Data Breach Class Actions: Analyzing Standing for Future Injuries-in-Fact (Part 1)

By Brandon C. Meadows, Esq. & Ty Robare, Law Clerk

Businesses regularly store the data of customers and clients, whether through transactions or regular recordkeeping practices. When businesses hold onto this data, they are obligated to protect it from falling into the hands of unauthorized parties. In the digital age, though, the menace of data breaches looms large, often leaving a trail of individuals grappling with the loss or compromise of their personal information. This grim reality has precipitated a cascade of class action lawsuits, as affected parties seek judicial redress.

Yet, the pathway to adjudication begins (and often ends) with the pivotal challenge of establishing standing. Businesses faced with the prospect of class action litigation have a key opportunity at the outset of the case to eliminate the case entirely or drastically reduce their exposure. This article endeavors to help unravel the complex tapestry of constitutional standing in data breach class action litigation and provide a roadmap for navigating its earliest stage.

Class Certification and Requirement of Standing

In the framework of class action litigation, the determination of a plaintiff (or plaintiffs’) standing is the threshold issue to the ultimate determination of whether the class should be certified. The requirements of class certification help to illuminate some of the determinations that intertwine standing with a putative class’s ability to eventually become certified by the Court.

Florida’s standards for class certification are virtually identical to the federal requirements. Rule 1.220, Florida Rules of Civil Procedure, requires (1) the members of the class must be so numerous that separate joinder of each member is impracticable; (2) the claim or defense of the representative party must raise questions of law or fact common to those raised by the claim or defense of each member of the class; (3) the claim or defense of the representative party must be typical of the claim or defense of each member of the class; and (4) the representative party must be able to fairly and adequately protect and represent the interests of each member of the class. Additionally, the claim or defense of each member of the class must predominate over any question of law or fact affecting only individual members of the class.

Further, to satisfy standing, a plaintiff must meet three requirements. First, a plaintiff must establish that she suffered an injury in fact that is concrete, particularized, and actual or imminent. Second, she must show that the defendant likely caused their injury. And third, she must show that a favorable judicial decision can likely redress her injury. Florida’s standing jurisprudence, although deriving from the Florida Constitution instead of Article III of the U.S. Constitution, largely harmonizes its requirements with those under federal law.

An injury-in-fact signifies an encroachment upon a legally shielded interest that is concrete, particularized, and either actual or imminent. The narrative for litigation over the breach of personal information often showcases plaintiffs anchoring their standing on the substantial risk of impending harm or damage that may be caused in the future. Nonetheless, courts have traditionally required such allegations of possible future misconduct with allegations of present, actual misuse of the compromised personal information to hallmark a concrete injury.

Therefore, central to embarking on any class action litigation is the imperative for the class representative to fulfill the standing requisites, amongst which the demonstration of an injury-in-fact stands paramount. Constitutional standing is a critical linchpin in the adjudicatory process; a misstep here, and the case may end with the court’s dismissal.

The Early Evolution of a ‘Prospective’ Injury-in-Fact in Data Breach Cases

Before the Supreme Court’s decision in Clapper v. Amnesty International USA, federal appellate courts were already traversing the complex terrain of the injury-in-fact requirement in data breach class actions. The circuits exhibited a notable schism in their interpretative stance:

• The Third Circuit’s reasoning and ultimate holding in Reilly v. Ceridian Corp., 664 F.3d 38 (3rd Cir. 2011) epitomized a stringent approach towards the injury-in-fact requirement. The court held that a speculative, future harm did not satisfy the standing threshold, necessitating a manifest harm or a substantial risk thereof.
• Conversely, the First Circuit in Anderson v. Hannaford Bros. Co., 659 F.3d 151 (1st Cir. 2011), was more lenient, recognizing the costs incurred by plaintiffs to mitigate a substantial risk of future harm were sufficient to establish an injury-in-fact and, by extension, standing.

These divergent stances underscored the judicial struggle to balance the principles of access to justice against the necessity to curb frivolous litigation, creating a ripe scenario for Supreme Court intervention in Clapper.

Clapper: Not Quite a Watershed Moment for Establishing an Injury-in-Fact

The Supreme Court’s decision in Clapper v. Amnesty International USA, 568 U.S. 398 (2013), etched a stringent standard into the injury-in-fact doctrine, mandating that the harm be “certainly impending” to satisfy the requirement. The Court, by setting a high bar and effectively citing with the more conservative approach espoused in the Third Circuit, significantly impacted the adjudication of data breach class actions by eschewing a lower threshold of “reasonable likelihood.” The Clapper decision was reflective of a desire to curb a perceived litigation excess, and it undeniably cast a long judicial shadow, influencing subsequent appellate court decisions.

Post-Clapper Divergence: The Seventh and D.C. Circuits

Amidst the post-Clapper judicial milieu, the Seventh Circuit emerged as a vanguard, charting a less stringent course in line with the First Circuit’s philosophical underpinnings in Anderson. In Remijas v. Neiman Marcus Group, 794 F.3d 688 (7th Cir. 2015), the court veered away from Clapper’s stringent orthodoxy, acknowledging the costs borne by plaintiffs to mitigate or respond to an increased risk of identity theft as a concrete injury. Attias v. Carefirst, Inc., 865 F.3d 620 (D.C. Cir. 2017), followed suit, recognizing inherent risks posed by unauthorized data access as tangible harm constituting an injury-in-fact.

This judicial foray significantly loosened the Clapper-induced injury-in-fact requirement within that circuit, marking a shift towards a more plaintiff-friendly interpretation.

Post-Clapper Convergence: The Fourth and Eleventh Circuits Weigh In

In line with the Supreme Court, the Fourth Circuit in Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017) reiterated a stringent stance, necessitating more than a mere speculative, future harm to satisfy the injury-in-fact requirement.

Adopting similar reasoning, the Eleventh Circuit in Tsao v. Captiva MVP Restaurant Partners, LLC, 986 F.3d 1332 (11th Cir. 2021) echoed Clapper’s sentiments, necessitating a concrete, actual harm or a high degree of risk thereof.

Beyond Clapper: The Supreme Court’s Next Attempt at Judicial Clarity

The post-Clapper era witnessed a continuing alignment and discord among the circuits, each endeavoring to balance the principles of access to justice against the exigency to curb frivolous litigation.

While Clapper aimed at fostering judicial clarity, its stringent threshold engendered further discord among the circuits, making the standing hurdle in data breach class actions a convoluted endeavor—perhaps more convoluted than it was pre-Clapper.

Crucially, this overview of standing in data breach class actions does not begin to cover all the laws implicated by this issue or the factors that may compel the application of such laws.

If you find yourself facing the prospect of a class action lawsuit and want to understand your case, the merits of your claim or defense, potential monetary awards, or the amount of exposure you face, you should speak with a qualified Jimerson Birr lawyer. Our experienced team of attorneys is here to help. Call Jimerson Birr at (904) 389-0050 or use the contact form to set up a consultation.

Related Blogs:

Data Breach Class Actions: Analyzing Standing for Future Injuries-in-Fact (Part 2)