Data Privacy And Security Class Actions Continue To Ripple Through Federal Courts Nationwide | King & Spalding

The plaintiffs’ bar continued to file data privacy and security class actions in record numbers in 2021—a trend that we fully expect to continue into 2022. In 2021, these cases gave rise to an array of important decisions from circuit courts across the country. For example, in Fox v. Dakkota Integrated Systems, LLC, the Seventh Circuit addressed whether the plaintiff had standing to assert class claims under the Illinois Biometric Information Privacy Act (BIPA). In holding that the plaintiff had standing, the court signaled that plaintiffs alleging that their employers unlawfully retained (or failed to destroy) their biometric data could seek relief in federal court for violations of section 15(a) of BIPA (which requires certain employers to develop, publicly disclose, and comply with a biometric data-retention policy). Importantly, Fox made clear that the Seventh Circuit’s earlier decision in Bryant v Compass Group USA Inc. did not shut the federal courts’ doors to section 15(a) claims.

Meanwhile, in the world of data-breach class action litigation, the Eleventh and Second Circuits issued key decisions holding that plaintiffs lacked Article III standing where they alleged only that they faced a future risk of identity theft or fraud, but failed to allege that the risk was sufficiently imminent or likely to materialize. While both courts held that the plaintiffs lacked standing, they took different routes to get there. The Eleventh Circuit’s decision in Tsao v. Captiva MVP Restaurant Partners, LLC held that a plaintiff generally lacks standing to sue based on an alleged increased risk of future identity theft absent allegations that at least some affected consumers’ data was misused as a result of a data breach. In contrast, the Second Circuit’s decision in McMorris v. Carlos Lopez & Associates LLC adopted a nebulous three-factor test for determining whether a data breach plaintiff has standing to sue based on a risk of future identity theft. Nonetheless, both decisions—particularly when considered alongside the Supreme Court’s Ramirez decision—signal that federal courts are clamping down on plaintiffs’ efforts to secure standing based on mere threats of future harm.