The Supreme Court’s decision in Spokeo, Inc. v. Robins continues to have an impact on class actions involving data privacy statutes. Most recently, a federal district court dismissed yet another class action involving claims under the Fair and Accurate Credit Transactions Act (FACTA) in Kirchein v. Pet Supermarket, Inc. for lack of subject matter jurisdiction under Spokeo, on the grounds that Kirchein did not establish the injury-in-fact necessary to maintain the case in federal court.

In January 2016, Kirchein filed a putative class action in the U.S. District Court for the Southern District of Florida, alleging violations of FACTA, which prohibits printing more than the last five digits of the credit card number or expiration date on the receipt provided to the customer. FACTA provides a private right of action with statutory damages up to $1,000 for any violation. In August 2016, the court preliminarily approved a $580,000 class action settlement. In October 2017, however, the defendant moved to vacate the preliminary approval order and settlement and reopen the class on the grounds that the class was much larger than the parties anticipated. The Court denied the motion on those grounds, but gave the parties an opportunity to brief the issue of subject matter jurisdiction under Spokeo.

After considering the parties’ briefing, the Court dismissed the case on February 8, 2018 for lack of subject matter jurisdiction, finding that the mere “disclosure of the first six digits of a credit card account number” did not result in an imminent, real risk of harm under Spokeo. In doing so, the Court relied heavily on its own September 2017 decision in a case alleging similar violations of FACTA. In that case, the Court held that merely printing the digits of the credit card on a receipt was insufficient to establish standing when the plaintiff did not allege that any disclosure of his private information actually occurred. Similarly here, Kirchein failed to allege that anyone besides Kirchein himself actually saw the receipt. To the extent that Kirchein relied on store employees seeing the receipt, the Court was unconvinced, finding that to be the same type of disclosure that happens any time a consumer uses a credit card to pay for a transaction.

The Court also rejected Kirchein’s argument that the settlement was still enforceable, despite any lack of standing resulting from Spokeo. The Court noted that Spokeo was not a change in the law, but merely clarified well-established principles of standing, and emphasized that it must have subject matter jurisdiction at all stages of a case, including to approve a class action settlement agreement under Rule 23.

The decision joins those of the Seventh and Second Circuits, as well as several other district courts, which have dismissed FACTA claims for lack of standing under Spokeo. These cases continue to suggest that purely technical violations of data privacy statutes will not satisfy the injury-in-fact requirement under Article III’s standing analysis after Spokeo. Instead, plaintiffs will need to show that a violation of the statute caused harm, likely through the actual disclosure to a third party.

Earlier this year, the Northern District of Illinois declined to certify a Telephone Consumer Protection Act (TCPA) class action even though the key issue in the case – whether class members had provided prior express written consent to receive prerecorded telemarketing calls – appeared to be a common question. In Legg v. PTZ Insurance Agency, Ltd., it seemed apparent “that none of the proposed class members” provided prior express written consent in the form required by the TCPA and its accompanying regulations. Nevertheless, the Court held that Article III standing concerns rendered class members’ consent an individualized issue that predominated over any common class questions.

The defendants in Legg were pet adoption and pet insurance companies that provided pet adopters with a 30-day free gift of pet health insurance. During the adoption process, shelters gathered information from pet adopters for the purpose of providing this free gift. To receive the free gift, adopters had to opt in to email communications from the defendants. Adopters also provided their telephone numbers. Thereafter, the defendants made prerecorded calls to pet adopters to remind them of their free gift.

The plaintiffs sought to certify a class of individuals who received such calls without providing signed “prior express written consent,” which must be obtained prior to making prerecorded calls with a telemarketing or advertising purpose.  The plaintiffs argued that determining whether class members had provided prior express written consent was a common question that could be answered on a class-wide basis.

Although the court seemed to agree, its analysis did not end there. Instead, the court reasoned that if class members had verbally agreed to receive calls from the defendants, they could not have suffered a concrete injury under Spokeo, Inc. v. Robins when they ultimately received such calls – even if the defendants failed to obtain such consent in the written, signed form required by the TCPA. Indeed, the defendants supplied affidavits from pet adopters declaring that they agreed and expected to receive calls from the defendants regarding pet insurance. Reasoning that the Congressional purpose of the TCPA was to prevent unsolicited calls, the court rejected the idea that a mere failure to abide by the TCPA’s procedural requirements gave rise to an Article III injury. Instead, it found that insofar as “the class members agreed to receive the calls, they lack[ed] a ‘genuine controversy’” and denied class certification because determining whether each individual class member consented – and hence whether they were injured – would involve “hundreds, if not thousands, of mini-trials on the issue of consent alone.” Last month, the Seventh Circuit denied the plaintiffs’ petition to appeal this ruling.

In TCPA cases, the ability to certify a class frequently depends upon whether the issue of consent is a common question or whether it is individualized. Legg demonstrates that even where consent appears at first blush to be a common question, defendants in TCPA actions may be able to defeat class certification by relying upon Spokeo to establish that the question of consent is individualized.

Earlier this year, the Supreme Court, in Spokeo, Inc. v. Robins, held that a bare procedural violation of a statutory requirement, divorced from any concrete harm, does not establish the injury-in-fact necessary to maintain a lawsuit in federal court. As the year comes to an end, it is clear that Spokeo has undoubtedly had an impact on class actions involving data privacy.

Procedural Violations of Data Privacy Statutes Do Not Satisfy Article III Following Spokeo

Given that many data privacy statutes provide for statutory damages and attorneys’ fees, they have become prime targets for class action attorneys. The class action claims, however, typically stem from technical or procedural violations of these statutes without any actual harm suffered by the plaintiffs, subjecting these lawsuits to fresh attacks following Spokeo. The various Courts of Appeals that have faced such challenges in data privacy actions in the wake of Spokeo have consistently found standing lacking under Article III.

Most recently, on December 13, 2016, the Seventh Circuit examined Spokeo in the context of the Fair and Accurate Credit Transactions Act (FACTA) in Meyers v. Nicolet Restaurant of de Pere, LLC.  FACTA prohibits businesses from printing more than the last five digits of a customer’s credit card number or the expiration date on a receipt, providing a private right of action with statutory damages up to $1,000 for any violation. In Meyers, the plaintiff alleged that a restaurant violated FACTA by printing the expiration date of his credit card on his sales receipt. In analyzing whether the plaintiff suffered a concrete harm in accordance with Spokeo, the Court noted that the plaintiff discovered the violation immediately, nobody else saw the non-compliant receipt, and thus it was “hard to imagine” how the expiration date could have increased the risk that the plaintiff’s identity would be compromised. Accordingly, the Court held that the plaintiff failed to establish any concrete harm, nor any appreciable risk of harm, to satisfy the injury-in-fact requirement for Article III standing under Spokeo.
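The FACTA truncation rule that both the Kirchein and Meyers discussions turn on (no more than the last five digits of the card number, and no expiration date, on a printed receipt) is straightforward to check mechanically. The Python below is an added example, not code from this blog or from any court record: it masks a card number for printing and audits receipt text for the two kinds of disclosure the posts describe, including the first-six-digits pattern at issue in Kirchein. The function names, the heuristic regular expressions, and the sample receipts are constructed for illustration and are not drawn from the statute or the cases.

```python
import re
from dataclasses import dataclass
from typing import List

# FACTA truncation rule as the posts state it: a printed receipt may show at most
# the last five digits of the card number and may not show the expiration date.
MAX_VISIBLE_DIGITS = 5

# A card-number field on a receipt: 12-19 positions made of digits or mask
# characters (*, X, #), optionally separated by spaces or hyphens.
# Heuristic regex constructed for this example, not taken from any standard.
CARD_FIELD = re.compile(r"(?<![\dA-Za-z*#])(?:[\d*Xx#][ -]?){12,19}(?![\dA-Za-z*#])")

# An expiration date printed next to an "Exp"/"Valid thru" label, e.g. "Exp: 03/19".
EXP_DATE = re.compile(r"\b(?:exp(?:ires|iry|\.)?|valid\s+thru)\s*:?\s*\d{1,2}/\d{2,4}", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: an all-digit token is only treated as a card number when
    it checks out, so order or invoice numbers are usually left alone."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a card number for printing so only the last five digits remain visible."""
    digits = re.sub(r"\D", "", pan)
    if not 12 <= len(digits) <= 19:
        raise ValueError("not a plausible card number length")
    return "*" * (len(digits) - MAX_VISIBLE_DIGITS) + digits[-MAX_VISIBLE_DIGITS:]


@dataclass
class Finding:
    line_no: int
    reason: str
    text: str


def audit_receipt(receipt: str) -> List[Finding]:
    """Flag every line of receipt text that would violate the truncation rule."""
    findings = []
    for line_no, line in enumerate(receipt.splitlines(), 1):
        for m in CARD_FIELD.finditer(line):
            token = m.group().strip(" -")
            digits = re.sub(r"\D", "", token)
            masked = any(c in "*Xx#" for c in token)
            # An unmasked run of digits is only a card number if Luhn agrees.
            if not masked and not luhn_ok(digits):
                continue
            if len(digits) > MAX_VISIBLE_DIGITS:
                findings.append(Finding(
                    line_no,
                    f"card number shows {len(digits)} visible digits (limit {MAX_VISIBLE_DIGITS})",
                    token))
        if EXP_DATE.search(line):
            findings.append(Finding(line_no, "expiration date printed", line.strip()))
    return findings


# Constructed sample receipts for illustration (not from any court record).
# The first exposes the first six and last four digits plus the expiration date.
NONCOMPLIANT_RECEIPT = """EXAMPLE STORE #0001
1 x DOG FOOD        24.99
VISA 411111******1234
Exp: 03/19
THANK YOU"""

# The second shows only the last five digits and a masked expiration date.
COMPLIANT_RECEIPT = """EXAMPLE STORE #0001
1 x DOG FOOD        24.99
VISA ***********11234
Exp: **/**
THANK YOU"""


if __name__ == "__main__":
    print("masked:", mask_pan("4111 1111 1111 1234"))
    for f in audit_receipt(NONCOMPLIANT_RECEIPT):
        print(f"line {f.line_no}: {f.reason}: {f.text}")
    print("compliant receipt findings:", len(audit_receipt(COMPLIANT_RECEIPT)))
```

The audit is intentionally conservative: a masked field is flagged on visible-digit count alone, while an unmasked run of digits must also pass the Luhn check before it is treated as a card number, which keeps order and invoice numbers from producing noise. The same check, run against receipt templates before they reach a printer, is the kind of control that would have prevented the disclosures these cases describe.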

The D.C. Circuit similarly held that a data privacy class action could not even “get out of the starting gate” with respect to standing following Spokeo. The plaintiffs in Hancock v. Urban Outfitters, Inc. alleged violations of D.C.’s Use of Consumer Identification Information Act, which prohibits retailers from asking for a customer’s address in connection with a credit card transaction. The Court held that the plaintiffs failed to allege that they suffered any cognizable injury as a result of defendants requesting their zip codes, noting that the plaintiffs did not allege any invasion of privacy, increased risk of fraud or identity theft, or pecuniary or emotional injury.  Instead, the claim rested upon a bare violation of the statute—the very theory of standing that the Supreme Court rejected in Spokeo.

These cases suggest that purely technical violations of data privacy statutes will not satisfy the injury-in-fact requirement under Article III’s standing analysis after Spokeo.  Instead, plaintiffs will need to show that a violation caused harm, likely through the actual disclosure to a third party or some evidence of emotional injury.

Data Breaches Likely Satisfy Article III Standing

Spokeo, however, has had less of an impact on standing in data breach class actions. This is because, as the Supreme Court in Spokeo acknowledged, an alleged violation of a procedural statutory right can establish the requisite concrete injury if the violation creates “a risk of real harm.”

The Sixth Circuit recently held that a data breach creates a sufficient “risk of real harm” to satisfy Article III. In Galaria v. Nationwide Mutual Insurance Company, hackers allegedly broke into an insurance company’s computer network and stole personal identifying information of the customers. The plaintiffs brought a class action alleging violations of the Fair Credit Reporting Act for the company’s alleged failure to adopt procedures to protect against the wrongful dissemination of its customers’ data.  In evaluating standing, the Court found that where a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims’ data for fraudulent purposes—creating a “risk of real harm” to support standing. The plaintiffs also alleged that they had to expend time and money to monitor their credit, check their bank statements, and modify their financial accounts because of the data breach. Thus, in addition to the substantial risk of harm, the plaintiffs had reasonably incurred mitigation costs sufficient to establish standing under Article III.

Looking Ahead to Future Standing Challenges

Cases involving data privacy claims arguably have seen the greatest impact from the Supreme Court’s ruling in Spokeo.  Although the line drawn between standing and the absence of standing seems clear at the moment, plaintiffs’ attorneys are sure to create new theories of harm to attempt to satisfy Article III’s standing requirement.

Welcome back to our three-part series providing an overview of CIPA, recent CIPA class actions, and class action defenses. In Part I we provided an overview of CIPA and its recent resurgence in the age of smart speakers.  In Part II we highlighted recent class actions alleging CIPA violations involving the use of smart speakers. Here, we address potential defenses in response to a motion to certify a CIPA class.

Defenses to a CIPA Class Action

These recent lawsuits are good reminders of the real privacy concerns with new developing technologies.  Below is an overview of practice pointers and lessons learned from CIPA lawsuits if you are named in CIPA litigation.

On January 25, 2019, the Illinois Supreme Court issued a highly anticipated ruling in the Rosenbach v. Six Flags case regarding enforcement of the Illinois Biometric Information Privacy Act, 740 ILCS 14/1, et seq. (BIPA or the Act).  In its unanimous ruling, the Court held that a procedural violation of the Act, even absent a showing of actual injury, is sufficient to confer standing to sue for a BIPA violation.

This means that an employer who, for example, uses employee fingerprint data for timekeeping purposes could be on the hook for a BIPA violation for failure to follow the comprehensive notice-and-consent rules set forth in the Act.

Whether the Rosenbach ruling will trigger a spike in biometric privacy litigation against private employers remains to be seen.  For now, understanding BIPA and key compliance principles can help employers mitigate against some of the risks inherent in collecting employee biometric data.

Consistent with a growing trend among courts nationwide, the D.C. Circuit Court unanimously held that a group of plaintiffs had cleared a “low bar” to establish constitutional standing for their claims in a data breach case against health insurer CareFirst by alleging potential future harm as a result of the breach. The plaintiffs alleged that there was a substantial risk that their personal information could be used for medical identity theft after a breach of CareFirst’s systems. Despite the fact that (i) no actual misuse of the information had yet occurred and (ii) the breach involved medical information, rather than financial or other sensitive information typically involved in successful data breach claims, the D.C. Circuit Court held that the plaintiffs had established standing and their claims could move forward.

In 2016, the U.S. Supreme Court held in Spokeo v. Robins that plaintiffs must allege an actual or imminent injury, not hypothetical harm, to establish standing and proceed past the pleadings stage. The Supreme Court found that plaintiffs cannot rely on statutory violations for standing and remanded the case for the lower court to identify a “concrete injury.” Even after the Supreme Court’s decision, appellate courts have split on how to interpret the standard in data breach cases and whether to find standing based on a risk of harm, and courts are increasingly sympathetic to data breach claims.

The D.C. Circuit Court joins several other circuit courts that have interpreted the pleading standard liberally and in favor of data breach victims. As a result, more claims in these jurisdictions will survive past the pleading stage based on a risk of injury to the individuals affected by a breach. These rulings are largely based on an assumption that the perpetrators of information theft intend to misuse the information, indicating that barring such claims at the pleading stage would require proof that the breached information could not or would not be used for fraud or identity theft.

Significantly, the D.C. Circuit’s ruling focused on the risk of harm from breaches of information other than financial information and social security numbers, which typically form the basis for data breach claims. The D.C. Circuit noted that there was a substantial risk to the plaintiffs of medical identity theft based on a breach of information such as names, birthdates, email addresses, and health insurance policy numbers. In addition to an overall increase in data breach claims based on potential harm, this type of ruling could expand the success of claims based in negligence or other state law doctrines arising out of breaches of health information.

It is likely that the Supreme Court will eventually weigh in on whether plaintiffs have standing in claims arising out of data breaches based on the potential for harm. In the meantime, individuals and entities who maintain personal information, whether financial or medical, should be aware that individuals affected by data breaches are increasingly likely to get their day in court.

The $10 million settlement class in the Target data breach case was unraveled by the Eighth Circuit Court of Appeals in a recent decision that will force the district court to address the impact of the Supreme Court’s decision in Spokeo v. Robins. The Eighth Circuit remanded the case to the district court, finding that the lower court did not conduct a rigorous analysis of the record under Rule 23 prior to certifying the settlement class.

The case stems from the 2013 data breach of consumers’ credit and debit card information, which affected approximately 110 million Target customers. Following the consolidation of the hundreds of consumer class action lawsuits that followed, the U.S. District Court for the District of Minnesota preliminarily certified a settlement class defined as “[a]ll persons in the United States whose credit or debit card information and/or whose personal information was compromised as a result of the [Target] data breach.”  Under the terms of the settlement, Target was to create a $10 million settlement fund, which would pay class members with documented losses first with the remaining balance distributed to members with undocumented losses.  Class members who suffered no loss from the data breach would not receive any monetary compensation.  Target also agreed to permit an attorney fee award of up to $6.75 million in addition to the $10 million class fund and take on certain improvements in its data security practices.

Prior to final approval, two class members, Leif Olson and Jim Sciaroni, objected to the settlement. Olson alleged that certification of the class was improper due to the intraclass conflict between the named representatives and class members who, like Olson, had not suffered any loss and therefore would not receive any compensation, but would release Target from any claims should the breach someday injure them in the future.  Olson contended that this “zero-recovery subclass” should be certified as a separate subclass with independent representation.

At the final approval stage, the district court did not analyze Olson’s objection. Indeed, the district court refused to reconsider whether certification was proper solely because it had already preliminarily certified the class, stating “[b]ut the Court certified a settlement class in the preliminary approval order, and will not revisit that determination here.”  This outright refusal to consider the propriety of class certification at the final approval stage was the death knell for the case before the Eighth Circuit.

The Eighth Circuit explained that not only do courts have the duty to conduct a rigorous analysis to ensure that Rule 23’s prerequisites are met, but this duty continues throughout the litigation.  In reviewing the district court’s preliminary order, the Eighth Circuit found that it was lacking in legal analysis, concluding that the court’s remarks were “the product of summary conclusion rather than rigor.”  This lack of legal analysis constituted an abuse of discretion and prevented the appellate court from conducting a meaningful review.

The Eighth Circuit highlighted three issues for the district court to consider on remand. First, whether an intraclass conflict exists when class members who cannot claim money from a settlement fund are represented by class members who can. Second, if there is a conflict, whether it prevents the class representatives from fairly and adequately protecting the interests of all of the class members.  Third, if the class is conflicted, whether the conflict is fundamental and requires certification of one or more subclasses with independent representation.

Although these questions are important in any case involving intraclass conflicts, they underscore a problem arising frequently in data breach actions—how should the law treat the compromise of data without any evidence of misuse.  This issue is particularly at the forefront following the Supreme Court’s decision in Spokeo v. Robins. If class members that suffered no loss from the data breach lack standing under Spokeo, it is unclear whether such a subclass could exist since neither the representative nor its members suffered a concrete injury.  It also poses the question as to whether those members should be included in the class at all.  How the district court analyzes these issues on remand may set the stage for future data breach class actions.

Throughout the past several years, data privacy and security practices have evolved into more than just defending against identity theft and protecting sensitive data. In fact, since 2014, to help raise awareness for data protection issues, the United States designated January 28th as Data Privacy Day.  In recognition of this internationally observed day, over the next eight weeks, our Data Privacy and Security team will examine eight of the most significant data privacy and security trends and how they may impact your company.

Week 1: The Relentless Progression of Malware

The internet has been plagued by malware since its inception. But in 2016 several new forms of malware emerged.  Spear phishing is one common form that involves targeting a specific victim. Another is angler phishing, which involves a fake customer-support account that purports to “help” customers, but actually steals their information.  Perhaps the most malicious technique, certainly the fastest growing, is ransomware. Ransomware holds victims’ data hostage until the hacker is paid money.  Despite the growing awareness of ransomware, it remains a highly effective revenue-generating tool for hackers. In fact, it is evolving into new strains, including a form in which the victims are offered the decryption key in exchange for forwarding the virus to new potential victims.  “To pay or not to pay” is indeed the question, and the answer often raises as many concerns as it does solutions.

Week 2: Data Privacy Litigation: Changes in the Liability Standard

There were several significant developments in data litigation in 2016.  Chief among them was the U.S. Supreme Court ruling in Spokeo, Inc. v. Robins.  Spokeo held that a procedural violation of a statutory requirement, absent concrete harm, does not establish injury-in-fact.  Since then, courts have struggled to consistently interpret and apply this standard in class action data privacy cases.  In 2017, we expect courts around the country will continue to grapple with this standard, particularly as theories of harm continue to evolve. In addition, changes at the Supreme Court and new input into plaintiffs’ attempts at “no-injury” classes could further impact the landscape of data privacy class action litigation.

Week 3: Financial Services Sector

Beginning in January 2016, the Securities and Exchange Commission announced that the Office of Compliance Inspections and Examinations (OCIE) would focus on security protocols implemented by financial firms to protect against cyberattack. That began a long year of financial industry focus on data privacy and security issues.  More recently the New York Department of Financial Services (DFS) proposed the first cybersecurity regulations that would require financial institutions to adopt minimum cybersecurity standards. Shortly thereafter G-7 financial leaders agreed to a set of best practices in the financial industry. Other developments in the industry include:

And all of this is in addition to existing standards and laws, such as the Gramm-Leach-Bliley Act. As the financial industry navigates through these various guidelines and requirements in 2017, it will be interesting to see how these standards will be interpreted, whether a uniform standard evolves, and what impact these standards may have on data protection efforts in other industries.

Week 4: Big Data

The amount of consumer data that is being collected and used is greater than ever. As companies adjust privacy policies and respond to increased consumer and regulatory scrutiny, they are constantly working to protect information and respect consumer choices while still monetizing consumer data. Information governance has quickly become the best way for a business to safeguard data and limit liability. With the development of new mobile applications, artificial intelligence platforms, and cloud data processing systems, Big Data analytics will continue to provide valuable information that must be appropriately harnessed and protected.

Week 5: Mergers and Acquisitions

By the end of 2016, the seemingly endless stream of data breaches made security incidents appear normal, almost predictable. But when Yahoo released statements concerning two separate data breach incidents, affecting more than one billion users, the potential consequences for the company extended far past the norm. Yahoo’s announcement came in the midst of negotiations of a multi-billion dollar sale.  In light of Yahoo’s previously unknown data privacy and security issues, the transacting parties must now determine the impact these incidents will have on the deal.  The lesson here is this: before any terms are finalized, both seller and buyer should engage in thorough data privacy due diligence in order to fully understand the target’s privacy and security risk profile.  This includes an analysis of the target’s information security and governance programs, as well as information relating to known security incidents and vulnerabilities, disputes and enforcement actions.  Engaging in appropriate due diligence from the outset could dramatically change the structure of the deal, as well as the value of the transaction.  Security and privacy issues must also be considered during the negotiation of the transaction documents themselves, particularly with respect to representations and warranties, limitations of liability, indemnification obligations and closing conditions.

Week 6: Critical Infrastructure

The systems that support telecommunications, transportation, water, electricity and other critical networks are at substantial risk of being compromised by a far-reaching cyberattack. For example, since 2015, Ukraine’s power grid has been shut down twice by hackers, leaving thousands without heat during the snowy winter.  Cognizant of this impending threat, both President Obama and President Trump have examined national cybersecurity and how it impacts critical infrastructure. Likewise, roughly one week into the new year, the National Institute of Standards and Technology (NIST) released draft revisions to the “Framework for Improving Critical Infrastructure Cybersecurity” to help clarify and enhance the 2014 version. Going forward, securing critical infrastructure will depend largely on safeguarding the devices that manage those systems.  These devices and the interconnected manner by which they utilize and drive digital communication are known as the internet of things (IoT).  Attacks on the IoT, including medical devices, the healthcare industry, and the internet itself were front and center in 2016. The government and private sector alike must come together in 2017 to combat these imminent and pervasive threats.  For example, to help incentivize companies to secure devices and avoid attacks, the Federal Trade Commission recently announced a competition to award up to $25,000 to anyone who creates a solution for securing outdated IoT devices.

Week 7: Safe Harbor Out, Privacy Shield In

In the midst of the summer heat, the European Commission officially adopted the U.S. Privacy Shield as an adequate framework for data transfers between the EU and those U.S. companies who self-certify their compliance with the Privacy Shield. The Privacy Shield replaces and updates the previous Safe Harbor framework which was invalidated by the European Court in 2016. While President Trump’s recent Executive Order, Enhancing Public Safety in the Interior of the United States, may call into question the effectiveness of the Privacy Shield, the US and the EU must continue to collaborate in order to determine the best way to permit and facilitate data transfers. There are also outstanding data implications resulting from BREXIT that will likely affect the UK-EU-US data privacy relationship. While we do not yet know what the post-BREXIT UK-EU relationship will resemble, if the UK also decides to leave the European Economic Area it would no longer be an automatically “safe” destination for EU personal data and so may need to adopt its own UK Privacy Shield in order to receive personal data from the EU. Additionally, the EU’s General Data Protection Regulation (GDPR) will continue to impact business decisions in 2017.  In fact, one study found that 28,000 data protection officers will be needed in order to comply with GDPR. The GDPR will not only impact EU companies, but any non-EU company processing the personal data of individuals in the EU to offer goods or services, or to monitor their behavior. In light of the significant new fines imposed on organizations who breach the GDPR, businesses are well advised to be undertaking their compliance efforts now to be ready for the May 2018 deadline.

Week 8: National Cybersecurity Concerns

This list would not be complete without a mention of the cybersecurity challenges President Trump will face during his administration. Recently, Trump announced that Rudy Giuliani will serve as a cybersecurity advisor helping to bridge the gap between the government and private sector. Tom Bossert will also serve as an adviser on national security, terrorism and cybersecurity and will be equal in status to incoming national security adviser and former Army Lt. Gen. Michael Flynn. Bossert currently works as a private consultant on homeland security matters and formerly worked in the Bush administration as a deputy homeland security adviser.  Bossert, who previously held a position with the Small Business Administration, said this about his new position:

We must work toward cyber doctrine that reflects the wisdom of free markets, private competition and the important but limited role of government in establishing and enforcing the rule of law, honoring the rights of personal property, the benefits of free and fair trade, and the fundamental principles of liberty.

Bossert’s mention of the private sector comes as no surprise. The Trump administration will likely seek to ensure that any protection the government offers citizens in the form of new regulations will be balanced by strong support of technological innovation, free market enterprise and national security.

On May 16, 2016, the U.S. Supreme Court held in Spokeo, Inc. v. Robins that a bare procedural violation of a statutory requirement, divorced from any concrete harm, does not establish the injury-in-fact necessary to maintain a lawsuit in federal court.  The Court acknowledged, however, that an alleged violation of a procedural statutory right could establish the requisite concrete injury if the violation creates “a risk of real harm.”

The Supreme Court’s ruling has been much anticipated by both sides of the class-action bar. All interested parties must continue to watch and wait, it appears, as the Ninth Circuit will now consider on remand whether the risks created by the alleged violations in this case are sufficient to make the harm to the plaintiff “concrete.”

Plaintiff Thomas Robins alleged that defendant Spokeo, Inc. compiled a personal information report on him that contained inaccurate information—wrongly listing him as married, affluent and holding a graduate degree. According to the plaintiff, that misinformation violated several provisions of the Fair Credit Reporting Act (FCRA), including a requirement to follow reasonable procedures to assure maximum possible accuracy of consumer reports.

The Supreme Court vacated the Ninth Circuit’s prior ruling that the plaintiff had established standing simply by alleging the defendant violated his individualized statutory rights under the FCRA. The law requires that an injury-in-fact be both concrete and particularized to support Article III standing, and the six-Justice majority of the Supreme Court held that the Ninth Circuit’s analysis focused solely on the “particularized” component, thus failing to determine whether the harm was “concrete.”

So what harms are “concrete”? The Supreme Court’s ruling does not preclude the possibility that the violation of a statutory procedural right could constitute an injury-in-fact—provided that it leads to concrete harm.  The Court emphasized that harm need not be “tangible” in order to be concrete, and that the risk of real harm may be sufficient to establish concreteness.

But what does “concrete” mean in this context? The Supreme Court left this issue to the Ninth Circuit to resolve, directing it to consider on remand “whether the particular procedural violations alleged in this case entail a degree of risk sufficient to meet the concreteness requirement.”  The Supreme Court provided further guidance by noting that a report containing an incorrect zip code, while undoubtedly inaccurate, may not create the risk of any real harm.

Under the facts alleged and the statute at issue, the steps of the Ninth Circuit’s analysis on remand seem fairly predictable. (Indeed, Justice Ginsburg’s dissent, joined by Justice Sotomayor, considered the analysis to be so straightforward that it did not require remand.)  The Ninth Circuit will likely examine the type of allegedly inaccurate information in the plaintiff’s personal report, and then determine whether it could create a risk of harm to the plaintiff.

The effect of this decision on class-action standing jurisprudence going forward is more difficult to ascertain, and will almost certainly be context-dependent. Some statutory procedural violations may readily suggest an ensuing risk of harm to the plaintiff.  On the other hand, plaintiffs bringing putative class actions arising from technical violations of a statute (e.g., noncompliance with the font-size requirements of the FCRA, or the inclusion of a reference number on the outside envelope of a debt collection letter under the Fair Debt Collection Practices Act) may have a bit more work to do in their pleadings to try to show a concrete harm.