In 2016, the U.S. Supreme Court in Spokeo, Inc. v. Robins, provided a potentially powerful Article III standing defense under F.R.Civ.P. 12(b)(1) seemingly applicable to a variety of privacy claims, including FCRA, FACTA, TCPA, and FDCPA statutory damage claims. The Court noted for a plaintiff to establish standing to sue in federal court, she must establish an “injury in fact” consisting of an invasion of a legally protected interest, which is both particularized and concrete.
Spokeo dealt with the “concrete” portion. To be concrete, an injury must be real but may also be intangible. Congress’ intent in creating a right is instructive, but not sufficient. Allegations of a bare procedural violation likely would not suffice to maintain standing. Some injuries create harm, others do not. Thanks for that.
In the last 18 months, hundreds of opinions, many concerning privacy claims, have poured out from federal courts on whether an injury is “concrete enough.” The Spokeo results have been wildly mixed and clear trends, other than plaintiff counsel demonstrate greater agility in pleading injury and defense counsel filing far more dispositive motions based on standing, are elusive. Perhaps some national class actions have been derailed as the injury becomes more concrete and particularized, the commonality of class facts becomes less discernible. Many claims likely migrate to state court and you can ask yourself if that is a good thing on a case-by-case basis.
Unsurprisingly, upon remand, the Ninth Circuit found the stated injury was “concrete.” Equally unsurprising, Spokeo recently sought the Supreme Court’s assistance a second time to clarify the “widespread confusion.” I am not suggesting Spokeo isn’t useful, but please realize it is not a panacea to every defendant that reads a complaint and says “really?”
Perhaps in developing a defense, it might be helpful to get back to something more fundamental, say, the contract. Two recent decisions, from the Second and Eighth Circuits, thwarted the respective plaintiff’s privacy claims by examining the claims under the parties’ agreement, finding the contracts at issue contained language which provided for either more defendant protection or less plaintiff protection than plaintiff thought he bargained for.
In Reyes v. Lincoln Automotive Financial Services, the Second Circuit affirmed the dismissal of Plaintiff’s TCPA claim. Reyes leased a vehicle and, in the lease agreement, consented to receive calls, including automated calls to his cellphone. Reyes defaulted on the lease and the defendant called Reyes…a lot… over 500 times. At some point after default, Reyes allegedly mailed a letter to Lincoln “withdrawing his consent” to be contacted. Lincoln denied receiving the letter or otherwise receiving any request to stop calling. Reyes sought over $700,000 in damages for the TCPA violations.
Lincoln filed a motion for summary judgment based upon whether Reyes had alleged sufficient evidence of consent withdrawal and that the TCPA does not allow a party to unilaterally revoke bargained-for consent to be contacted. The district court granted summary judgment under both theories.
While the Second Circuit agreed with Reyes that he provided sufficient evidence to demonstrate a genuine issue of material fact over his consent withdrawal, thereby precluding summary judgment on this argument, the court nevertheless affirmed summary judgment on the other basis – contractually agreed to consent may not be unilaterally revoked. The court found Reyes clearly consented to communication under many methods, including those complained of. The court found the lease provisions were bargained-for-consideration, differentiating two appellate cases and a FCC ruling which involved “gratuitous” consent, which may be revoked at any time. When the consideration is bargained for, any modification of terms must be mutual. Because the lease agreement provided no method for unilateral consent revocation, Reyes had no cause of action under the TCPA as all calls were made with his express consent. The Plaintiff got more than he thought he bargained for – a prohibition of contact consent revocation.
The Eighth Circuit case involved a classic data breach and the variety of claims that normally accompany same. Hackers breached Scottrade, stealing information of 4.6 million customers over a five month period. The hackers used the information to engage in stock manipulation and also operated internet gambling websites and a Bitcoin exchange. The FBI informed Scottrade of the breach and shortly after the FBI investigation concluded, Scottrade informed its customers.
Based upon the data breach, several class actions were filed and later consolidated as Kuhns v. Scottrade, Inc., The claims included breach of contract and implied contract, unjust enrichment, a declaratory judgment, and the Missouri Merchandising Practices Act (“MMPA”, the state law equivalent of FTC §5, but which allows for a private right of action, class action, plaintiff’s fees, etc.). Essentially, the plaintiff argued Scottrade provided “deficient cybersecurity” in violation of its customer agreement and other law. Plaintiff’s alleged injuries included immediate and continuing risk of identity theft, costs of monitoring, costs of risk mitigation, economic damages due to a declining value of their PII, “diminished value” of services provided for cybersecurity (stated another way – the customer “overpaid” for cybersecurity protection subsumed in the brokerage services), for invasion of privacy, and breach of confidentiality. Scottrade filed both 12(b)(1) and (b)(6) motions for, respectively, lack of standing and failure to state a claim. The district court found the plaintiff had not suffered an Article III injury, and, therefore lacked standing under Spokeo, and dismissed under 12(b)(1), but did not rule on the 12(b)(6) argument.
The Eighth Circuit concluded, at least with regard the breach of contract claim, that plaintiff sufficiently alleged he did not receive the full benefit of the bargain with respect to PII protection, the breach of same and actual injury (diminished value of the bargain), and therefore had standing with regard to this claim. In short, the district court was wrong on its Spokeo analysis. However, in prefacing its conclusion, the Eighth Circuit further stated that even if the lower court was wrong on 12(b)(1), the appellate court may affirm dismissal of “clearly meritless” claims under 12(b)(6). Guess how much merit the claims had?
The parties agreed a Brokerage Agreement, which incorporated a Privacy Statement (together the “Agreement”), governed the relationship. The Agreement noted Scottrade protected personal information from unauthorized access and use, employed security measures which complied with federal law, used SSL encryption and other computer safeguards, and maintained physical security of its files and buildings.
The complaint alleged Scottrade breached the Agreement by not complying with applicable laws or otherwise safeguarding PII and did not maintain sufficient security measures to prevent the breach. The Appellate Court was not impressed. These allegations did not plausibly allege breach of contract as these provisions were representations of conditions Scottrade would maintain. Scottrade may have made misrepresentations, which might have amounted to fraud in the inducement had that been pled, which it was not. As the complaint stood, these allegations were bare assertions.
Further, the complaint failed to allege a specific breach of the contract and failed to identify any applicable law or regulation breached. “The implied premise that because data was hacked Scottrade’s protections must have been inadequate is a “naked assertion.”
The complaint also failed to allege any actual damage – an element of a breach of contract claim. Scottrade asserted no customer suffered fraud or identity theft resulting in financial loss and plaintiff did not contest that. “Massive class action litigation should be based on more than allegations of worry and inconvenience.” Finally the court did not find the “overpayment for services” argument persuasive since plaintiff paid on a per order basis, which did not contain any “cost” for data security. No breach, no damages, no breach of contract claim.
The Eighth Circuit dispensed with the remaining claims in quick fashion. Implied contract and unjust enrichment – “we are left to guess how Scottrade failed to take “industry leading” security measures” and besides there is an agreement which covers the same subject matter (or, in this case, does not cover any of the subject matter). The declaratory relief claim was “virtually unintelligible” seeking a remedy for old conduct not current practices. The MMPA claim, based on allegations of unfair and deceptive acts and practices, was not pleaded with the particularity required of F.R.Civ.P. 9(b), Scottrade, in any event, did not sell data security services, and therefore any loss was not attributable to a service not provided. In short, the plaintiff’s contract provided less of what he thought he bargained for – data security protection.
In light of these powerful decisions, it is time to haul out your standard contracts, agreements, and leases and check if it is time for a tune-up.