Life is Short. Go to Court: Establishing Article III Standing in Data Breach Cases – Note by Megan Dowty

From Volume 90, Number 3 (March 2017)


This is the digital age. As “the ratings machine, DJT [Donald J. Trump],” says, “all I know is what’s on the internet,” or “the cyber,” as he calls it. People’s use of and dependency on the Internet has made data breaches a serious and widespread threat to people’s privacy and security. In 2016, there were 1,093 data breaches, up from 780 in 2015. 75.6% of companies suffered at least one successful attack. Essentially “there are only two types of companies left in the United States, according to data security experts: ‘those that have been hacked and those that don’t know they’ve been hacked.’”

Major companies such as LinkedIn, Target, Ebay, Yahoo, Anthem, and Ashley Madison have been subject to data breaches, and subsequently to lawsuits. Not only can data breaches threaten people’s financial security, but breaches like Ashley Madison’s—a dating site whose slogan up until July 2016 was “Life is Short. Have an Affair”—can threaten people’s home lives and shatter careers. The government is not immune to dangerous cyber attacks either. Both the U.S. Office of Personnel Management and the Democratic National Committee (“DNC”) have suffered breaches. Presidential candidate Hillary Clinton’s e-mails were leaked as part of the DNC breach, which became a source of controversy throughout her campaign. Further, the U.S. intelligence community has concluded that the hack was tied to and possibly directed by the Russian government, which sets a troubling precedent for future hacks by hostile foreign governments.

Plaintiffs whose information has been exposed due to a company data breach have attempted to sue the hacked companies storing their information based on causes of action such as negligence, breach of contract, unjust enrichment, breach of fiduciary duty, unfair and deceptive business practices, invasion of privacy, violation of the federal Fair Credit Reporting Act (“FCRA”), and violations of various state consumer protection and data breach notification laws.

Data breach actions are expected to be the “next wave” of class actions. Typically plaintiffs try to bring these claims as class actions because of the large number of plaintiffs and small amount of damages involved. Most data breach actions are brought in federal court based on the Class Action Fairness Act, 28 U.S.C. § 1332(d) (2012), which extends federal diversity jurisdiction to all class actions in which minimal diversity exists and the amount in controversy exceeds $5 million. However, courts dismiss a large portion of these data breach actions because plaintiffs lack a cognizable injury in fact, which is a requirement for Article III standing.

The Supreme Court has not yet set a uniform standard for what constitutes injury in the context of data breaches. As a result, there is a circuit split as to how much injury is sufficient. This split largely centers around whether increased risk of identity theft or fraud and, more recently, “sorting-things-out” costs and monitoring expenditures are sufficient to constitute an injury. But even if an action is dismissed in federal court for lack of Article III standing, it may succeed in state court, which is not subject to the Article III standing requirement.

In the realm of data breaches, technology is progressing rapidly; consequently, there is a lag time between the progress of technology and progress of the law. Because legislatures are slow to act and generally want a consensus to develop in the public or industry before writing protective measures into law, courts bear the burden of first impression, establishing a standard through case law on which the public can rely. This Note will offer a proposed standard for establishing injury under Article III’s standing requirement in federal court. Part I provides background on the requirements of standing under Article III in the context of data breach cases. Part II discusses statutory standing and the effect of a recent Supreme Court statutory standing case on data breach litigation. Part III sets forth a proposed standard for recognizing injury in data breach cases. Part IV explores what effects this proposed standard would have on data breach litigation.