Apr 222021

Supreme Court Considers Injury and Typicality Questions in Case With Implications for Data Breach and Privacy Class Action Litigation

Daniel C. Craig and Marisa Levitt
, , ,

On March 30, 2021, the Supreme Court heard arguments in TransUnion LLC. v. Ramirez, a case in which Respondent Ramirez brought a class action lawsuit against Petitioner TransUnion, alleging that it incorrectly placed a flag on his credit report; the flag suggested that Ramirez was on a list of potential terrorists and criminals maintained by the U.S. Department of the Treasury’s Office of Foreign Assets Control (the “OFAC list”) because his name was similar to two individuals whose name were on that list. After Ramirez learned he had been flagged, he requested a copy of his credit report from TransUnion. TransUnion sent him a copy of his credit report, which did not include any reference to the OFAC list, and a second mailing indicating that his name was a potential match for a name on the OFAC list. Ramirez sued on behalf of himself and a class of over 8,000 individuals who received similar mailings, alleging that TransUnion violated the Fair Credit Reporting Act (“FCRA”) by (i) incorrectly flagging him as potentially appearing on the OFAC list and (ii) sending him the information about the potential match separately from his requested credit report, which he argued was confusing because the mailing regarding the OFAC list did not include FCRA-required information about how to dispute and correct the incorrect information.

The district court certified a class and the jury found in favor of the class, awarding over $60 million in damages. On appeal, the Ninth Circuit lowered the award, but affirmed the verdict.

TransUnion made two primary arguments on certiorari. First, it contended that the trial evidence failed to establish that the vast majority of class members had standing under Article III of the Constitution because there was evidence that approximately 75% of the class members did not have their possible presence on the OFAC list disclosed to any third party. Second, it argued that the class should not have been certified with Ramirez as class representative because his injuries were atypically severe compared to other members of the class.

Ramirez countered that all class members had Article III standing because they were allegedly “falsely designated terrorists by TransUnion,” even if TransUnion did not notify any third party that his or her name potentially matched a name on the OFAC list. Ramirez also contended that he was an appropriately typical class representative because his legal claims were typical of the class—even if the damages he claimed were not.

At oral argument, several justices asked questions suggesting skepticism as to whether class members whose status as a potential match on the OFAC list was never disclosed to anyone could allege an injury sufficient to confer Article III standing. While Justice Gorsuch asked whether TransUnion’s mailings might constitute actionable publication under common law principles as to members of the class who opened them, he and Justice Kavanaugh suggested that those who did not open the mail, and whose possible presence on the OFAC list was not disclosed to any third party, could not be said to have suffered any injury. On the other hand, Chief Justice Roberts asked whether an individual suffers a cognizable injury by having his or her name “mistakenly or misleadingly on a report that might be disseminated.” The questions asked by the justices were less sympathetic to TransUnion’s typicality argument, with Justice Sotomayor in particular emphasizing that Ramirez’s legal claims were identical to every other class members’ claims, while Justice Breyer asked whether, from an evidentiary and procedural perspective, TransUnion could have objected to Ramirez on typicality grounds before or during trial rather than on certiorari.

The standing issue at the core of Ramirez is common in data breach and privacy class action litigation, so the Court’s decision may have a significant impact on such cases. For example, a holding that the class must prove at trial that all of its members suffered an injury cognizable under Article III, which Ramirez’s counsel conceded during oral argument was required, would pose a significant challenge to Plaintiffs’ counsel in data breach cases where individuals whose data was potentially compromised cannot show that the data was misused—particularly in the Second, Third, Fourth, Eighth and Eleventh Circuits where the appellate courts have held that the risk of future misuse of potentially compromised data is not sufficient to confer lack Article III standing. Plaintiffs’ counsel could respond to such a holding by seeking to certify smaller classes containing only individuals whose data was misused, but this approach would require a time-consuming individual-by-individual assessment of whether an injury was suffered to determine which individuals are in the class, which would raise significant questions about the superiority of the class action device.

Given the many options available to the Court to resolve this case, we will have to wait for their opinion later this term for a resolution to these issues.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

Daniel C. Craig

Chicago

dcraig@sidley.com

Marisa Levitt

Chicago

mlevitt@sidley.com

You might also like
EU Commission Adopts New Rules for GDPR Enforcement: the Beginning of a Centralized Enforcement Model?

On 4 July 2023, the EU Commission proposed a new Regulation for procedural rules to standardize and streamline cooperation between EU Member State Data Protection Authorities (DPAs) when enforcing the EU General Data Protection Regulation (GDPR) in cross-border cases (GDPR Procedural Regulation). The GDPR adopts a decentralized enforcement model. National EU Member State DPAs are competent to enforce the GDPR on their respective territories. However, in cases with cross-border elements, the GDPR requires all concerned DPAs to cooperate in accordance with the GDPR’s “one-stop-shop” through cooperation and consistency mechanisms. Although these mechanisms establish key principles of cooperation and provide the basis for consistent application of the GDPR throughout the EU, the EU Commission determined more legislative action was needed to increase efficiency and harmonization of cross-border GDPR enforcement action.

U.S. SEC Public Company Cybersecurity Disclosure Regulation Finalized With Swift Effective Date

On July 26, 2023, the U.S. Securities and Exchange Commission finalized its rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies (the Final Rule), which will become effective 30 days following publication in the Federal Register. The Final Rule applies to all public companies subject to the reporting requirements of the Securities Exchange Act of 1934, including foreign private issuers, smaller reporting companies, and business development companies, and will require disclosure of material cybersecurity incidents on Form 8-K and Form 20-F and periodic disclosure of cybersecurity risk management, strategy, and governance in annual reports on Form 10-K and Form 20-F.

Hong Kong New PCPD Guidance on Handling Data Breaches

On June 30, 2023, Hong Kong’s data protection authority (the Office of the Privacy Commissioner for Personal Data, or PCPD) issued an updated version of its Guidance on Data Breach Handling and Data Breach Notifications (the Guidance, accessible here), which aims to guide companies on how they respond to data breaches. In particular, the Guidance contains a new recommendation for companies to adopt written data breach response plans.