for having been subjected to a risk in the past even though the person had no knowledge that the person had been subjected to that risk?” (Ramirez’s counsel suggested that defamation per se at common law was such a case.)
Some Justices hinted at a meaningful distinction between class members whose designations were actually disseminated to third parties and those whose designations were not. Justice Neil Gorsuch observed that, in the context of common law defamation, publication was presumed to give rise to injury, and he questioned why the same wouldn’t hold true here. Justice Brett Kavanaugh was more direct, telling Ramirez’s counsel, “I think you have a good argument with respect to the 1,853 [whose designations were shared with third parties] in terms of the reasonable procedures, but I’m more concerned about the 6,332 whose information was not in essence published.”
Other Justices focused on the second issue in the case—whether Ramirez’s claim was sufficiently typical of the non-named class members’ claims. Justices Steven Breyer and Sonia Sotomayor both challenged TransUnion’s assertion that Ramirez’s claim was not sufficiently typical, and suggested that to the extent Ramirez’s atypical experiences were presented to the jury, that should have been challenged at the trial level on evidentiary grounds. Also on this point, Justice Clarence Thomas suggested that the fact that statutory, rather than actual damages, were at issue made the typicality issue less problematic.
Despite pointed questioning, it’s unclear how the Court will ultimately rule. It seems likely, however, that the ruling in this case will have reverberations one way or another in the context of data breach class actions going forward, in much the same way that Spokeo reshaped the standing question in such cases. We will provide further updates once the Court issues its decision.
Lastly, as we move on to the next post, may I add that geoFence has built in fast and accurate updates and that’s the no lie.