This post has been cross-posted from Seyfarth’s Consumer Class Defense Blog.

Now more than ever, it is important for organizations to review and update their basic information security protocols (their incident response, business continuity and crisis communications plans), and to ensure they’re keeping apprised of potential and developing security threats that may imperil their organizations (like a catastrophic ransomware attack). Nation state attacks and cyber criminal gangs efforts seem to be aimed daily at US businesses. And the ransomware plague that continues unabated, affects nearly all industry verticals.¹

Unfortunately, sometimes even when threats are known and being addressed, when employees are trained frequently regarding information security, and when the highest security precautions are taken, a threat-actor can quickly capitalize on miniscule vulnerabilities, and an organization is faced with the grueling task of picking up the pieces. This usually includes conducting a forensic investigation, updating written information security protocols, deploying patches and password resets, replacing hardware, conducting additional employee training, as well as analyzing differing state breach legislation and notifying consumers, attorneys general, and credit bureaus in accordance with those laws.

Even after these efforts, an organization is still at risk of privacy class action litigation. This might arise through a state attorney general, federal regulator, or a consumer whose data was wrongly accessed or in fact stolen during the cyber-attack.

But in order for a consumer to sue, the threshold, and hot-button, question is whether the consumer has standing under Article III of the US Constitution. [T]he “irreducible constitutional minimum” of standing consists of three elements. The plaintiff must have (1) suffered an “injury in fact” (2) that is “fairly traceable” to the challenged conduct of the defendant and (3) that is likely to be redressed by a favorable judicial decision.²

This article discusses the first prong of the standing elements: injury in fact. Because it is generally difficult for plaintiffs in these actions to show financial harm, or other actual damages, arguments have been raised by the plaintiffs’ bar that the future risk of harm should suffice to meet the first prong of the standing elements. The Supreme Court stated in Spokeo, Inc. v. Robins that even when a statute has been violated, plaintiffs must show that an “injury-in-fact” has occurred that is both concrete and particularized. While this did provide some additional information, the question of how the future risk of harm fits in was left outstanding. Fortunately, on June 25, 2021 the Supreme Court revisited this issue in TransUnion LLC v. Ramirez, 20-297, 2021 WL 2599472, at *1 (U.S. June 25, 2021), when a credit reporting agency flagged certain consumers as potential matches to names on the United States Treasury Department’s Office of Foreign Assets Control (OFAC) list of terrorists, drug traffickers, or other serious criminals. The Court found that those “flagged” consumers whose information was divulged to third party businesses as being included in this list suffered a concrete injury in fact.. With regards to those consumers who were flagged as potential matches, but the information was never disseminated, the Court was unconvinced that a concrete injury occurred. Id. The Court further examined the risk of future harm for these individuals, but declined to find injury in fact, stating that risk of harm cannot be speculative, it must materialize, or have a sufficient likelihood of materializing. Id. It will be interesting to see how this ruling plays out in the circuits in the context of a data breach. The Court included in its opinion some interesting information regarding certain circumstances that may give rise to a concrete harm. Id. Aside from physical or financial harm, the Court also stated that reputational harm, the disclosure of private information, or intrusion upon seclusion may rise to the level of concrete harm. Id. This then begs the question of whether a risk of harm analysis might be necessary in the context of a breach, where private information is indeed accessed and disclosed (i.e., disseminated) to an unauthorized 3rd party.
Continue Reading First There Was Litigation; And Then There Was Standing