The US Supreme Court Monday handed an interim victory to online people-search company Spokeo in a closely watched case that claimed incorrect information posted on the search site caused harm to the plaintiff.
In a 6-to-2 decision, the high court said that there was no evidence of actual harm as a result of the inaccurate information, according to its opinion posted on the SCOTUS site.
In the case, plaintiff Thomas Robins claimed a profile posted to Spokeo's website inaccurately characterized him as a man in his 50s, who was married with children, has a graduate degree, and is employed in the technical field, according to a copy of the lawsuit obtained by InformationWeek. The lawsuit was filed in the US Central District Court of California in 2010 and cited the Fair Credit Reporting Act as the basis to file the suit.
In the lawsuit, Robins states he was concerned the inaccuracies in the Spokeo report would "affect his ability to obtain credit, employment, insurance and the like." He noted he was currently unemployed and particularly concerned that the inaccuracies in the Spokeo report would affect his ability to land a job.
In its ruling, the Supreme Court noted that the plaintiff not only needed to prove that the inaccurate information affected him in a "personal and individual way," otherwise known as "particularized," but also that the injury actually existed, or was "concrete," the justices stated in their opinion. "We have made it clear time and time again that an injury in fact must be both concrete and particularized," the justices stated in their opinion, pointing to various cases that have come before this one and noting that this particular case only focused on the particularized aspect.
The justices further noted:
Not all inaccuracies cause harm or present any material risk of harm. An example that comes readily to mind is an incorrect zip code. It is difficult to imagine how the dissemination of an incorrect zip code, without more, could work any concrete harm.
The Supreme Court, while adding further definition of what is needed to bring an inaccurate data case to the courts, pushed the Spokeo case back down to the lower courts to reconsider it, noting the lower courts had used an incorrect legal analysis when it allowed the case to move forward to the Supreme Court. In issuing its order, the Supreme Court noted the federal appeals court failed to consider whether Robins suffered concrete injury and only looked at his particularized injury.
"The Spokeo case highlights a number of very important red flags for businesses that aggregate data for sale to the public," Gary D. Nissenbaum, managing principal of the Nissenbaum Law Group, told InformationWeek.
First, the definition of "consumer reporting agency" under the Fair Credit Reporting Act is fairly expansive. It includes persons who assemble or evaluate consumer credit information or other information relating to consumers for the purpose of furnishing consumer reports to third parties through interstate commerce. That means that there are many data aggregators that one would not think of as credit reporting agencies, but in fact are covered by the statute, he said.
Second, added Nissenbaum, the person who is asserting that they were injured by the dissemination of false data does not have to prove that they were actually injured in a particular dollar amount. On the other hand, they do have to show that the injury was more than just the failure to follow the procedures of the Fair Credit Reporting Act.
And lastly, the Supreme Court resisted the opportunity to undermine the ability to file a class-action lawsuit for violations of statutes such as the Fair Credit Reporting Act, said Nissenbaum. Instead, it only imposed a requirement that the damages be better defined by the lower court in a way that was consistent with the statute's requirements.
"The takeaway for Internet businesses that aggregate data is that they must be aware of the legal requirements that impose obligations to protect the integrity of the information, and they must comply with the procedures set in place to prevent consumers from being misled," Nissenbaum said. "Data aggregation and dissemination is a legally complex area of Internet commerce, and pitfalls can arise from both federal law [as in this case] and state or other legal and regulatory schemes."Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio