In the context of data-breach litigation, Article III standing has historically been a hurdle for the plaintiffs’ bar. This “standing hurdle” is more than just an oxymoronic phrase. And after the Supreme Court’s decision in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), many believed that would be data-breach plaintiffs would find it even more difficult to establish Article III standing. Under Spokeo, the data breach plaintiffs are required to show an “injury-in-fact” that is “concrete and particularized” and “actual or imminent, not conjectural or hypothetical.” Many commentators thought this standard would stymie recoveries for the would-be data breach plaintiffs looking for monetary awards based on the potential harm that their information was exposed. But, since Spokeo, courts have been willing to entertain several standing theories, honing in on the Sokeo court’s lack of clarity on what constitutes a “concrete” injury, permitting cases to proceed past the pleading stage based on de minimus harm (In Re: Supervalu, Inc.), violations of federal statutes that protect information (In Re: Horizon Healthcare, Inc. Data Breach Litigation), and based on future risk of injury (Attias v. Carefirst, Inc.). Clearly, the latter seemed to be the farthest departure from “not conjectural or hypothetical standard” articulated in Spokeo.
Earlier this week, the Eleventh Circuit examined Spokeo once again, and continued what seems to be pattern of courts becoming more willing to confer standing on the plaintiffs following a data breach. Muransky v. Godiva Choclatier, Inc., however, did not involve the same type of data breach that has been grabbing recent news headlines. Instead, Muransky arose out of Godiva’s violation of a provision of the Fair and Accurate Credit Transactions Act (FACTA) which prohibits printing more than the last 5 digits of a customer’s credit card number on a receipt. Godiva printed 6 numbers on its receipt, and was the subject of litigation under FACTA. In short, the lawsuit settled in principle for $6.3 million, and Mr. Muransky objected to the settlement. The district court approved the settlement, and Mr. Muransky appealed to the Eleventh Circuit.
On appeal, the court examined whether the alleged injury sustained, which was “a heightened risk of identity theft when Godiva printed more digits of his credit card number than the law allows” was suffient to confer standing under Spokeo. While the court acknowledged that “bare procedural violations, divorced from any concrete harm” will not confer standing, it held that Spokeo required a rule that would permit a plaintiff to “show injury in fact by alleging the violation of a procedural right granted by statute poses a risk of real harm to a concrete interest.” Interpreting Spokeo’s “concreteness” requirement, the court articulated that “intangible injuries, including injury in the form of a risk of real harm’ can satisfy the concreteness requirement. It went even further with the standard stating that the injury can be tangible or intangible, does not need to be “substantial” and a “small injury and identifiable trifle, is sufficient to confer standing.”
In expanding what can be deemed concrete injury for purposes of determining standing, it remains to be seen whether other circuits will continue to expand the injury-in-fact requirement to other intangible injuries that, in some circles, would be considered merely hypothetical. With larger and more frequent data breaches, and this evolving notion of harm, the prospect of knocking out data breach litigation at the pleading stage based on Article III standing arguments may become hypothetical as well.