Written by: Sam Crochet, Esq.
In-house counsel are facing growing pressure to perform risk assessments and address internal policies to avoid data breaches for a new reason (as if they needed one). Data breach plaintiffs, depending on the state, may now find their cases welcome in state courts despite struggling to prove a clear “injury” in federal court. The Supreme Court’s 2016 Spokeo v. Robins decision established that a plaintiff’s federal court “standing” requires actual injury as opposed to a mere statutory violation. The Spokeo decision led many in-house counsel to believe that the lack of an “injury in fact” could prevent plaintiffs from pursuing data breach lawsuits. Recently, however, the 9th Circuit Court backed an Ikea shopper’s argument that her zip-code-collection claim against the retail giant should simply remain in state court, as opposed to disappearing altogether, despite her failing to show a real injury. The three-judge panel decided that the Ikea shopper had not shown concrete harm, but that she could have a second bite at the apple in state court, where the statute or general “standing” law might be different.
The decision reveals that the key issue from the Spokeo ruling is not whether a case can be brought, but where that case can be brought. This is a concept plaintiffs’ attorneys have been preaching for the better part of a year, and one that now seems to be gaining more steam. In our experience, state statutes often grant discretion in ordering civil penalties against data breach defendants. My belief is that any admission in federal court by a plaintiff regarding lack of an injury (which they might do to “save” their case and send it to state court as mentioned above) should be used vigorously by defense attorneys to persuade state judges to order nominal penalties in this kind of scenario.
The Ikea decision shows that a data breach plaintiff will oftentimes receive a second bite at the apple in state court due to Spokeo’s double-edged sword. At Hall Booth Smith, we counsel our clients to keep the big picture in mind so we can help them develop strategies in light of this potential consequence. This approach allows them to drastically reduce the risk of civil penalties down the line. Regardless, this trend is concerning and underscores the fact that the best defense is for companies to always be proactive in performing a well-tailored yearly risk analysis, from an experienced data privacy/security attorney, that is fully compliant with the many industry-specific rules.