News today that the Supreme Court has granted certiorari in Spokeo v. Robins, which tests whether Congress can confer “standing” by giving consumers a private right of action under a federal law, and entitlement to statutory damages, even if the consumer cannot prove any concrete damages. The Court will review a decision by the Ninth Circuit that said, essentially, “yes” to that question.
In Robins, the plaintiff claimed to have been harmed when Spokeo, an online directory that aggregates publicly-available personal information, published inaccurate information about him on the site. The plaintiff contended that in doing so Spokeo violated the Fair Credit Reporting Act (FCRA), but he could not prove specific damages tied to the inaccurate information. Instead, he claimed entitlement under the FCRA to “statutory damages” (typically set at $1,000 per violation). Robins sued on behalf of a class of people — allegedly numbering in the thousands — who were similarly aggrieved by Spokeo’s failure to report accurate information. The trial court dismissed the suit based on the constitutional requirements that a plaintiff demonstrate “standing” based on “actual or imminent harm.” The Ninth Circuit, however, reversed, reasoning that Congress could create a statutory right and in essence create standing by providing a private right of action for violation of that right. The Supreme Court has agreed to decide whether that view of Congress’ power is correct.
What does this have to do with cyber-insurance? Plenty. For one thing, the decision may undermine state laws that have fueled the market for robust first-party cyber coverage. Many consumer advocates believe that data-breach notification laws will be ineffective at forcing businesses to “fess up” when a breach happens unless the breach law contains a private right of action with a small statutory damages component, modeled on FCRA. Washington’s data-breach law, recently amended, is just such a law. The spread of such laws has driven the market for cyber policies that will cover not just the cost of notifications but also for liability protection relating to breach notification. And just as many predict that legislation working its way through Congress allowing companies to confidentially share data on cyber breaches may eventually bring rates down, state legislation has had an impact on premiums that may be blunted by the Court’s decision in Robins.
Beyond breach-notification laws, the way that the Supreme Court approaches the “actual or imminent harm” question could impact how courts handle data breach consumer lawsuits that do not rely on any federal statute but instead are based on common-law grounds, such as negligence or fiduciary duty. Some courts have dismissed consumer lawsuits that fail to allege specific harm arising from a breach, while other courts have allowed those suits to proceed at least into the discovery phase. The Supreme Court might take this opportunity to address “standing” more generally, leading to fewer consumer class actions, which could further result in lower premiums for cyber coverage.