US courts mixed on letting data breach suits go forward

Senior policy advisor Jim Dempsey analyzes application of the constitutional rules for access to federal courts in recent data breach.

US courts mixed on letting data breach suits go forward

Last summer, the U.S. Supreme Court seemed to make it much harder to bring privacy lawsuits, including data breach class actions, in federal court. But after about eight months of lower court decisions, the picture seems to be one of complexity rather than certainty.

The Supreme Court has been strict in holding that plaintiffs in federal court must have “standing” to sue. To establish standing, plaintiffs must show that they have suffered an “injury in fact” that is concrete, particularized, and actual or imminent. An intangible injury, such as harm to reputation, can be concrete, and, until last summer, it seemed that future injury could qualify if it was “certainly impending” or there was  a “substantial risk that the harm will occur.”

This was all particularly important in data breach cases: Plaintiffs usually have strong evidence that their data was stolen (frequently in the form of a notification letter directly from the breached company), but quite often they cannot say that all (or even any) of the data subjects had personally experienced fraudulent charges or identity theft. Instead, plaintiffs often allege that they face a risk of ID theft or other future harm from misuse of their data. The courts seemed to be warming to future harm as satisfying the injury-in-fact requirement...