September 28, 2016

Cybersecurity: What does the Supreme Court’s Spokeo decision mean for your business?

Posted in Cybersecurity by Gene Killian

Cybersecurity is obviously critically important, but it’s also (equally obviously) Huge Money:  for lawyers, consultants, IT people, seminar providers, retired judges looking for a niche…the list goes on and on.  So whenever a cybersecurity decision gets handed down by any court, or a proposed bill gets drafted by a legislature, hundreds of thousands of words are breathlessly and seemingly instantly generated about what it all means. That being the case, why shouldn’t yours truly jump on the bandwagon?  So here goes:  What does the Supreme Court’s much-discussed recent decision in Spokeo really say, and how does it impact your company or clients?

First, the facts. Spokeo operates a “people search engine.”  (Aside: I have a friend who works for the NSA, who told me: “People think we’re always snooping on them.  What they don’t realize is that they’re just not that interesting.”)  If you go on the Spokeo website and enter a person’s name, phone number, or email address, Spokeo will conduct a computerized search in a wide variety of databases and, soon, you may learn more about that person than you ever wanted to know.

A fellow named Thomas Robbins became concerned when he learned that the Spokeo site contained information about him that was inaccurate. His profile apparently stated that he was married, had children, was in his 50s, held a job, was relatively affluent, and held a graduate degree. According to Robbins, all of that information was false, and he was harmed because he was unable to find a job in a down economy, since employers considered him to be overqualified.  So he sued Spokeo.

In response, Spokeo contended that Robbins lacked standing to sue, because he couldn’t prove that he had been “injured in fact.” In agreeing with Spokeo, Justice Alito wrote as follows for the majority: “To establish injury in fact, a plaintiff must show that he or she suffered ‘an invasion of a legally protected interest’ that is ‘concrete and particularized’ and ‘actual or imminent,’ not conjectural or hypothetical.” (Citations omitted.) According to Alito, for an injury to be “particularized,” it “must affect the plaintiff in a personal and individual way.” Alito further wrote that a “concrete” injury must be “de facto”; that is, it must “actually exist.”   According to a majority of the Supreme Court, the courts below hadn’t properly considered the requirements of “concreteness” and “particularity” with respect to the injuries asserted by Robbins, so the case was sent back for additional factual development.

But, in a dissenting opinion, Justice Ginsburg put her finger on a major flaw in the majority’s analysis, writing as follows: “Robbins complains of misinformation about his education, family situation, and economic status, inaccurate representations that could affect his fortune in the job market.” Ginsburg fairly asked, what could be more “particularized” and “concrete” than that?

Naturally, since the Spokeo decision is as clear as mud, there are differing twists in the lower courts as to what the holding actually means:

  • In Church v. Accretive Health, Inc., a consumer sued under the Fair Debt Collection Act because a company sent her a letter that didn’t contain required FDCA language. Her injury? She says she was “very angry” and “cried a lot”. The Eleventh Circuit said that since the relevant statute provided her with “a substantive right to receive certain disclosures,” the requirements of “concreteness” and “particularity” had been met, and she had proper standing to sue.  
  • In Hancock v. Urban Outfitters Inc., consumers filed a class action alleging that Urban Outfitters violated DC’s “Consumer Identification Information Act” when it requested zip codes in connection with credit card purchases. (I have to admit, I used to find that practice annoying, too, but I’ve recently noticed that most stores around where I live have stopped doing it.) The Court said that the “naked assertion that a zip code was requested and recorded” without any “concrete” (there’s that word again) consequence was not sufficient to create standing. 
  • In Braitberg v. Charter Communications Inc., a cable subscriber filed a class action alleging that a cable provider kept his personally identifiable information after he canceled services, in violation of the Cable Communications Policy Act. He claimed that the company’s failure to destroy the information injured him by invading his federally protected privacy rights. The Eighth Circuit said that wasn’t enough.
  • In Galleria v. Nationwide Mutual Insurance Company, consumers filed a class action against an insurance company alleging claims for invasion of privacy, negligence, and violations of the Fair Credit Reporting Act after hackers breached the insurance company’s computer network and stole personal information. The Sixth Circuit found that the consumers had alleged the required injury, because the theft of their personal data placed them at a continuing, increased risk of fraud and identity theft. (Not sure why this is more “concrete” or “particular” than Mr. Robbins’ problem in the Spokeo case.  Remember, Robbins said he had a lingering problem because incorrect data maintained by Spokeo was harming him in the job market.  Suppose the site had incorrectly said he was a felon, or a sex offender, or even a politician?  Would that be enough?)
  • In In re Nickelodeon Consumer Privacy Litigation, consumers argued that Viacom and Google unlawfully used cookies to track children’s web browsing and video-watching habits on Viacom’s websites. The purpose of the information-gathering was to sell targeted advertising based on the user’s web browsing. The consumers argued that targeting advertisements to children was more profitable than targeting advertising to adults “because children are generally unable to distinguish between content and advertisements.” The Court held that the consumers had standing to sue, writing: “The purported injury here is clearly particularized, as each plaintiff complains about the disclosure of information relating to his or her online behavior…the harm is…concrete in the sense that it alleges a clear de facto injury, i.e., the unlawful disclosure of legally protected information.” (This particular decision is worth reading because it contains a great explanation of security risks associated with “cookies,” and a discussion of various privacy statutes; but again, why did these consumers meet the test, while Mr. Robbins came up short in Spokeo?)

Here’s the bottom line though:  If you’re in Court arguing over whether a plaintiff has “standing” to sue you, you’ve already lost.  When it comes to cybersecurity, get your ducks in a row to the maximum extent you can, and keep them there.  You should be talking with your IT people, your risk manager, and your general counsel frequently about cyber-issues.