The Intersection of Standing and Data Breaches

By: Amanda Williams

Today, cybersecurity is a primary concern for every major and minor corporation in the world. The level of sophistication hackers have achieved implies that a data breach is inevitable. Since it cannot be stopped, all that can be done is to attempt to mitigate the damage, whether to the compromised systems or to the affected consumers. Historically, courts have been reluctant to grant standing to the victims of data breaches where personal information was exposed but there has yet to be either fraudulent credit card activity or identity theft.[1] Article III standing requires that there be an injury in fact, a causal connection between the injury and the conduct, and that the injury be “fairly traceable” to the challenged action of the defendant, not the result of a third party.[2] Specifically, the injury in fact must be concrete, particularized, and actual or imminent, not merely hypothetical.[3] By using new rationales and distinguishing cases on the facts, courts around the country are beginning to confer standing in instances where in the past they would not.[4]

Previously, circuit and district courts have said that without actually being harmed by the unauthorized release of personal identifying information, generally via fraudulent credit card activity or identity theft, a consumer did not have standing.[5] Without more than an increased risk of misuse of personal data, the consumers had not suffered a harm the court was prepared to remedy.[6] When analyzing Article III standing for an injury that has yet to occur, one of the main considerations is how imminent that injury is.[7] “Imminence is concededly a somewhat elastic concept; it cannot be stretched beyond its purpose, which is to ensure that the alleged injury is not too speculative for Article III standing, that the injury is certainly impending.”[8] Under that framework, courts have required that an injury not simply be threatened, and have found that a merely possible future injury is not sufficient to be considered an injury in fact.[9]

After the Supreme Court denied standing to those who failed to show a certainly impending future injury, noting that one “cannot manufacture standing by incurring costs in anticipation of non-imminent harm,” courts across the nation began to distinguish data breach cases on the facts.[10] In the past, the Supreme Court has acknowledged that it does not necessarily require plaintiffs to show a harm that is literally certain in order to have standing, accepting instead a “substantial risk” that the harm will come to pass, which may prompt a person to incur costs in an attempt to mitigate that harm.[11] Requiring the plaintiffs to wait until they actually suffer fraudulent activity as a result of the breach would be counterintuitive to the concept that the harm need not be “literally certain” for standing to be conferred.

Ultimately, while courts are differentiating these cases on the facts, and do not appear to be issuing new bodies of law, they are granting standing in cases where they would not have in the past. They are looking at what type of information has been released and what risk is posed by the release of that specific type of personal information.[12] For example, if only credit card tails were released, and the possibility of fraudulent activity is low, the injury is less likely to be treated as certainly impending.[13] Conversely, if entire credit/debit card numbers, health information, passwords, or social security numbers are compromised, the risk of fraudulent activity is significantly higher, and the court generally considers that sufficient for the “certainly impending” standard.[14] Additionally, the courts have taken the stance that the time and cost incurred in resolving identity theft or illegal credit card activity is sufficient to confer standing, presuming the other two elements of standing, causation and redressability, are met.[15] In sum, the courts are beginning to move in a direction that grants standing to the victims of data breaches, regardless of whether they have experienced fraudulent activity as a result.


[1] See Clapper v. Amnesty Int’l USA, 568 U.S. 398 (2013).

[2] Lujan v. Defs. of Wildlife, 504 U.S. 555, 590 (1992) (Blackmun, J., dissenting).

[3] Id. at 560.

[4] See generally Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015); see also Galaria v. Nationwide Mut. Ins. Co., 663 F. App’x 384 (6th Cir. 2016); see also Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016).

[5] Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629, 639 (7th Cir. 2007).

[6] Id.

[7] See Lujan, 504 U.S. at 565.

[8] Id.

[9] See id. at 560-61.

[10] See Clapper, 568 U.S. at 422.

[11] See Galaria, 663 F. App’x at 388.

[12] See Krottner v. Starbucks Corp., 406 F. App’x 129 (9th Cir. 2010); see also In re Adobe Sys. Privacy Litig., 66 F. Supp. 3d 1197 (N.D. Cal. 2014).

[13] See Krottner, 406 F. App’x at 129.

[14] See In re Adobe Sys. Privacy Litig., 66 F. Supp. 3d at 1215.

[15] See Galaria, 663 F. App’x at 384; see also Lewert, 819 F.3d at 963.
