I’ve read some of the commentaries on the recent U.S. Supreme Court decision in Spokeo v. Robins, as both sides claimed victory. Today, I read commentary by Venkat Balasubramani and Eric Goldman. Both seemed to suggest that the decision may be of greater benefit to defendants in data breach lawsuits than to plaintiffs.
Here’s a snippet from Venkat’s analysis and commentary:
I think it will depend on how lower courts make use of this ruling, and my sense is that it will be cited by defendants liberally. Some courts will probably rely on it to get rid of privacy lawsuits (perhaps in combination with a strict reading of the Iqbal/Twombly pleading requirements). I could see it having an effect on class actions procedurally as well. I don’t think this will have much of an effect on TCPA cases.
In any event, there is a lot of language in Justice Alito’s opinion that supports a narrow(ish) view of privacy harm.
Eric Goldman also thinks this may favor defendants in data breach lawsuits:
If I’m right, what does this mean in practice? First, we’ve seen cases where the plaintiff didn’t actually attempt to show any harm from a statutory violation. Those cases should lack standing. Second, plaintiffs will be required to do more work to identify sufficient harms that they suffered. Obviously saying “the statutory violation made me mad/upset/frustrated or caused me angst” won’t cut it. And as we’ve seen, speculation about the possibility of bad things that might happen in the future (e.g., I could get hacked or I am exposed to a higher chance of identity theft) shouldn’t cut it either. So I think this opinion will make plaintiffs say more in their complaint, work harder to show they suffered cognizable harms, and fail to have standing when they don’t do both.
So against that backdrop, I saw an item on Law360 this morning that suggests that they’re right that this may favor defendants more:
A Maryland federal judge Thursday sent back to state court a putative class action alleging Children’s National Health System violated state privacy laws by allowing a data breach to occur, citing the U.S. Supreme Court’s just-issued Spokeo ruling to hold the patient does not have standing in federal court.
The case is Khan v. Children’s National Health System.
Update: And now Barnes & Noble is asking the court to dismiss the lawsuit against it, also citing Spokeo.
Update2: Alison Frankel found a few more examples of defendants rushing to cite Spokeo.