Do plaintiffs have standing to sue a company that implemented poor data security practices that led to plaintiffs’ personal data being stolen before the plaintiffs can establish what the thieves do with their data?
“Standing” refers to a court’s ability to rule on a lawsuit, and it has become one of the most important parts of a lawsuit. If the plaintiff has not established that the court has standing to hear a case, then the court will dismiss the case. To establish standing, a plaintiff must allege—among other things—that they have suffered a concrete injury because of the defendant’s conduct.
Two recent Supreme Court cases—Spokeo, Inc. v. Robins and TransUnion, LLC v. Ramirez—made it harder for plaintiffs to establish standing. In both cases, plaintiffs sued based on the Fair Credit Reporting Act (“FCRA”), but the Supreme Court ruled that the plaintiffs lacked standing because they alleged not concrete injuries but mere procedural violations of FCRA. In other words, the Court said that while the defendants violated the law, their violation did not actually hurt the plaintiffs in any real way.
In TransUnion, the Court explained two broad categories of concrete injuries: tangible harms (such as physical and monetary harms), and intangible harms that include, among other things, “injuries with a close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts.” The Court listed examples of these harms: reputational harms and, importantly, privacy torts like disclosure of private information and intrusion upon seclusion. EPIC thinks the Supreme Court’s view of standing was too narrow in these cases, but that is not at issue in this case.
In 2018, Marriott announced that its customers were the victims of one of the largest data breaches in history. Hackers made off with millions of customers’ names, addresses, phone numbers, email addresses, payment-card information, and in some cases, passport information, room preferences, and travel destinations. Reporting and discovery have shown that Marriott’s data security practices before the breach were weak, and the company knew it. It had hired its co-defendant in the case, Accenture, to provide IT security services, but Accenture apparently did little to improve the situation. Marriott’s own employees described its security practices as the “cumulative effect” of “having a couple of shots of tequila . . . every night for years,” making Marriott “vulnerable to [a] weak defense in the court of law in case of a breach.”
Plaintiffs brought a large multi-district litigation suit against Marriott and Accenture, alleging that the companies’ negligence led to the data breach and harmed the plaintiffs. As part of their defense, Marriott and Accenture claim that the plaintiffs lack standing to bring a lawsuit. They argue that before a lawsuit can occur, each plaintiff must prove a specific amount of economic harm from having their personal information stolen on top of the obvious privacy harm.
EPIC filed an amicus brief, along with the Electronic Frontier Foundation and with help from Morgan & Morgan, arguing that the defendants’ standing claims are wrong. As the Supreme Court mentioned in TransUnion, privacy harms like having one’s sensitive personal information stolen are widely recognized harms that confer standing without the need to show downstream harms. Standing in cases like these is not only legally correct but crucially important because data breaches are a serious and growing threat to people’s physical, economic, and mental health. See the Electronic Frontier Foundation’s Deeplinks blog for more analysis. EPIC regularly submits amicus briefs in cases involving standing and consumer protection issues.