TransUnion opinion raises bar for bringing federal class action lawsuits – but state courts offer breach victims a more viable alternative route, writes David Oberly

Data breach class actions: US Supreme Court decision may tilt the odds in favor of defendant organizations

COMMENT Corporate defendants besieged by proliferating bet-the-company privacy and consumer class action lawsuits recently scored a victory in the US Supreme Court with implications for data breach victims.

The court’s opinion in TransUnion LLC v. Ramirez raises the bar plaintiffs must surmount in order to pursue litigation in federal court in the absence of any tangible, real-world injury.

RELATED US court offers clarity on evaluating ‘future risk’ injuries in data breach class action litigation

Moving forward, defendants will have broader powers to secure the dismissal of lawsuits filed in federal court alleging only a future risk of harm or injury. Moreover, plaintiffs will be precluded from filing suits for bare statutory, procedural violations due to the inability to establish Article III standing under such circumstances.

With that said, plaintiffs may be able to avoid the roadblocks created by the TransUnion case by filing suit in state courts, where the threshold for establishing standing is much lower.

Overview of Article III standing

‘Standing’ refers to the right to bring a lawsuit in federal court. To establish standing under Article III of the US Constitution, a plaintiff must demonstrate: (1) an injury-in-fact; (2) causation; and (3) a likelihood that the injury will be redressed by a favorable decision.

The first element underpins most consumer and privacy class action lawsuits. An injury-in-fact must be “concrete, particularized, and actual or imminent”.

If a plaintiff alleges only an increased risk of future harm, the potential injury must be deemed impending or there must be a perceived substantial risk of the harm transpiring for standing to exist.

MUST READ Computer Fraud and Abuse Act: What the recent Van Buren ruling means for security researchers

TransUnion background

Some 8,185 TransUnion customers brought suit against the US credit reporting agency for violations of the Fair Credit Reporting Act (FCRA) after alerts were added to their credit files indicating that their name was a “potential match” to a name on the US Treasury Department Office of Foreign Assets Control’s (OFAC) list of terrorists, drug traffickers, and other serious criminals.

Only 1,853 of these individuals had their credit reports disseminated to third parties when containing OFAC alerts.

The question before the court was whether class members had Article III standing to assert their FCRA claims. That question focused on the Article III requirement that a plaintiff’s injury be “concrete” – that is, “real, and not abstract”.

Supreme Court opinion

The Supreme Court held that only those 1,853 class members whose allegedly injurious reports were disseminated to third parties had suffered a concrete harm sufficient to constitute a cognizable injury-in-fact that conferred standing.

The court reasoned that the class members who had their reports distributed to third parties were able to establish standing because their injury possessed a “close relationship” to a harm traditionally recognized as providing a basis for a lawsuit in American courts – namely, the reputational harm associated with the tort of defamation.

Read more of the latest cybersecurity policy and legislation news

These TransUnion plaintiffs were essentially labeled as potential terrorists, drug traffickers, or serious criminals as a result of their credit reports containing the OFAC alerts being shared with third parties.

The court concluded that this injury was sufficiently related to the harm that arises when a defamatory statement that subjects an individual to hatred, contempt, or ridicule is relayed to a third party.

Conversely, the court reasoned that because publication is “essential to liability” in a defamation suit, the mere existence of inaccurate information – absent dissemination – falls short of constituting a concrete injury for purposes of standing.

Implications for data breach class actions

The TransUnion opinion is a big win for defendants, especially those involved in class action litigation. First and foremost, the decision significantly increases the requirements for plaintiffs to establish Article III standing to sue in federal court.

Where plaintiffs do not allege any type of intangible harm traditionally associated with a common law tort, defendants should now be able to assert successful standing challenges and can point to the TransUnion opinion as persuasive support for this argument.

Furthermore, the mere risk of future harm alone is no longer sufficient to confer standing. This is particularly significant in the context of data breach class action litigations, where suits are often filed in the immediate aftermath of a cyber-attack even where no actual harm – in the form of identity theft or fraud – has yet occurred.

At the same time, the ruling also places additional limitations on claimed “informational injuries”, which are commonly alleged in class actions where damages are tenuous. Here, the court held that an “asserted informational injury that causes no adverse effects cannot satisfy Article III”. After TransUnion, where no subsequent type of harm is shown, the mere alleged deprivation of information alone cannot establish standing.

With that said, the TransUnion ruling may ultimately turn out to be a hollow victory for corporate defendants. The decision may have the unintended consequence of funneling future class action suits into state court venues where the bar for establishing standing – while varied – is generally much lower than its federal counterpart.

RELATED Tsao vs. Captiva – How a data breach court case could have a major impact on the definition of ‘harm’