High Court Suit Could Impact Data Breach Damages
Posted May 19, 2015
Supreme Court to Review Spokeo, Inc. v. Thomas Robins for Possible FCRA Violation. Result Could Apply to Data Breaches
If you’re not familiar with it, FCRA stands for the Fair Credit Reporting Act. FCRA regulates the collection, dissemination, and use of consumer information and expressly includes consumer credit information.
In his article on newsbreaks.infotoday.com, George H. Pike discusses the far-reaching implications of a Supreme Court decision on Spokeo, Inc. v. Thomas Robins for consumers suing for damages as the result of data breaches. The following has been excerpted from Pike’s piece and edited to fit our format. You may find the full article by clicking on this link.
The case that the Supreme Court will review is Spokeo, Inc. v. Thomas Robins. Robins complained in a class-action lawsuit that Spokeo, a provider of personal information online, willfully violated the FCRA by posting inaccurate information about him. Also, Spokeo allegedly failed to follow “reasonable procedures” to ensure that its information was accurate, failed to provide proper notices about the use of its information, and failed to post toll-free telephone numbers that sources can use to address inaccurate information. Robins claimed that the inaccurate information impacted his ability to find a job, but in filing his lawsuit as a class-action lawsuit—representing not only himself but all others “similarly situated”—he focused more on the violations of the law rather than the injuries he suffered.
Was Robins damaged by possible misinformation
In the Robins case, the question of standing was based not on Spokeo’s alleged posting of inaccurate information, but on whether Robins had suffered an actual injury-in-fact as a result of the inaccurate information. Robins claimed that the information—which indicated he had greater wealth and a more advanced college degree than he actually had—contributed to his inability to find a job.
[The] FCRA includes a monetary penalty for a violation of at least $100 and as much as $1,000 to be paid to the consumer. The FCRA states, “Any person who willfully fails to comply with any requirement … is liable to that consumer in an amount equal to … damages of not less than $100 and not more than $1,000. …” The appellate court found that the availability of these damages met the injury-in-fact requirement for standing.
Potential law suits against Facebook, Google, Yahoo, eBay et al.
Spokeo’s appeal of this case to the Supreme Court was supported by the U.S. Chamber of Commerce; businesses such as Facebook, Google, Yahoo, and eBay; and the financial industry. Spokeo’s concern was that if a person can file a lawsuit—particularly a class-action lawsuit—by showing only that some legal violation occurred without being required to show that the violation actually caused harm, then businesses could be subject to potentially massive lawsuits for incidents that caused no or little actual harm.
“Supreme” ruling affect on data breaches
A similar outcome could apply to data breaches and other privacy violations. If a data breach takes place, but there is no resulting impact on consumers, those consumers might still have standing to pursue a personal or class-action lawsuit because the breach violated their privacy rights or violated a right created by a state or federal statute.
Under current law, most consumers have limited rights in the case of data breaches—mainly the right to be notified of the breach, to have consumer reporting services notified of the breach, and/or to get compensated for credit protection services.
Only actual victims of identity theft can file a lawsuit (under some but not all circumstances, depending on the specific law covering the breach), and then only to recover the costs associated with the breach.
Consumers’ right to sue
Consumer advocates argue that consumers must have the right to pursue litigation for data breaches or violations of privacy laws—not only to protect their rights, but also so the threat of lawsuits or liability serves as a balance against corporate excess or neglect in managing their data. A more stringent requirement for standing, they argue, would upset that balance.