FCRA

Data Broker’s Appeal to U.S. Supreme Court Could Reshape Future of Data Privacy Litigation

In a case that could shape the future of data privacy litigation, the Supreme Court recently agreed to review the decision by the U.S. Court of Appeals for the Ninth Circuit under the Fair Credit Reporting Act (FCRA) in Robins v. Spokeo, Inc. At issue is the extent to which Congress may create statutory rights that, when violated, are actionable in court, even if the plaintiff has not otherwise suffered a legally-redressable injury.

Spokeo is a data broker that provides online “people search capabilities” and “business information search” (i.e., business contacts, emails, titles, etc.).   Thomas Robins (Robins) sued Spokeo in federal district court for publishing data about Robins that incorrectly represented him as married and having a graduate degree and more professional experience and money than he actually had.  Robins alleged that Spokeo’s inaccurate data caused him actual harm by (among other alleged harms) damaging his employment prospects.

After some initial indecision, the district court dismissed the case in 2011 on the grounds that Robins had not sufficiently alleged any actual or imminent harm traceable to Spokeo’s data.  Without evidence of actual or imminent harm, Robins did not have standing to bring suit under Article III of the U.S. Constitution.  Robins appealed.

On February 4, 2014, the Court of Appeals for the Ninth Circuit announced its decision to reverse the district court, holding that the FCRA allowed Robins to sue for a statutory violation: “When, as here, the statutory cause of action does not require proof of actual damages, a plaintiff can suffer a violation of the statutory right without suffering actual damages.” The Court of Appeals acknowledged limits on Congress’ ability to create redressable statutory causes of action but held that Congress did not exceed those limits in this case.  The court held that “the interests protected” by the FCRA were “sufficiently concrete and particularized” such that Congress could create a statutory cause of action, even for individuals who could not show actual damages.

Why Spokeo Matters

If the Supreme Court reverses the Ninth Circuit’s decision, the decision could dramatically redraw the landscape of data privacy protection litigation in favor of businesses by requiring plaintiffs to allege and eventually prove actual damages. Such a ruling could severely limit lawsuits brought under several privacy-related statutes, in which plaintiffs typically seek statutory damages on behalf of a class without needing to show actual damages suffered by the class members. Litigation under the FCRA, the Telephone Consumer Protection Act and the Video Privacy Protection Act (among other statutes) all could be affected.




New Data Disposal Law in Delaware Requires Action by Impacted Businesses

While the federal government continues its inaction on data security bills pending in Congress, some U.S. states have been busy at work on this issue over the summer. A new Delaware law, H.B. 295, signed into law on July 1, 2014 and effective January 1, 2015, provides for a private right of action in which a court may order up to triple damages in the event a business improperly destroys personal identifying information at the end of its life cycle. In addition to this private right of action, the Delaware Attorney General may file suit or bring an administrative enforcement proceeding against the offending business if it is in the public interest.

Under the law, personal identifying information is defined as:

A consumer’s first name or first initial and last name in combination with any one of the following data elements that relate to the consumer, when either the name or the data elements are not encrypted:

  • his or her signature,
  • full date of birth,
  • social security number,
  • passport number, driver’s license or state identification card number,
  • insurance policy number,
  • financial services account number, bank account number,
  • credit card number, debit card number,
  • any other financial information or
  • confidential health care information including all information relating to a patient’s health care history, diagnosis, condition, treatment or evaluation obtained from a health care provider who has treated the patient, which explicitly or by implication identifies a particular patient.

Interestingly, this new law exempts from its coverage banks and financial institutions that are merely subject to the Gramm-Leach-Bliley Act, but it exempts health insurers and health care facilities only if they are subject to and in compliance with the Health Insurance Portability and Accountability Act (HIPAA), and credit reporting agencies only if they are subject to and in compliance with the Fair Credit Reporting Act (FCRA).

Given how broadly the HIPAA and FCRA exemptions are drafted, we expect plaintiffs’ attorneys to argue for the private right of action and triple damages in every case where a HIPAA- or FCRA-covered entity fails to properly dispose of personal identifying information, arguing that such failure evidences noncompliance with HIPAA or FCRA, thus canceling the exemption.   Note, however, that some courts have refused to allow state law claims of improper data disposal to proceed where they were preempted by federal law.  See, e.g., Willey v. JP Morgan Chase, Case No. 09-1397, 2009 U.S. Dist. LEXIS 57826 (S.D.N.Y. July 7, 2009) (dismissing individual and class claims alleging improper data disposal based on state law, finding they were pre-empted by the FCRA).

The takeaway?  Companies that collect, receive, store or transmit personal identifying information of residents of the state of Delaware (or any of the 30+ states in the U.S. that now have data disposal laws on the books) should examine their data disposal policies and practices to ensure compliance with these legal requirements.  In the event a business is alleged to have violated one of [...]
