25 August 2017

Data Breach Class Actions: an actual violation accompanied by a threatened harm is sufficient to confer standing (at least in the Ninth Circuit)


In a previous post on this blog, we noted that the recent decision of the D.C. Circuit Court of Appeals had joined a growing number of federal courts holding that the risk of future harm is enough to allow a class action to proceed following a data breach.

Now the Ninth Circuit Court of Appeals joins this growing list in Robins v. Spokeo, Inc., No. 11-56843 (9th Cir. Aug. 15, 2017) (Spokeo). In Spokeo, the Ninth Circuit concluded that an actual violation of a statute accompanied by a threatened harm was sufficient to confer standing. In that case, the Ninth Circuit explained that the threatened harm is the “threat to a consumer’s livelihood” which arises from the dissemination of false information in consumer reports, which are widely used in employment decisions, loan applications, home purchases, and “much more.”

Spokeo operates a website that creates profiles on individuals containing detailed information. The plaintiff sued Spokeo in a class action claiming that his profile contained inaccurate information on his age, marital status, wealth, education level and profession. His suit was based on the Fair Credit Reporting Act (FCRA), a federal consumer protection statute which imposes certain procedural requirements on consumer reporting agencies and gives affected consumers a right to sue for statutory damages.  The stakes are high: FCRA provides up to $1,000 in statutory damages per class member for “willful” violations, in addition to potential punitive damages. Under FCRA, there is no cap on statutory damages.

This latest ruling in the Spokeo saga confirms that a technical violation combined with the dissemination of “trivial” misinformation, without more, will likely not confer standing upon a consumer to sue post-data breach. This ruling, however, does not clarify precisely which categories of “misinformation” should fall into this harmless category beyond “the erroneous zip code” or “misreporting a person’s age by a day or a person’s wealth by a dollar.” As such, this ruling does not resolve the bigger issue of what exactly is required to bring a claim under FCRA and other privacy statutes. Until the courts squarely address this issue, parties will continue to dispute whether plaintiffs have standing to bring their claims.