Hundreds of lower courts have interpreted and applied the Supreme Court’s decision in Spokeo, Inc. v. Robins over the past ten months. We will provide a more comprehensive report on the post-Spokeo landscape in the near future, but the overarching takeaway is that the majority of federal courts of appeals have faithfully applied Spokeo’s core holdings that “Article III standing requires a concrete injury even in the context of a statutory violation,” and that a plaintiff does not “automatically satisf[y] the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right.” Nonetheless, a handful of other decisions have been receptive to arguments by the plaintiffs’ bar that Spokeo did not make a difference in the law of standing, and that the bare allegation that a statutory right has been violated, without more, remains enough to open the federal courthouse doors to “no-injury” class actions.

Two recent decisions by the Seventh and Third Circuits illustrate these contrasting approaches.

Judge Posner’s opinion for the court in Gubala v. Time Warner Cable, Inc. reflects the majority view. Gubala is a classic example of a no-injury class action: the plaintiff, a former customer of Time Warner, sued Time Warner, alleging that the company had continued to retain his personal information in violation of the Cable Communications Policy Act, which requires that cable companies destroy customers’ personal information within a certain time period. 47 U.S.C. § 551(e). The plaintiff did not contend that the cable company’s alleged violation—holding on to his information longer than the statute allows—either had harmed him or put him at a material risk of harm in the future. In his view, it was enough that the statute prohibited the cable company’s conduct. The district court dismissed the claim for lack of standing, holding that alleging a bare statutory violation of this kind is no longer enough under “the clear directive in Spokeo.”

In affirming, the Seventh Circuit rejected the argument—commonly raised by the plaintiffs’ bar after Spokeo—that the Supreme Court’s conclusion that Article III mandates “concrete” harm is somehow limited to “procedural” statutory rights. As the court put it, “a failure to comply with a statutory requirement to destroy information is substantive, yet need not (in this case, so far as appears, did not) cause a concrete injury.” An earlier Seventh Circuit opinion had likewise rejected the same argument, holding that regardless of “whether the right is characterized as ‘substantive’ or ‘procedural,’ its violation must be accompanied by an injury-in-fact.” That earlier opinion also noted that its analysis was “in accord with those of our sister circuits in similar statutory injury cases,” citing decisions from the D.C., Fifth, Eighth, and Eleventh Circuits.

The Gubala court also reiterated that a plaintiff does not automatically satisfy Article III simply by alleging the violation of a statutory requirement. He must instead plausibly allege harm or a “risk of harm to himself from such a violation—any risk substantial enough to be deemed ‘concrete.’” If this requirement were not enforced, “the federal courts would be flooded with cases based not on proof of harm but on an implausible and at worst trivial risk of harm.”

Judge Posner also observed that it is hard for plaintiffs to cry foul about federal courts’ enforcement of Article III standing rules. Because the plaintiff in a no-injury class action has, by definition, not suffered any concrete harm as a result of the alleged statutory violation, the only “‘victims’ of the rule are persons or organizations who suffer no significant deprivation if denied the right to sue.” At most, such plaintiffs (and their lawyers) are deprived of the opportunity to pursue a statutory damages bounty—and the interest in obtaining such a bounty has never been sufficient to create an Article III case or controversy.

The Third Circuit’s opinion in In re Horizon Healthcare Services Inc. Data Breach Litigation (pdf) adopts a much different view of Spokeo. The case stems from the theft of two laptops containing sensitive personal information from the headquarters of Horizon, a health insurer. The plaintiffs alleged that Horizon failed to protect their personal information adequately in violation of the Fair Credit Reporting Act (FCRA); they also brought several state law causes of action.

Prior to Spokeo, the district court dismissed the claims for lack of Article III standing. For three of the four named plaintiffs, the district court relied heavily on the Third Circuit’s earlier decision in Reilly v. Ceridian Corp., which held in the context of another data breach that the plaintiffs lacked Article III standing to bring their common-law claims in the absence of any misuse of their data or allegations showing “imminent” and “certainly impending” future harm. (The fourth named plaintiff in the Horizon Healthcare case had alleged that he was the victim of identity theft, but the district court ruled that he had not adequately tied the identity theft to the challenged breach.)

The Third Circuit reversed. Judge Jordan’s opinion for the panel majority acknowledged Reilly, but held that it did not control because the plaintiffs in this case had alleged a violation of the FCRA (rather than common-law claims alone). The court held that the “passage of the FCRA” made Horizon’s alleged failure to prevent the disclosure of plaintiffs’ personal information “an injury in and of itself”—“whether or not the disclosure of that information increased the risk of identity theft or some other future harm.”

The court acknowledged that “it is possible to read the Supreme Court’s decision in Spokeo as creating a requirement that a plaintiff show a statutory violation has caused a ‘material risk of harm’ before he can bring suit.” And it acknowledged that other courts have done so, including the district court in the Gubala case discussed above and the Eighth Circuit in Braitberg v. Charter Communications, Inc.—and many other decisions not explicitly referenced by the court. But the panel majority expressly parted ways with those decisions, instead concluding that Spokeo had little or no effect on the law of standing and embracing pre-Spokeo decisions holding that technical violations of statutes cause Article III injury.

Judge Shwartz concurred in the judgment. She disagreed with the majority that the alleged statutory violation on its own amounted to a concrete injury, but she would have concluded that the plaintiffs had standing based on the alleged loss of their privacy. (We think this alternative conclusion is troubling too, but will save that discussion for another day.)

In our view, the majority’s reasoning is hard to square with Spokeo. The argument that Congress’s creation of a cause of action in the FCRA automatically satisfies Article III is precisely the argument that the Supreme Court rejected, instead requiring “concrete injury even in the context of a statutory violation.” Moreover, if, as the panel’s opinion indicates, mere exposure to the statutory violation automatically amounts to a present concrete harm, it is unclear why the Supreme Court would have held—citing its decision in Clapper v. Amnesty International USA requiring alleged future injury to be certainly impending—that “the risk of real harm can[] satisfy the requirement of concreteness.” And while the Third Circuit panel cited passages from Justice Thomas’s concurrence in Spokeo in support of its conclusion that the case did not change the law, no other member of the Court signed on to that concurrence, nor did Justice Thomas provide the deciding vote for the majority opinion.

Finally, we do note one bright spot in the panel’s opinion for data breach defendants. The court rejected the plaintiff’s argument that Horizon’s offer of free credit monitoring to those affected by the breach could be used “as a concession or recognition that the Plaintiffs have suffered injury.” Recognizing that a contrary rule would disincentivize companies from taking remedial steps following a breach, the court found instructive the provisions in the Federal Rules of Evidence that protect such efforts by excluding evidence of subsequent remedial measures or settlement offers as proof of culpability.

As these cases illustrate, the debate over the meaning of Spokeo is far from over. We will continue to report on significant developments.