On June 15, 2022, in Viking River Cruises v. Moriana, the United States Supreme Court ruled that individual claims under the California Private Attorneys General Act (“PAGA”) can be compelled to arbitration under the Federal Arbitration Act, partially preempting the California Supreme Court’s longstanding and contrary Iskanian decision.
To read the full Legal Update, click here.
As we previously reported, employers generally have found success when the United States Supreme Court takes up questions about the arbitrability of workplace disputes. The unanimous decision in Southwest Airlines Co. v. Saxon bucks that trend, holding that those who load cargo onto airplanes engaged in interstate travel are exempt from the Federal Arbitration Act (FAA). The Court’s fact-specific decision, however, rejects any bright-line test. As such, it leaves room for employers looking to enforce their arbitration agreements under federal law and opens the door to future litigation regarding whether workers are actually “engaged in interstate commerce” when they do not cross borders to perform their work.
To read the full Legal Update, click here.
Medical service providers who engage in medical billing, debt collection, and credit reporting are the focus of new regulations and regulatory enforcement efforts. Civil litigation is sure to follow. Under the direction of its new Director, Rohit Chopra, the Consumer Financial Protection Bureau “is working to stop unfair medical debt collection and coercive credit reporting practices that add to the strain on American families.” The Bureau has targeted that “$88 billion of outstanding medical bills are currently in collections – affecting one in five Americans.” Id. A federal consumer protection law, the “No Surprises Act,” came into force this year. It provides billing and collection rights to medical patients, both insured and uninsured. The Bureau has issued a Bulletin, warning that the attempted collection of a medical debt that is barred by the No Surprises Act may violate federal consumer debt collection practice law. A plethora and ever growing number of state laws also heavily regulate medical billing, collection, and credit reporting practices.
To read the full Legal Update, click here.
A federal judge has dismissed a class action lawsuit that challenged the Washington Long-Term Cares Act (“Cares Act”), ruling that because the Cares Act is not established or maintained by an employer and/or employee organization, it is not an employee benefit plan and therefore not governed or preempted by ERISA. The Court also held that the premiums assessed by the Cares Act constitute a state tax. As such, only state courts, not U.S. federal courts, have jurisdiction to rule on the Cares Act.
Click here to read our Legal Update on the dismissal of the law suit.
In the second annual installment of Seyfarth Shaw’s Commercial Litigation Outlook, our nationally-recognized team provides keen insights about what to expect in 2022. It will be a busy year that will call upon clients and their counsel to be flexible, creative, and proactive on many fronts.
As you will read in the full Outlook linked below, reliance on all things online, and remote workforces, has amplified the risks around cyberattacks and privacy and insurance premiums are increasing across the board for all lines of insurance, particularly as insurers adjust their risk to the increase in expensive ransomware attacks. Other key trends in the commercial litigation space addressed in this issue are: Antitrust, Bankruptcy, Consumer Class Action Defense, Consumer Financial Services Litigation, eDiscovery Litigation, Fair Credit Reporting Act, Franchise and Distribution, Health Care Litigation, International Dispute Resolution, Real Estate Litigation, Securities Litigation, and a Trial Outlook.
Looking Ahead: Webinar Series – In the coming weeks, our team of authors will present a two part webinar series covering the topics mentioned above, including any recent developments. Please be on the lookout for further information!
Seyfarth Synopsis: The Illinois Supreme Court issued its long-awaited decision in McDonald v. Symphony Bronzeville Park, LLC, et al., 2022 IL 126511 (Feb. 3, 2022), holding that claims for statutory damages against an employer under the Illinois Biometric Information Privacy Act (“BIPA”) are not preempted by the exclusivity provisions of the Illinois Workers’ Compensation Act (the “IWCA”). This ruling is a major development in the BIPA class action landscape, as it resolves a frequently-contested issue and effectively precludes employers from asserting IWCA preemption as a defense to BIPA claims.
Case Background
The plaintiff in McDonald claimed her former employer, Symphony Bronzeville Park, LLC, violated the BIPA by requiring her and other employees to use a time-clock system that scans their fingerprints without properly providing notice, providing a publicly-available retention policy, or obtaining written consents required by the statute. Defendant moved to dismiss on the basis that plaintiff’s claims were barred by the exclusivity provisions of the IWCA, under which the sole remedies for employees who have suffered work-related injuries are the remedies set forth in the IWCA.
The trial court denied defendant’s motion to dismiss but certified for appeal the question whether the IWCA’s exclusivity provisions bar a claim for statutory damages under BIPA. The Illinois Appellate Court affirmed on the grounds that a BIPA claim for statutory damages is not an injury compensable under the IWCA. See McDonald v. Symphony Bronzeville Park LLC, 2020 IL App (1st) 192398, ¶ 27.
The Illinois Supreme Court’s Decision
On appeal to the Illinois Supreme Court, defendant argued that the IWCA precluded plaintiff’s action because plaintiff’s alleged injury occurred in the course of her employment — meaning her available remedies were limited to those set forth in the IWCA. In opposition, plaintiff argued that the IWCA’s exclusivity provisions applied only to physical or psychological injuries that are compensable under the IWCA and that a privacy injury under the BIPA constitutes a different type of injury.
The Supreme Court agreed with plaintiff. It held unanimously that her BIPA claims could proceed because her alleged privacy injury “is not categorically within the purview of the [IWCA].” McDonald v. Symphony Bronzeville Park, LLC, 2022 IL 126511, ¶ 44.
The Supreme Court analyzed the BIPA’s purpose, as articulated in the 2019 decision in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186. The Supreme Court reiterated that through the BIPA, the Illinois General Assembly “codified that individuals possess a right to privacy in and control over their biometric identifiers and biometric information,” and that “when a private entity fails to comply with one of section 15’s requirements, that violation constitutes an invasion, impairment, or denial of the statutory rights of any person or customer whose biometric identifier or biometric information is subject to the breach.” McDonald, 2022 IL 126511, ¶ 24 (quoting Rosenbach, 2019 IL 123186, ¶ 33).
The Supreme Court explained that the IWCA generally provides the exclusive remedy for work-related injuries, unless a plaintiff can establish one of the four recognized exceptions to the IWCA’s exclusivity provisions, including: (1) if the injury was not accidental; (2) if the injury did not arise from employment; (3) if the injury did not occur during the course of employment; or (4) if the injury is not compensable under the IWCA. McDonald presented a question regarding the fourth exception, i.e., whether the injury resulting from a BIPA violation is compensable under the IWCA.
In answering in the negative, the Supreme Court relied primarily on its decision in Folta v. Ferro Engineering, where a plaintiff diagnosed with mesothelioma sued his former employer after allegedly being exposed to asbestos on the job. 2015 IL 118070, ¶ 3. The trial court granted plaintiff’s employer’s motion to dismiss based on the exclusivity provisions of the Workers’ Occupational Diseases Act (the “WODA”), which were interpreted in accordance with the IWCA’s exclusivity provisions. The plaintiff argued the exclusivity provisions did not apply pursuant to the “compensability” exception because he could not recover under the WODA in that he filed his claim beyond the 25-year repose period. The Illinois Appellate Court reversed. It opined that the plaintiff’s inability to recover damages under the WODA placed his case within the exception for “non-compensable injuries.”
The Supreme Court reversed the appellate ruling, concluding that the exclusivity provisions barred the plaintiff’s cause of action even though compensation was unavailable due to the statutory time limits. Folta framed the question of whether an injury is compensable as “not whether an injury was literally compensable, i.e., whether the employee could literally receive compensation for injuries under the acts,” but “whether the type of injury categorically fits within the purview of the” workers’ compensation acts.” McDonald, 2022 IL 126511, ¶ 24 (quoting Folta, 2015 IL 118070, ¶ 23). Because the WODA addressed diseases caused by asbestos exposure, Folta held that the plaintiff’s injury was “the type of injury contemplated to be within the scope of” the WODA. Id. ¶ 39 (quoting Folta, 2015 IL 118070, ¶ 25).
Using Folta’s framework, the Supreme Court in McDonald held that injuries caused by BIPA violations “are different in nature and scope from the physical and psychological work injuries that are compensable under the [IWCA].” Id. ¶ 43. The Supreme Court contrasted “injuries that affect an employee’s capacity to perform employment-related duties, which is the type of injury for which the workers’ compensation scheme was created,” with the privacy injuries “caused by violating [BIPA’s] prophylactic requirements.” Id.
The Supreme Court further noted that the BIPA’s text supported its conclusion because the BIPA “defines the precollection ‘written release’ required by” Section 15(b) of the BIPA “to include ‘a release executed by an employee as a condition of employment.’” Id. ¶ 45 (quoting 740 ILCS 14/10). The Supreme Court reasoned that the legislature knew BIPA claims could arise in the employment context, “yet it treated them identically to nonemployee claims except as to permissible methods of obtaining consent. Therefore, the text of [the BIPA] itself . . . is further evidence that the legislature did not intend for [BIPA] claims to be presented to the Workers’ Compensation Commission.” Id. ¶ 45.
Implications For Employers
McDonald has major implications for employers facing BIPA claims. The decision effectively makes the IWCA preemption defense unavailable in BIPA cases. Moreover, many BIPA cases pending in state and federal courts have been stayed pending the Illinois Supreme Court’s McDonald decision, and those stays may soon be lifted in light of the opinion being released.
Significant questions remain, however, regarding BIPA’s application to companies that collect biometric information. Some questions will be decided in other appeals pending before the Illinois Supreme Court, which may lead courts to maintain previously-entered stays despite the issuance of McDonald. For example, the U.S. Court of Appeals for the Seventh Circuit recently issued a decision in Cothron v. White Castle Systems, 20 F.4th 1156 (7th Cir. 2021), certifying to the Illinois Supreme Court the question whether claims asserted under Sections 15(b) and 15(d) of the BIPA accrue only once upon the initial collection or disclosure of biometric information, or each time a private entity collects or discloses biometric information. (See here). Similarly, the limitations period applicable to BIPA claims remains unresolved. As previously noted (here), the Illinois Appellate Court in Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563 (1st Dist. Sept. 17, 2021), held that a one-year limitations period governs actions brought under BIPA Sections 15(c) and (d), while claims under BIPA Sections 15(a), (b), and (e) are subject to the catch-all five-year limitations period. The Illinois Supreme Court allowed the Tims defendant’s petition for leave to appeal on January 26, 2022 — meaning it is poised to issue two more critical BIPA rulings in the coming months.
On November 9, 2021, the Oklahoma Supreme Court in State ex rel. Hunter v. Johnson & Johnson, No. 118474, 2021 WL 5191372 (Okla., Nov. 9, 2021), overturned a $465 million verdict against opioid manufacturer, Johnson & Johnson (“J&J”). In the 5-1 decision, the court held that the district court erred in holding J&J liable under the state’s public nuisance law because the statute does not extend to the manufacturing, marketing, and selling of products. The court warned that extending public nuisance law to the manufacturing, marketing, and selling of products would allow consumers to convert product liability actions into public nuisance claims. Id. at *11. Such an expansion of public nuisance law could catalyze widespread litigation against large companies for any public health problem.
Like many cities across the United States, Oklahoma has seen the effects of the over-prescription of opioids to its residents. Id. at *1. In an effort to hold large opioid manufacturers accountable, the State sued three opioid manufactures in June 2017, including J&J. Id. The State argued that J&J marketed the benefits of opioid use while downplaying the dangers in an effort to increase sales. Id. at *2. The State settled with the other manufacturers and later dismissed all claims against J&J with the exception of the public nuisance claim. Id.
The district court held a month-long bench trial on the public nuisance issue. Id. The Oklahoma public nuisance statute states, “[a] public nuisance is one which affects at the same time an entire community or neighborhood, or any considerable number of persons, although the extent of the annoyance or damage inflicted upon the individuals may be unequal.” 50 Okl. St. § 2. Thus, the question before the court was whether J&J was liable for creating a public nuisance in the marketing and selling of opioids within the state. State ex rel. Hunter, No. 118474, 2021 WL 5191372 at *1.
The court returned a verdict against J&J, finding them liable for conducting “false, misleading, and dangerous marketing campaigns” about opioids. Id. at *2. In doing so, the court ordered J&J to pay $465 million to fund one year of government programs aimed at combating the opioid crisis. Id. In issuing this hefty damage award, the court did not base the amount on J&J’s specific market interest of prescription opioids sold. Id. The court also did not offset the amount with the amount the State received from the settlement agreements with the other opioid manufacturers. Id.
J&J appealed the verdict and the State cross-appealed, arguing that J&J should be held liable for a higher amount to fund twenty years of the state’s government programs aimed against opioid use. The Supreme Court of Oklahoma retained the appeal. Id. at *3. The issue on appeal was whether the district court correctly determined that J&J’s actions in marketing and selling opioids created a public nuisance. Id.
Origins and History of Oklahoma Public Nuisance Law
The Oklahoma Supreme Court began its opinion by giving a history of the public nuisance doctrine going back to the twelfth century. Id. The court explained how the public nuisance theory began as a criminal remedy used to protect the rights of public property. Id. Many years later during the twentieth century, public nuisance evolved into a common law tort and was later codified by the Oklahoma Legislature. Id. at *4. In applying the state’s nuisance statutes, the court has limited public nuisance liability to defendants “(1) committing crimes constituting a nuisance, or (2) causing physical injury to property or participating in an offensive activity that rendered the property uninhabitable.” Id. Nuisance cases can also be brought in cases in which conduct “annoys, injures, or endangers the comfort, repose, health, or safety of others.” Id. at *5. Yet, the court reminded the State that such conduct has traditionally been criminal or property-based. Id. As such, the court reasoned that applying nuisance law to the manufacturing, marketing, and selling of lawful products would be an overbroad application of the law. Id.
Oklahoma’s Public Nuisance Law Does Not Cover the State’s Alleged Harm
The court refused to extend the public nuisance doctrine to the State’s claim that J&J’s failure to warn of the dangers of opioids constitutes a public nuisance. In reaching this decision, the court identified three reasons for which the doctrine is inapplicable to product liability: (1) the manufacture and distribution of products rarely cause a violation of a public right, (2) a manufacturer does not generally have control of its product once it is sold, and (3) a manufacturer could be held perpetually liable for its products under a nuisance theory. Id. at *6.
In analyzing the first factor, the court concluded that the State failed to show a violation of a public right. The court defined a public right as a right to a public good (i.e. natural resources, public spaces). Id. The court rejected the State’s argument that J&J’s conduct amounted to an interference with the public right of health because prescription opioids do have beneficial uses for pain management and the rise in misuse and addiction could not have been anticipated. Id. at *7 The court distinguished J&J’s conduct from cases of pollution in public water or the discharge of sewer on property, in which injury could have been anticipated. Id. Further, the court reasoned that the State’s argument would promote the notion that an unreasonable interference with a public right could be shown solely by the unanticipated misuse of products by some consumers. Id. “A public right to be free from the threat that others may misuse or abuse prescription opioids—a lawful product—would hold manufacturers, distributors, and prescribers potentially liable for all types of use and misuse of prescription medications.” Id. Thus, the court concluded that the State failed to show a violation of a public right in this case.
As to the second factor, the court reasoned that J&J did not have control over the manner in which opioids were used once they were sold. Id. at *8. “A product manufacturer’s responsibility is to put a lawful, non-defective product into the market. There is no common law tort duty to monitor how a consumer uses or misuses a product after it is sold.” Id. The court reasoned that J&J had no control over its products once they were sold through the multiple levels of distribution which included distributors, wholesalers, pharmacies, hospitals and doctors’ offices. Id. Without control, J&J could also not abate or fix the nuisance. Here, the court attacked the remedy of monetary sanctions imposed by the district court. Id. at *9. Though, the amount awarded to the State was intended to go to the State’s abatement plan to combat opioid addiction, the court did not find this to be a suitable remedy. The court reasoned that the abatement program would not stop the promoting or selling of opioids. Id. Therefore, the court rejected the monetary damage award as it did not address the alleged nuisance. Id.
In addressing the third and final factor, the court plainly rejected the imposition of liability for public nuisance in this case, because J&J could be held continuously liable for its products. Id. J&J’s products entered the stream of commerce more than twenty years ago. Id. The court reasoned that imposing liability under a public nuisance cause of action here would subject manufacturers to endless liability and would sidestep the statute of limitations in traditional tort law. Id.
This Court Will Not Extend Oklahoma Public Nuisance Law to the Manufacturing, Marketing, And Selling of Prescription Opioids
In sum, the court, held that it will not extend the state’s public nuisance law to J&J’s conduct in the manufacturing, marketing and selling of prescription opioids. The court dug its heels into the common law criminal and property-based limitations that have shaped the state’s public nuisance doctrine. Without these limitations, the court warned that businesses could be held boundlessly liable for the manufacturing, marketing or selling of products, i.e. “will a sugar manufacturer or the fast food industry be liable for obesity, will an alcohol manufacturer be liable for psychological harms, or will a car manufacturer be liable for health hazards from lung disease to dementia or for air pollution.” Id. at *11. Though the court does tip its hat to the State’s novel theory of extending public nuisance liability for the marketing and selling of a legal product, the court remained unconvinced. Instead, the court advised that this is an issue that could be more appropriately addressed by the legislature, rather than the courts.
There is a growing trend in which courts are reluctant to apply public nuisance law to opioid-manufacturer cases. This case comes on the heels of a recent tentative decision from a California superior court in which the court also rejected the plaintiffs’ argument that defendants, J&J, Endo Pharmaceuticals, Teva Pharmaceuticals, and Allerfan PLC, created a public nuisance by manufacturing and selling opioids. People v. Purdue Pharma, No. 30-2014-00725287-CU-BT-CXC (Cal. Super. Nov. 9, 2021). Prior to these decisions, North and South Dakota courts have also rejected public nuisance claims against the same defendants for the same alleged conduct. See State ex rel. Stenehjem v. Purdue Pharma, L.P., No. 08-2018-cv-01300, 2019 WL 2245743, at *13 (N.D. Dist. Ct. May 10, 2019) (rejecting the public nuisance claim because public nuisance law does not apply to cases involving a sale of goods); see also State ex rel. Ravnsborg v. Purdue Pharma L.P., No. 32CIV18-000065 (S.D. Cir. Ct. Jan. 13, 2021) (rejecting the public nuisance claim as applied to the sale of good and holding that defendants did not have control of the instrumentality of the nuisance when the damage occurred).
These decisions mark a shift in the landscape of opioid litigation, casting doubt on the use of the public nuisance doctrine as applied to the manufacturers of these drugs. Another important aspect of this ruling is the questionable ability of plaintiffs to receive monetary damage awards to redress harm in these cases. The Oklahoma Supreme Court expressed skepticism in this approach and encouraged redress to be handled by public policy rather than the courts. If plaintiffs continue to allege that that the manufacturing and selling of opioids constitutes a public nuisance, it may become increasingly difficult to prove that the appropriate redress is something other than an injunction on such manufacturing and selling.
As it stands, it is not clear whether these cases are outliers or a projection of a growing national trend. Given differences in states’ public nuisance doctrines, cases certainly could come out on the other side. As more cases are set to go to trial in the coming months, it will be instructive on how courts view this doctrine and its applicability to opioid-related cases.
Thursday, October 28, 2021 
1:00 p.m. to 2:00 p.m. Eastern
12:00 p.m. to 1:00 p.m. Central
11:00 a.m. to 12:00 p.m. Mountain
10:00 a.m. to 11:00 a.m. Pacific
FinTech produces real benefits to consumers, including increased speed, convenience, and new product offerings that make it easier for consumers to manage their financial lives. As FinTech offers thrilling new opportunities, it also poses potentially serious challenges. As consumers increasingly embrace innovative new technologies in our banking system, how can we make certain we include everyone—particularly consumers and small business owners who are currently disconnected from the financial system?
In the sixth installment of the Consumer Financial Services Litigation Webinar Series, Seyfarth attorneys will explore the evolution of FinTech and AI and their resulting impact on lending. Specifically, the presenters will cover:
Given the magnitude of the potential changes ahead, Seyfarth has developed a webinar series designed to convey strategies and best practices to help you to ensure that your company and internal clients are prepared for what is ahead. To stay abreast of these changes, please subscribe to our mailing list.
Subscribe to Seyfarth’s Consumer Financial Services Mailing List.
For updates and insight on Consumer Financial Services Issues, we invite you to click here to subscribe to Seyfarth’s Consumer Class Defense Blog.
Tonya Esposito, Partner, Seyfarth Shaw LLP
Tracee Davis, Partner, Seyfarth Shaw LLP
Anne Dunne, Associate, Seyfarth Shaw LLP
If you have any questions, please contact Colleen Vest at cvest@seyfarth.com and reference this event.
This webinar is accredited for CLE in CA, IL, NJ, and NY. Credit will be applied for as requested for TX, GA, WA, NC, FL and VA. The following jurisdictions accept reciprocal credit with these accredited states, and individuals can use the certificate they receive to gain CLE credit therein: AZ, CT, NH. The following jurisdictions do not require CLE, but attendees will receive general certificates of attendance: DC, MA, MD, MI, SD. For all other jurisdictions, a general certificate of attendance and the necessary materials will be issued that can be used in other jurisdictions for self-application. If you have questions about jurisdictions, please email CLE@seyfarth.com.
A mere three weeks after the application to vacate stay was filed, the United States Supreme Court has effectively ended the year-long row over the lawfulness of the federal Centers for Disease Control’s nationwide eviction moratorium (the “CDC Moratorium”).¹ On August 26, 2021, in a per curiam opinion joined by six members of the Court, with three members dissenting, the Court vacated the District of Columbia Circuit Court’s stay of enforcement pending appeal in Alabama Ass’n of Realtors v. Dep’t of Health & Human Servs., No. 21A23, 594 U.S. __, 2021 WL 3783142 (Aug. 26, 2021). The ruling, while technically not on the merits, rendered the District Court’s judgment, a summary judgment decision which held the CDC lacked statutory authority to impose the moratorium but was stayed pending appeal, immediately enforceable.² And as a practical matter, the opinion’s conclusion to deny stay relief on the grounds that “[i]f a federally imposed eviction moratorium is to continue, Congress must specifically authorize it” renders the CDC Moratorium immediately unenforceable in all of America’s courts, absent such Congressional authorization.
The Supreme Court previously declined to grant this relief when, on a 5-4 vote issued on June 29, 2021, Justice Kavanaugh wrote a concurring opinion which denied an earlier motion for stay relief, stating that only Congressional action could justify further extension beyond its then-July 31, 2021 sunset date.³
The CDC originally ordered its eviction Moratorium in September 2020 as a response to the COVID-19 pandemic, and extended it multiple times in light of the continuing state of emergency. We previously summarized the restrictions of the CDC Moratorium here, and highlighted several extensions of its reach here and here. In short, the CDC Moratorium subjected landlords to possible criminal and civil penalties if they proceeded with actions to evict certain “covered” residential tenants affected by COVID-19 for nonpayment of rent; it did not affect tenants’ underlying rental payment obligations or landlords’ ability to sue for unpaid rent.4
The Court’s decision is the culmination of hotly-contested litigations in multiple federal courts around the country that challenged the CDC Moratorium on various statutory and constitutional grounds. As summarized by the D.C. District Court in Alabama Ass’n of Realtors:
at least six courts have considered various statutory and constitutional challenges to the CDC Order. Most recently, the Sixth Circuit denied a motion to stay a district court decision that held that the order exceeded the CDC’s authority under 42 U.S.C. § 264(a), see Tiger Lily, LLC v. United States Dep’t of Hous. & Urb. Dev., No. 2:20-cv-2692, __ F. Supp. 3d __, __, 2021 WL 1171887, at *4 (W.D. Tenn. Mar. 15, 2021) (concluding that the CDC Order exceeded the statutory authority of the Public Health Service Act), appeal filed, 992 F.3d 518 (6th Cir. 2021); Tiger Lily, LLC v. United States Dep’t of Hous. & Urb. Dev., 992 F.3d 518, 520 (6th Cir. 2021) (denying emergency motion for stay pending appeal); see also Skyworks, Ltd. v. Ctrs. for Disease Control & Prevention, No. 5:20-cv-2407, __ F. Supp. 3d __, __, 2021 WL 911720, at *12 (N.D. Ohio Mar. 10, 2021) (holding that the CDC exceeded its authority under 42 U.S.C. § 264(a)). Two other district courts, however, declined to enjoin the CDC Order at the preliminary injunction stage, see Brown v. Azar, No. 1:20-cv-03702, __ F. Supp. 3d __, __, 2020 WL 6364310, at *9-11 (N.D. Ga. Oct. 29, 2020), appeal filed, No. 20-14210 (11th Cir. 2020); Chambless Enterprises, LLC v. Redfield, No. 20-cv-01455, __ F. Supp. 3d __, __, 2020 WL 7588849, at *5-9 (W.D. La. Dec. 22, 2020), appeal filed, No. 21-30037 (5th Cir. 2021). Separately, another district court declared that the federal government lacks the constitutional authority altogether to issue a nationwide moratorium on evictions. See Terkel v. Ctrs. for Disease Control & Prevention, No. 6:20-cv-564, __ F. Supp. 3d __, __, 2021 WL 742877, at *1-2, 10-11 (E.D. Tex. Feb. 25, 2021), appeal filed, No. 21-40137 (5th Cir. 2021).5
The majority of courts concluded that the CDC lacked statutory authority to pronounce such a sweeping restriction on landlords and property owners’ rights, but did not impose any nationwide remedies. The D.C. District Court, however, invalidated the CDC Moratorium nationwide.6 When the court stayed its order pending the government’s appeal, both the D.C. Circuit and Supreme Court initially upheld the stay. But Justice Kavanaugh’s concurring opinion expressed that in his view the agency had “exceeded its existing statutory authority” in the CDC Moratorium, and that “clear and specific congressional authorization (via new legislation) would be necessary for the CDC to extend the moratorium past July.”7
The CDC reinstated the CDC Moratorium on August 3, 2021. The plaintiffs filed an emergency motion in the D.C. District Court to again vacate the stay pending the federal government’s appeal, based upon Justice Kavanaugh’s concurrence. On August 13, 2021, the District Court denied that motion, ruling that it was still bound by the D.C. Circuit and Supreme Court’s prior stay orders.8 Plaintiffs sought emergency relief from the D.C. Circuit. In a per curiam decision issued on August 20, 2021, the D.C. Circuit denied stay relief, referring to its prior decision.9
Only 10 days passed between the CDC’s reinstatement and the District Court’s stay denial order. Only another 7 days passed between that order and the D.C. Circuit’s stay denial order. And only another six days passed between that order and the Supreme Court’s decision. A multi-staged rocket docket, indeed.
The Supreme Court made quick work of the statutory question. The CDC justified its Moratorium on § 361(a) of the Public Health Service Act, which the Court concluded had specific language authorizing the agency to regulate such things as “inspection, fumigation, disinfection, sanitation, pest extermination, and destruction of contaminated animals and articles” in order to protect public health.10 The CDC Moratorium, by contrast, only had—at most—a very tangential connection to protecting public health by stopping landlords from evicting non-paying tenants who may end up homeless, who may cross state lines seeking shelter, and who may have been infected with COVID-19 and cause possible further spread of the disease. The Court concluded that the statute did not permit the sweeping authority enacted by the CDC in its eviction Moratorium.11
The CDC’s alternative justification that the statutory language granting the agency authority to adopt “other measures, as in [its] judgment may be necessary,” § 361(a), gained no more traction with the Court. The Court found that this language could only encompass measures consistent with the list of things previously referenced in the statute, and that expanding it to include such things as the nationwide CDC Moratorium results in a stretched interpretation that would provide the agency with boundless, unchecked powers. It concluded that Congress is expected to speak clearly when passing legislation that gives executive agencies broad powers, but had not done so in § 361(a) of the Public Health Service Act.12
Turning to the equities of the stay pending appeal, the Court noted that the CDC Moratorium saddled the plaintiffs and landlords all over the country with a risk of irreparable harm through lost rental payments with no guarantee they would be made whole. It further noted that government rental-assistance funds continued to be available to tenants affected by COVID-19, and that several months had passed since it previously upheld the stay.13 It concluded by holding that any further eviction moratorium could only be justified by new Congressional legislation that includes findings that the public interest supports such action.14
With the federal moratorium having come to a close, some states and municipalities have passed their own eviction moratoria.15 Challenges to them will not be governed by the Alabama Ass’n of Realtors Supreme Court decision, which addressed only the CDC’s authority. The local moratoria will no doubt be scrutinized for whether they can withstand challenges to their lawfulness, as well. Given that states and localities possess police powers that the federal government does not, such challenges will likely be unsuccessful, unless they can show that the promulgators lacked the requisite authority or failed to follow the required processes to enact or order their foreclosure moratoria. In those jurisdictions in which there are no longer any moratoria, it remains to be seen how quickly, or slowly, their judiciaries and civil officers will order and carry out evictions while the pandemic is still raging.
1. See “Temporary Halt in Residential Evictions to Prevent the Further Spread of COVID-19,” 85 Fed. Reg. 55292 (Sept. 4, 2020). As originally enacted, and after numerous extensions, the CDC Moratorium expired on July 31, 2021. See Consolidated Appropriations Act, 2021, Pub. L. No. 116-260, § 502, 134 Stat. 1182, 2078-79 (2020) (extending the CDC Moratorium through Jan. 31, 2021); 86 Fed. Reg. 8020 (Feb. 3, 2021) (extending it through March 31, 2021); id. 16731 (March 31, 2021) (extending it through June 30, 2021); id. 34010 (final extension through July 31, 2021). On August 3, 2021, the CDC re-enacted it with a slight narrowing of its geographic scope, but no other material changes. See id. 43244 (Aug. 3, 2021).
2. Alabama Ass’n of Realtors v. Dep’t of Health & Human Servs., No. 20-cv-3377 (DLF), __ F.3d __, 2021 WL 1779282 (D.C. May 5, 2021).
3. Alabama Ass’n of Realtors v. Dep’t of Health & Human Servs., 141 S. Ct. 2320, 2321 (Mem.) (2021).
4. Terkel v. Ctrs. for Disease Control & Prevention, No. 6:20-cv-564, 2021 WL 742877, at *2-3 (E.D. Tex. Feb. 25, 2021), appeal filed, No. 21-40137 (5th Cir. 2021).
5. Alabama Ass’n of Realtors, 2021 WL 1779282, at *3.
6. Id. at *9-10.
7. Alabama Ass’n of Realtors, 141 S. Ct. 2320.
8. Alabama Ass’n of Realtors v. Dep’t of Health & Human Servs., No. 20-cv-3377 (DLF), __ F.3d __, 2021 WL 3577367, at *4-6 (D.C. Aug. 13, 2021).
9. Alabama Ass’n of Realtors v. Dep’t of Health & Human Servs., No. 21-5093, 2021 WL 3721431 (D.C. Cir. Aug. 20, 2021).
10. Alabama Ass’n of Realtors, 2021 WL 3783142, at *3.
11. Id. at *3-4.
12. Id.
13. Id. at *4.
14. Id.
15. Notable examples include New York state and the City of Boston. See “Governor Hochul Signs New Moratorium on COVID-related Residential and Commercial Evictions into Law, Effective Through January 15, 2022” (Sept. 2, 2021), copy located at https://www.governor.ny.gov/news/governor-hochul-signs-new-moratorium-covid-related-residential-and-commercial-evictions-law (last reviewed Sept. 7, 2021); Boston Public Health Comm’n, “Temporary Order Establishing an Eviction Moratorium in the City of Boston” (Aug. 31, 2021), copy located at https://www.bphc.org/onlinenewsroom/Blog/SiteAssets/Lists/Posts/AllPosts/BPHC%20Temporary%20Eviction%20Moratorium%20Order%208%2031%2021%20(003).pdf (last reviewed Sept. 7, 2021).
Now more than ever, it is important for organizations to review and update their basic information security protocols (their incident response, business continuity and crisis communications plans), and to ensure they’re keeping apprised 
of potential and developing security threats that may imperil their organizations (like a catastrophic ransomware attack). Nation state attacks and cyber criminal gangs efforts seem to be aimed daily at US businesses. And the ransomware plague that continues unabated, affects nearly all industry verticals.¹
Unfortunately, sometimes even when threats are known and being addressed, when employees are trained frequently regarding information security, and when the highest security precautions are taken, a threat-actor can quickly capitalize on miniscule vulnerabilities, and an organization is faced with the grueling task of picking up the pieces. This usually includes conducting a forensic investigation, updating written information security protocols, deploying patches and password resets, replacing hardware, conducting additional employee training, as well as analyzing differing state breach legislation and notifying consumers, attorneys general, and credit bureaus in accordance with those laws.
Even after these efforts, an organization is still at risk of privacy class action litigation. This might arise through a state attorney general, federal regulator, or a consumer whose data was wrongly accessed or in fact stolen during the cyber-attack.
But in order for a consumer to sue, the threshold, and hot-button, question is whether the consumer has standing under Article III of the US Constitution. [T]he “irreducible constitutional minimum” of standing consists of three elements. The plaintiff must have (1) suffered an “injury in fact” (2) that is “fairly traceable” to the challenged conduct of the defendant and (3) that is likely to be redressed by a favorable judicial decision.²
This article discusses the first prong of the standing elements: injury in fact. Because it is generally difficult for plaintiffs in these actions to show financial harm, or other actual damages, arguments have been raised by the plaintiffs’ bar that the future risk of harm should suffice to meet the first prong of the standing elements. The Supreme Court stated in Spokeo, Inc. v. Robins that even when a statute has been violated, plaintiffs must show that an “injury-in-fact” has occurred that is both concrete and particularized. While this did provide some additional information, the question of how the future risk of harm fits in was left outstanding. Fortunately, on June 25, 2021 the Supreme Court revisited this issue in TransUnion LLC v. Ramirez, 20-297, 2021 WL 2599472, at *1 (U.S. June 25, 2021), when a credit reporting agency flagged certain consumers as potential matches to names on the United States Treasury Department’s Office of Foreign Assets Control (OFAC) list of terrorists, drug traffickers, or other serious criminals. The Court found that those “flagged” consumers whose information was divulged to third party businesses as being included in this list suffered a concrete injury in fact.. With regards to those consumers who were flagged as potential matches, but the information was never disseminated, the Court was unconvinced that a concrete injury occurred. Id. The Court further examined the risk of future harm for these individuals, but declined to find injury in fact, stating that risk of harm cannot be speculative, it must materialize, or have a sufficient likelihood of materializing. Id. It will be interesting to see how this ruling plays out in the circuits in the context of a data breach. The Court included in its opinion some interesting information regarding certain circumstances that may give rise to a concrete harm. Id. Aside from physical or financial harm, the Court also stated that reputational harm, the disclosure of private information, or intrusion upon seclusion may rise to the level of concrete harm. Id. This then begs the question of whether a risk of harm analysis might be necessary in the context of a breach, where private information is indeed accessed and disclosed (i.e., disseminated) to an unauthorized 3rd party.
In light of this ruling, we surveyed certain of the most active Circuit Court’s behavior on the Article III standing issue (post-data breach). While there are certainly trends in each circuit, it seems risk of future harm in particular, is often evaluated, rightly, based on the specific facts of the matter, which still does cause some variance within each circuit. Below we explore these trends, and the circumstances under which injury in fact is often found. Given the recent TransUnion ruling, we expect the circuits to maintain some variability and look to distinguish the TransUnion case when possible.
The Second Circuit very recently faced this issue, and acknowledged “join[ing] all of [its] sister circuits that have specifically addressed the issue in holding that plaintiffs may establish standing based on an increased risk of identity theft or fraud following the unauthorized disclosure of their data.” The court held that plaintiffs lacked standing due to a failure to plead a sufficient risk of future identity fraud. This is in contrast to its decision in Whalen v. Michael Stores, Inc., 689 F. App’x 89, 90-91 & n.1 (2d Cir. 2017), which seemed to favor the Sixth and Seventh Circuit’s approach.
The Second Circuit also recently looked to this issue in McMorris v. Carlos Lopez & Assocs., LLC, No. 19-4310, at 11 n.3 (2d Cir. April 26, 2021). When the defendant employer accidentally sent an email containing employee PII, plaintiff employees sued for negligence and violation of state consumer protection laws. Plaintiffs’ PII was not, at the time of the case, misused or stolen. The court remained consistent with its decision in Whalen concluding that despite measures taken to avoid identity theft, the plaintiffs could not show injury in fact.
The Third Circuit has taken its own approach, allowing standing when data is statutorily protected, but rejecting risk of harm arguments for common law claims. This is demonstrated by the court in In re Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F.3d 625, 641 (3d Cir. 2017), which found standing when personal data was breached in violation of the Fair Credit Reporting Act. The court did not delve into the future risk of harm issue, as it had already found a “cognizable injury.” Id.
The future risk of harm issue was discussed however in Reilly v. Ceridian Corp., 664 F.3d 38, 42 (3d Cir. 2011) (“Unless and until [] conjectures [about alleged future identity theft] come true, Appellants have not suffered any injury; there has been no misuse of the information, and thus, no harm.”), and Kamal v. J. Crew Grp., Inc., 918 F.3d 102, 113 (3d Cir. 2019) (denying standing where no information was stolen or disclosed, or where a threat-actor would need to piece together information from different sources in order to proceed with identity theft, and stating “[i]f a procedural violation does not present a material risk of harm to an underlying interest, a plaintiff fails to demonstrate concrete injury under Article III”).
The Fourth Circuit additionally rejects the risk of future harm argument, finding in Beck v. McDonald, 848 F.3d 262, 274-75 (4th Cir. 2017) that the plaintiffs’ supposed risk of future identity theft was “too speculative” when plaintiffs failed to present evidence that their personal information had been accessed or misused.
A year later however, in Hutton v. Natl. Bd. of Examiners in Optometry, Inc., 892 F.3d 613, 621 (4th Cir. 2018), the court of appeals distinguished the Beck decision and vacated a district court’s dismissal of class action suit. There, the Fourth Circuit found injury in fact when Plaintiffs alleged that they were victims of identity theft and credit card fraud, which constituted misuse and thus satisfied the injury prong of Article III. Id.
The Seventh Circuit favors standing when a breach causes an increased risk of harm to the affected individuals, when the data exposed is likely to lead to identity theft. This is supported by the decisions in Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629, 634 (7th Cir. 2007), which found injury in fact when plaintiffs claimed an increased risk of data theft after their information had been accessed by a malicious and sophisticated hacker; Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963, 967 (7th Cir. 2016) where injury in fact was found when plaintiffs spent time resolving fraudulent charges even when the bank prevented charges from going through; and Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 692 (7th Cir. 2015), where similarly, victims of identity theft suffered “aggravation and loss of value of time needed to set things straight, to reset payment associations after credit card numbers are changed and pursue relief for unauthorized charges.”
However, some recent cases show that the Seventh Circuit is not quite ready to accept that any potential for identify theft satisfies the injury in fact element of standing. For example, in Kylie S. v. Pearson PLC, 475 F. Supp. 3d 841, 846 (N.D. Ill. 2020), the court did not find standing where the data breached could not “easily be used in fraudulent transactions,” and where plaintiffs were unable to show any consequences of the breach a year following the incident.
The Ninth Circuit has determined that a plaintiff can establish standing by showing injury in fact based on the increased risk of identity theft following a data breach. In Krottner v. Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir. 2010), the court found that the plaintiffs had standing where they “alleged credible threat of real and imminent harm stemming from the theft of a laptop containing their unencrypted personal data.” Likewise, the court in In re Zappos.com, Inc., 888 F.3d 1020, 1028 (9th Cir. 2018), found that “Plaintiffs sufficiently alleged an injury in fact based on a substantial risk that the Zappos hackers will commit identity fraud or identity theft.”
The Eleventh Circuit has found that a plaintiff must show more than an increased risk of identity theft to establish injury in fact for Article III standing. In Tsao v. Captiva MVP Rest. Partners, LLC , 986 F.3d 1332, 1343 (11th Cir. 2021), the court explained that the information allegedly accessed by the hackers “generally cannot be used alone to open unauthorized or new accounts” therefore, “it is unlikely that the information allegedly stolen [ ], standing alone, raises a substantial risk of identity theft.
While the Supreme Court did provide further color to the issue of risk of future harm, we have yet to see how this plays out in the context of a data breach. The trends in the circuits tell us that in the absence of a showing that individual data was indeed misused, we can expect courts across the circuits to evaluate each case based on the facts and circumstances at hand, and continue to draw conclusions based on the trends discussed above. However, with the Supreme Court using dissemination of information as the threshold to determine harm, it will be interesting to see what is to come in this space. For now, we can expect the following trends to continue in the circuits:
| Threshold | 1st | 2nd | 3rd | 4th | DC | 5th | 6th | 7th | 8th | 9th | 10th | 11th |
| Actual Harm (Pecuniary Loss) | X | X | X | X | X | X | ||||||
| Threat of Harm/Misuse | X | X | X | X | ||||||||
| Middle Ground | X | X | X | X | X |
1. See Georgia hospital system hit with ransomware attack following Biden-Putin summit Ι Fox Business
2. Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016), as revised (May 24, 2016)