News 03.26.19

Cyber Risk Client Alert: Supreme Court Remands Google Settlement – Might Resolve Existing Circuit Splits On Proving Actual Harm

In re: Google Referrer Header Privacy Litigation involved allegations that Google the search histories of 129 million users in violation of the Stored Communications Act. The Ninth Circuit Court of Appeals entered judgment approving a settlement in which Google agreed to pay $8.5 million. A consolidated class action was filed alleging privacy violations based on Google’s search protocol and failure to alert users of how its search terms are shared with third parties. The plaintiffs sought statutory and punitive damages as well as declaratory and injunctive relief. The settlement approved by the Ninth Circuit required Google to pay $8.5 million in total settlement: $3.2 million in attorney’s fees, administration costs and incentive payments to the named plaintiffs, and $5.3 million to six cy pres recipients – non-profit charities, universities and attorneys but not the unnamed class members.

The settlement was challenged by Competitive Enterprise Institute – a nonprofit think tank – on the basis that it failed to allocate any relief to the unnamed class members and therefore violated Federal Rule of Civil Procedure 23(e) because it was unfair, unreasonable and inadequate. However, in its March 19, 2019 ruling, the Supreme Court declined to address any of the cy pres issues and instead remanded the case back to the Ninth Circuit with instructions that the Appellate Court decide if the search engine users established actual harm and therefore had standing to sue.

Establish Actual Harm

In Spokeo Inc. v. Robins, the US Supreme Court announced that plaintiffs do not have standing to sue in cybersecurity litigation matters based on statutory violations alone and must show they have suffered actual harm. Since Spokeo, the Appellate Circuits have split on what meets the standard of “actual harm.” The Second and Fourth Circuits have held that plaintiffs cannot establish standing without first demonstrating that their stolen information resulted in actual use of the information or harm, such as fraudulent credit card charges. By contrast, the Third, Sixth, Seventh, Eleventh and D.C. Circuits have held that the mere exposure of one’s consumer data is sufficient to establish standing.

Most recently, the Supreme Court declined to resolve this Circuit split and clarify “actual harm” when it denied certification of the D.C. Circuit’s decision in Attias v. CareFirst, Inc. In Attias, policyholders brought a putative class action against CareFirst BlueCross BlueShield after a 2014 data breach in which 1.1 million members of the Maryland-based health insurer had their personal medical information stolen by hackers. The original claim was dismissed in August 2016 when the district court determined that the policyholders lacked subject matter jurisdiction because they could not trace the data breach to a particular injury, but instead relied solely on a violation of various state consumer protection statutes along with other state law causes of action. The D.C. Circuit reversed, holding that the CareFirst policyholders “cleared the low bar to establish their standing at the pleading stage” by alleging that there was a substantial risk that their stolen personal information could be used for identity theft or medical harm (such as interference with medical devices or implants), even if the actual misuse had not yet occurred.

What’s Next

In remanding the Google settlement back to the Ninth Circuit, the Supreme Court expressly stated that nothing in its remand order should be interpreted as establishing a view on whether the plaintiffs have standing to bring their suit against Google. However, given that the remand order is based solely on the issue of standing and whether the plaintiffs suffered “actual harm” rather than the cy pres settlement (which was the original basis of the challenge), this might signal that the Supreme Court is ready to weigh in on what constitutes actual harm, resolving the Circuit split on standing in cybersecurity litigation matters.