The unexpected afterlife of a Supreme Court wiretapping opinion
What do human rights advocates have in common with Barnes & Noble credit and debit card customers?
There’s no punchline response to that question (or at least none that I could think of). The answer instead lies in the U.S. Constitution’s strictures on who may bring a claim in federal court – and in the collateral consequences of the U.S. Supreme Court’s latest interpretation of standing, in a 2013 case called Clapper v. Amnesty International.
As you’ve probably guessed, that’s where the human rights advocates come in. After Congress passed amendments to the Foreign Intelligence Surveillance Act in 2008, the American Civil Liberties Union and outside lawyers from Proskauer Rose sued James Clapper, the Director of National Intelligence, on behalf of a group of U.S. lawyers, journalists and human rights groups who alleged that the FISA amendments violated their First and Fourth Amendment rights. The new law made it easier for the government to obtain permission to wiretap intelligence targets outside of the United States. The plaintiffs said their work required them to engage in international phone and Internet communications with likely targets of the stepped-up surveillance, and that the FISA amendments would permit the National Security Agency to access their communications illegally. They sought a declaration that the sweeping, warrantless wiretapping permitted under the new law was a breach of their constitutional free speech and privacy rights.
A threshold issue in their case was whether they satisfied the requirements for bringing a federal-court suit under Article III of the Constitution. U.S. judges, as you know, do not issue strictly advisory rulings but only have jurisdiction over actual controversies. In the Amnesty case, U.S. District Judge John Koeltl of Manhattan said that the human rights groups did not have standing to sue because their injury was only theoretical: They couldn’t show their communications had been monitored or that such monitoring had even been authorized. The 2nd Circuit Court of Appeals reversed Koeltl, holding that the plaintiffs had shown a “realistic danger” that their phone calls or emails would be intercepted. The appeals court also found standing based on the expenses the groups had incurred to preserve the confidentiality of their communications.
The Supreme Court found both of the 2nd Circuit’s rationales to be inadequate. In an opinion in February that clarified the court’s interpretation of standing, Justice Samuel Alito said that you can’t sue based on speculation about what might occur. Standing depends on an actual injury or “certainly impending” injury, Alito wrote, and cannot be satisfied through “a highly attenuated chain of possibilities.” Alito also said that plaintiffs can’t establish standing by spending money to ward off feared injury. “If the law were otherwise, an enterprising plaintiff would be able to secure a lower standard for Article III standing simply by making an expenditure based on a non-paranoid fear,” he wrote. “(Plaintiffs) cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”
After the Clapper ruling came down, Ropes & Gray‘s privacy and data security group put out a very thoughtful client alert about how the ruling could impact class actions based on data breaches. Defendants in these cases, who have shelled out tens of millions of dollars in class action settlements filed in the wake of customer database hacking, had been waiting in vain for the Supreme Court to clarify standing in private litigation involving remote harm to plaintiffs. The Ropes memo said that the Clapper decision gave defense lawyers just the language they needed to challenge standing in privacy breach class actions. Customers couldn’t base suits on the fear that their information would be misused, the Ropes memo said, or on the cost of protecting their personal information after a breach. Without the theories eliminated under Clapper, the memo argued, privacy plaintiffs didn’t have the right to sue.
The Clapper standing argument has indeed turned up in a lot of defense briefs in privacy class actions since last February. And last week, U.S. District Judge John Darrah of Chicago found Clapper to be just as powerful a weapon for defendants as Ropes & Gray had suspected it would be. Darrah dismissed all claims by Barnes & Noble customers who had asserted that their credit and debit card information was skimmed from card processors in 63 Barnes & Noble stores in nine states.
Plaintiffs lawyers at Barnow & Associates, Siprut, and Grant & Eisenhofer (among others) had argued, creatively, that Clapper actually supported the standing of the Barnes & Noble customers. Barnes & Noble had admitted that its systems had been hacked, their brief said. That data theft was exactly the injury-in-fact that the human rights advocates couldn’t show in Clapper. “The injury here is not self-inflicted or conjectural; it is concrete, particularized, and supported by the facts,” plaintiffs asserted.
Darrah disagreed. Customers hadn’t shown their data was actually stolen when Barnes & Noble’s systems were hacked, he said. So under Clapper, he said, the connection between the data breach and any actual injury to them “is too tenuous” to confer standing under any of the plaintiffs’ theories. (Darrah is actually the second federal judge to cite Clapper is dismissing an online privacy case. In July, U.S. District Judge Carlos Murguia tossed a class action against Sam’s Club, which was accused on deceiving customers about the vulnerability of its customer database; the Sam’s Club case, though, was much more speculative than the Barnes & Noble suit because there was no breach of Sam’s Club data.)
Douglas Meal of Ropes & Gray, which has issued a new client alert on Darrah’s ruling, told me the decision shows that Clapper standing arguments “will have legs” in privacy suits. The mere theft of data, he said, doesn’t mean harm to customers is certainly impending, as Clapper holds it must be to establish standing. But Charles Sims of Proskauer, who was co-counsel with the ACLU in the Clapper case, believes that is a misreading of the Supreme Court’s decision. Sims told me that the theft of customer data should be a sufficient injury to confer standing. “Standing depends on whether there’s a breach,” Sims said, not on whether customers suffer additional injury as a result of the breach.
More rulings applying Clapper to privacy class actions and other cases with tenuous injury claims should be coming down soon. I’ll be keeping an eye out.
(Reporting by Alison Frankel)
For more of my posts, please go to WestlawNext Practitioner Insights