On The Case

7th Circuit: You can’t sue over personal data unless it’s at risk

(Reuters) - In class action litigation after the U.S. Supreme Court’s holding last year in Spokeo v. Robins, there seems to be a big difference between cases based on the theft of personal data and those claiming defendants improperly held on to confidential customer information.

I told you last week about an emerging consensus among the federal circuits that, under Spokeo’s definition of constitutional standing, data breach victims can sue even if they haven’t shown hackers actually used their stolen personal information. But even as I was writing that column, an eminent panel of judges from the 7th U.S. Circuit Court of Appeals issued a decision affirming the dismissal of a class action claiming that Time Warner improperly stored confidential cable customer data in violation of the Cable Communications Privacy Act.

The suit’s fatal flaw, according to Judges Richard Posner, Frank Easterbrook and Diane Sykes, was that lead plaintiff Derek Gubala did not plausibly allege that his personal data was at risk as a result of Time Warner’s supposedly improper retention. “His only allegation is that the retention of the information, on its own, has somehow violated a privacy right or entailed a financial loss,” Judge Posner wrote for the panel. “There is unquestionably a risk of harm in such a case. But the plaintiff has not alleged that Time Warner has ever given away or leaked or lost any of his personal information or intends to give it away or is at risk of having the information stolen from it.”

The statute gives only “aggrieved” cable customers the right to sue, the appeals court said. Gubala, who sought only an injunction and no damages, may be distressed that Time Warner failed to remove his confidential data from its servers eight years after he ceased to be a customer. But according to the 7th Circuit, he has no concrete grievance: “Gubala’s problem is that while he might well be able to prove a violation (of the CCPA), he has not alleged any plausible (even if attenuated) risk of harm to himself from such a violation,” the opinion said.

The 7th Circuit agreed with a similar ruling from the 8th Circuit in Braitberg v. Charter Communications, which, perhaps not coincidentally, was filed by the same plaintiffs' lawyer, Joseph Siprut, who brought the Gubala case and asserted the same cause of action. I called Braitberg an outlier in my column last week about circuit courts allowing data breach class actions to proceed despite Spokeo. That’s not really correct, especially after the 7th Circuit’s Gubala decision. It’s more accurate to distinguish Braitberg and Gubala from data breach cases because they claim data was improperly retained – not that it was improperly exposed to theft.

It’s important to remember that the 7th Circuit was the first federal appeals court to recognize, in Remijas v. Neiman Marcus, that the mere theft of personal data gives hacking victims the right to sue corporations for leaving their confidential information vulnerable to hackers. The circuit’s Neiman Marcus decision came before the Supreme Court’s decision in Spokeo, which, of course, has become the guiding light for appellate courts deciding whether plaintiffs have standing to sue for statutory violations. My point is simply that the Gubala opinion does not mean data breach victims are shut out of litigating in the 7th Circuit. The appeals court is instead saying there’s a difference between plaintiffs whose data has been stolen and those whose information has been wrongly stored: one group has been injured and the other has not.

The court roundly rejected the theory that plaintiffs suffer a concrete injury to their privacy rights when defendants fail to destroy their confidential data. Gubala wasn’t deprived of his personal information, the 7th Circuit said, and even if Time Warner were to delete it, that act “is unlikely to have the least effect on him.”

The opinion leaves open a possibility of constitutional standing for plaintiffs who have good reason to suspect their personal data was sold or stolen because cable companies violated the Cable Communications Protection Act. But a case raising those allegations would fall into the same category as data theft class actions blessed by other federal circuits using Spokeo analysis.

I emailed plaintiffs’ lawyer Siprut and Time Warner counsel Bryan Merryman of White & Case but didn’t hear back.