During her nearly three years on the Seventh Circuit, Judge Barrett has taken "a rigorous and nuanced approach to Article III standing," signing onto decisions involving consumer protection statutes that have come down on both sides of the divide over whether plaintiffs have alleged sufficient harm to move forward with their claims, said David T. Cohen, of counsel at Orrick Herrington & Sutcliffe LLP.
If she is confirmed to fill the vacancy created by the death of Justice Ruth Bader Ginsburg, Judge Barrett would likely bring that philosophy to the high court and take it "one case at a time and [pair] the facts up against the Article III standards set forth" by the Supreme Court in its landmark decisions in Spokeo v. Robins and Clapper v. Amnesty International , according to Cohen.
"I don't think she'd subscribe to the view that just because there was a breach, there is automatically standing," Cohen said. "Rather, she's going to look very hard at whether the breach at issue really gave rise to the type of concrete, actual or imminent harm that the Supreme Court has said is required."
Pressure has been mounting on the Supreme Court in recent years to address standing in the data breach context, as lower courts have struggled with how to apply the high court's 2016 Spokeo ruling and 2013 Clapper decision to proposed class actions that target companies' alleged data security missteps.
In Spokeo, the justices held that plaintiffs must allege a concrete injury and cannot rely on mere statutory violations to establish standing for their privacy claims, while the court found in Clapper that injuries must be real or imminent and not merely speculative.
The D.C., Sixth, Seventh and Ninth circuits have embraced a low threshold for entry, finding the heightened risk of identity theft stemming from a breach is enough for standing. Yet the First, Second, Third, Fourth and Eighth circuits have set a higher bar, requiring allegations of actual misuse of personal information for plaintiffs to forge ahead with their claims.
The justices have so far declined to tackle the issue, rejecting a petition by shoe retailer Zappos last year to review a Ninth Circuit decision finding standing for data breach claims and passing on health insurer CareFirst Inc.'s similar bid in 2018 to overturn a D.C. Circuit ruling that allowed policyholders to move forward with their data breach suit.
The high court in January also refused to take up a petition from Facebook challenging a Ninth Circuit decision that cleared the way for a class of millions of Illinois users to take the company to trial over its alleged violations of the state's unique biometric privacy law.
The move was notable because no justice requested that the plaintiffs respond to Facebook's arguments they lacked standing, noted Jean-Claude André, a partner and co-chair of the appellate and Supreme Court group at Bryan Cave Leighton Paisner LLP.
"That was a procedurally shocking denial because it only takes one justice to order a response, and I can't think of another case where there's been a credible claim of a circuit conflict where the Supreme Court justices haven't ordered the other side to file a response," he said, adding the development indicates the justices to date haven't had "enough of an appetite" for revisiting the standing question so soon after the Spokeo ruling.
While it's unclear whether that appetite would change with the addition of Judge Barrett, the court will soon have three new justices who didn't take part in Spokeo — Justices Neil Gorsuch and Brett Kavanaugh, plus whomever is confirmed to take Justice Ginsburg's seat — and the growing circuit divide means requests to close the gap will continue to pour in, according to attorneys.
"This split is not going away, and it seems as though the Supreme Court will have to jump in and take up this question sooner or later, and probably sooner," André said. "It's just a question of which case is the right vehicle to clearly implicate the conflict and when the moment will be right."
In attempting to figure out how Judge Barrett would rule on the issue as a Supreme Court justice, attorneys pointed to a pair of statutory privacy decisions she's authored since joining the Seventh Circuit in October 2017.
In a June 2019 decision in Casillas v. Madison Avenue Associates Inc. , Judge Barrett concluded that plaintiff Paula Casillas hadn't alleged an injury sufficient to move forward with claims that Madison Avenue Associates had violated the Fair Debt Collection Practices Act by failing to notify debtors they must respond in writing if they need more information about their debt.
The judge held the debt collector had merely "made a mistake" in failing to include the disclosure in the letter it sent to Casillas, and that the plaintiff's allegation she had been harmed by this omission was insufficient to meet the injury threshold established by Spokeo.
"The bottom line of our opinion can be succinctly stated: no harm, no foul," Judge Barrett wrote in opening the opinion.
"The only harm that Casillas claimed to have suffered ... was the receipt of an incomplete letter — and that is insufficient to establish federal jurisdiction," the judge said.
However, Judge Barrett reached the opposite conclusion in Gadelhak v. AT&T Services Inc. , a Telephone Consumer Protection Act case decided in February.
Aside from narrowly defining what qualifies as an autodialer under the statute — another hot-button issue the justices are set to consider this term — Judge Barrett found in favor of plaintiff Ali Gadelhak on the "preliminary matter" of whether the consumer had standing to sue AT&T over allegedly unsolicited automated text messages.
The judge said the circuit split on whether unwanted texts cause concrete harm necessitated that the court "show our work." She held that the harm Gadelhak claims to have suffered was analogous to invasions of privacy that have long been recognized in common law and was the kind of injury Congress intended to prevent when it passed the TCPA in 1991.
"A few unwanted automated text messages may be too minor an annoyance to be actionable at common law," the judge wrote. "But such texts nevertheless pose the same kind of harm that common law courts recognize — a concrete harm that Congress has chosen to make legally cognizable."
Based on these decisions, "it appears that Judge Barrett could go both ways on Article III standing depending on the statute at issue in a data breach case," said Arsen Kourinian, of counsel with Knobbe Martens.
"For example, similar to the FDCPA's requirement to provide notice to debtors that was at issue in Casillas, Judge Barrett may hold that a company's mere violation of a data breach notification law — without plaintiff showing additional harm — is insufficient for Article III standing," he said.
Kourinian added that the standing debate is somewhat unique in that it isn't necessarily "a purely partisan issue."
He pointed to the justices' 6-2 ruling in Spokeo, in which both liberal and conservative justices joined the majority opinion.
Justice Ginsburg penned the dissent, joined by Justice Sonia Sotomayor, which agreed with much of the court's standing analysis — including the view that a bare procedural violation of a statute is insufficient for standing — while asserting there was no reason to waste judicial resources and remand the dispute, since it was clear the plaintiff had alleged a sufficiently concrete harm.
However, that doesn't mean the issue hasn't split down ideological lines in the past. The high court's 5-4 ruling in Clapper came out that way, with the conservative wing dismissing as speculative the argument that plaintiffs had standing to challenge a U.S. surveillance law because they had shown an "objectively reasonable" likelihood the government would intercept their sensitive communications.
Both of these rulings have contributed to the high court's steady move toward a more restrictive view on standing, a stance that's likely to be strengthened with Judge Barrett on the bench, attorneys noted.
"If the court were to address Article III in the context of data breach litigation, it is far more likely that the court will require more specific, measurable harm than some of the circuits have allowed to this point," said Al Saikali, chair of the data security and privacy group at Shook Hardy & Bacon LLP. "In short, it will be harder for plaintiffs to meet their Article III standing requirement."
André, the Bryan Cave partner, added that the more conservative wing of the court "already has the votes, and if anything Judge Barrett replacing Justice Ginsburg would just make the Spokeo and Clapper majorities stronger."
Still, how the high court in general — and Judge Barrett in particular — comes out on the standing debate is likely to depend a great deal on the nature of the case before the justices, attorneys noted.
In the data breach context, situations where plaintiffs claim their information has been compromised but can't show evidence that it's been misused have generally been tossed for lack of standing, while instances where plaintiffs allege the breach has led to identity theft or fraud are typically allowed to move forward.
The middle ground, where plaintiffs assert that a breach occurred and they had to take steps such as signing up for credit monitoring, is "where we've seen most of the split on whether this type of injury is concrete, particular and tangible enough," according to Ana Tagvoryan, vice-chair of the corporate litigation practice group and chair of the privacy class action defense team at Blank Rome LLP.
"As far as this type of injury is concerned, it's very tricky, given that most times plaintiffs don't allege a consumer protection statute violation that requires economic loss but instead advance more of a negligence claim," Tagvoryan said.
Given Judge Barrett's existing body of work on the standing issue and her embrace of the judicial philosophy of the late Justice Antonin Scalia, for whom she clerked, the high court nominee would likely give significant weigh to not only the concreteness of the alleged injury, but also whether the purported harm was likely to be redressed by a favorable judicial decision — a standard that clearly wasn't met in the FDCPA case involving Madison Avenue Associates, Tagvoryan noted.
Another factor likely to impact the standing debate in the coming years is the enactment of the California Consumer Privacy Act, which took effect in January.
While consumers aren't allowed to sue for violations of the statute's notice, access and transparency requirements, the statute creates a limited private right of action that allows consumers to seek statutory damages for breaches that allegedly result from a company's failure to implement reasonable security procedures.
Should Judge Barrett join the high court, having a statute on the books that permits consumers to seek redress for data breach harms may be enough to convince her and a majority of her colleagues that the claims pass the subjective Spokeo test for concreteness, particularly given her stance in the TCPA case from earlier this year that an alleged injury over unwanted texts was the exact harm that Congress intended to curb by enacting the law, according to Tagvoryan.
"The fact that the California Legislature identified the particular harm for which consumers can bring a private right of action, and said that bare violations of the law's procedural requirements aren't enough to bring lawsuits, will make it hard for any justice to say that's still a procedural violation because your identity wasn't stolen, if the case is filed in federal court," she said.
However, even if the Supreme Court continues to view standing through a relatively narrow lens, Saikali said he was confident the plaintiffs bar would "find a way to plead around any decision," including by bringing CCPA and other statutory privacy claims in state courts and stepping up emerging efforts to move beyond data breach litigation and into the murkier waters of allegations involving the unauthorized sharing of personal data with third parties.
"A Supreme Court decision on standing might have a significant impact on those types of cases, where all that is alleged is the unauthorized collection and sharing of personal information," Saikali said.
--Editing by Philip Shea and Marygrace Murphy.
For a reprint of this article, please contact reprints@law360.com.