Spokeo's Implications for Cyber-Security Litigation

On May 16, 2016, the Supreme Court issued its opinion in Spokeo, Inc. v. Robins, 578 U.S. ____ (2016), reaffirming that Article III standing requires statutory plaintiffs to demonstrate concrete injury. Although Spokeo was concerned with statutory standing, it is expected to have significant implications in cybersecurity class action litigation.

Thomas Robins sued Spokeo under the Fair Credit Reporting Act ("FCRA") claiming that misinformation in his profile was hurting his employment prospects. According to Robins, the profile misrepresented his education (listing him as having a graduate degree), his wealth level (listing him in the "Top 10%"), and his marital status (describing him as married with children). Robins argued that his profile made him look overqualified for the positions he wanted.

The district court dismissed Robins' lawsuit, ruling that he had not established an actual "injury in fact" and therefore lacked standing to sue. Robins appealed to the Ninth Circuit, which reversed. The Ninth Circuit held that Robins did not have to demonstrate a concrete injury as long as he proved that Spokeo had violated the FCRA.

The Supreme Court disagreed. It confirmed that Article III standing requires a concrete injury even in the context of a statutory violation. The Court vacated the Ninth Circuit's order and remanded the case.

It is only a matter of time before Spokeo begins to be cited in cybersecurity class actions. Spokeo confirms that cybersecurity plaintiffs must show a concrete injury, rather than simply asserting that a data breach occurred. The Supreme Court noted that a concrete injury must be real and not abstract, although it is not necessarily synonymous with tangible. Whether plaintiffs will be able to meet the concrete injury requirement will likely be determined on a case by case basis.