In data breach cases, the plaintiff typically alleges that the defendant used inadequate computer security to protect the plaintiff’s personal data. In most, but not all, cases, the plaintiff cannot prove that a hacker or thief has actually used or sold the data to the plaintiff’s detriment. In most cases, a plaintiff alleges that the defendant’s failure to protect his personal data has caused him damages by increasing his risk of suffering actual identity theft in the future, and has therefore imposed costs on the plaintiff when he reasonably takes measures, by purchasing credit monitoring services, to prevent future unauthorized third-party data access.
In data breach cases, the lower federal courts have split on the question of whether the plaintiffs meet Article III standing requirements for injury and causation. In its 2013 decision Clapper v. Amnesty International USA, the Supreme Court, in a case involving alleged electronic surveillance by the U.S. government’s National Security Agency, declared that a plaintiff alleging that it will suffer future injuries from a defendant’s allegedly improper conduct must show that such injuries are “certainly impending.” Since the Clapper decision, a majority of the lower federal courts addressing “lost data” or potential identity theft cases in which there is no proof of actual misuse or fraud have held that plaintiffs lack standing to sue the party who failed to protect their data. But a significant minority of lower court decisions have disagreed that the Clapper decision requires denial of standing in data breach cases in which there is no proof of present harm, because a footnote in Clapper acknowledged that the Court had sometimes used a less strict “substantial risk” test when plaintiffs alleged that a defendant’s actions increase their risk of future harm.
Demonstrating its concern for digital privacy, the Court in Riley v. California recently required police to obtain a Fourth Amendment warrant before examining the digital data on the cell phones of arrested suspects. It would be easy for courts to distinguish the government’s seizure of digital data from arrestees in Riley from a third party’s hacking of data from a retailer or employer. The Riley decision involves Fourth Amendment warrant issues that are not relevant to private data breach cases. Yet in both cell phone seizure cases and data breach cases, there is the common concern that vast amounts of personal data are often at stake. The new privacy concerns in a digital age should lead the Supreme Court to take a broader view of standing in data breach cases. It is also possible that the Court will follow the Seventh Circuit’s Remijas decision to distinguish cases where there is only a possible risk of theft from those where actual harm has occurred to some plaintiffs.
Bradford C. Mank, Data Breaches, Identity Theft, and Article III Standing: Will the Supreme Court Resolve the Split in the Circuits?, Notre Dame L. Rev.
Available at: https://scholarship.law.nd.edu/ndlr/vol92/iss3/7