Apr 222021

Supreme Court Considers Injury and Typicality Questions in Case With Implications for Data Breach and Privacy Class Action Litigation

Daniel C. Craig and Marisa Levitt
, , ,

On March 30, 2021, the Supreme Court heard arguments in TransUnion LLC. v. Ramirez, a case in which Respondent Ramirez brought a class action lawsuit against Petitioner TransUnion, alleging that it incorrectly placed a flag on his credit report; the flag suggested that Ramirez was on a list of potential terrorists and criminals maintained by the U.S. Department of the Treasury’s Office of Foreign Assets Control (the “OFAC list”) because his name was similar to two individuals whose name were on that list. After Ramirez learned he had been flagged, he requested a copy of his credit report from TransUnion. TransUnion sent him a copy of his credit report, which did not include any reference to the OFAC list, and a second mailing indicating that his name was a potential match for a name on the OFAC list. Ramirez sued on behalf of himself and a class of over 8,000 individuals who received similar mailings, alleging that TransUnion violated the Fair Credit Reporting Act (“FCRA”) by (i) incorrectly flagging him as potentially appearing on the OFAC list and (ii) sending him the information about the potential match separately from his requested credit report, which he argued was confusing because the mailing regarding the OFAC list did not include FCRA-required information about how to dispute and correct the incorrect information.

The district court certified a class and the jury found in favor of the class, awarding over $60 million in damages. On appeal, the Ninth Circuit lowered the award, but affirmed the verdict.

TransUnion made two primary arguments on certiorari. First, it contended that the trial evidence failed to establish that the vast majority of class members had standing under Article III of the Constitution because there was evidence that approximately 75% of the class members did not have their possible presence on the OFAC list disclosed to any third party. Second, it argued that the class should not have been certified with Ramirez as class representative because his injuries were atypically severe compared to other members of the class.

Ramirez countered that all class members had Article III standing because they were allegedly “falsely designated terrorists by TransUnion,” even if TransUnion did not notify any third party that his or her name potentially matched a name on the OFAC list. Ramirez also contended that he was an appropriately typical class representative because his legal claims were typical of the class—even if the damages he claimed were not.

At oral argument, several justices asked questions suggesting skepticism as to whether class members whose status as a potential match on the OFAC list was never disclosed to anyone could allege an injury sufficient to confer Article III standing. While Justice Gorsuch asked whether TransUnion’s mailings might constitute actionable publication under common law principles as to members of the class who opened them, he and Justice Kavanaugh suggested that those who did not open the mail, and whose possible presence on the OFAC list was not disclosed to any third party, could not be said to have suffered any injury. On the other hand, Chief Justice Roberts asked whether an individual suffers a cognizable injury by having his or her name “mistakenly or misleadingly on a report that might be disseminated.” The questions asked by the justices were less sympathetic to TransUnion’s typicality argument, with Justice Sotomayor in particular emphasizing that Ramirez’s legal claims were identical to every other class members’ claims, while Justice Breyer asked whether, from an evidentiary and procedural perspective, TransUnion could have objected to Ramirez on typicality grounds before or during trial rather than on certiorari.

The standing issue at the core of Ramirez is common in data breach and privacy class action litigation, so the Court’s decision may have a significant impact on such cases. For example, a holding that the class must prove at trial that all of its members suffered an injury cognizable under Article III, which Ramirez’s counsel conceded during oral argument was required, would pose a significant challenge to Plaintiffs’ counsel in data breach cases where individuals whose data was potentially compromised cannot show that the data was misused—particularly in the Second, Third, Fourth, Eighth and Eleventh Circuits where the appellate courts have held that the risk of future misuse of potentially compromised data is not sufficient to confer lack Article III standing. Plaintiffs’ counsel could respond to such a holding by seeking to certify smaller classes containing only individuals whose data was misused, but this approach would require a time-consuming individual-by-individual assessment of whether an injury was suffered to determine which individuals are in the class, which would raise significant questions about the superiority of the class action device.

Given the many options available to the Court to resolve this case, we will have to wait for their opinion later this term for a resolution to these issues.

Daniel C. Craig

Chicago

dcraig@sidley.com

Marisa Levitt

Chicago

mlevitt@sidley.com

You might also like
FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.

Illinois Supreme Court Clarifies Accrual for Illinois Biometric Privacy Act Claims

For the second time in two weeks, the Illinois Supreme Court clarified the scope of the Illinois Biometric Privacy Act (BIPA) — this time in Cothron v. White Castle. The court, in a 4–3 decision, held that BIPA claims accrue each time biometric data is collected or transmitted, and not just the first time.1

Illinois Supreme Court Clarifies Statute of Limitations for Illinois Biometric Privacy Act Claims: Five Years

Last week, the Illinois Supreme Court held that a five-year statute of limitations applies to all claims under the Illinois Biometric Privacy Act (BIPA), further expanding the already broad scope and application of the Illinois statute.1