Life is Short. Go to Court: Establishing Article III Standing in Data Breach Cases – Note by Megan Dowty

From Volume 90, Number 3 (March 2017)


This is the digital age. As “the ratings machine, DJT [Donald J. Trump],” says, “all I know is what’s on the internet,” or “the cyber,” as he calls it. People’s use of and dependency on the Internet has made data breaches a serious and widespread threat to people’s privacy and security. In 2016, there were 1,093 data breaches, up from 780 in 2015. 75.6% of companies suffered at least one successful attack. Essentially “there are only two types of companies left in the United States, according to data security experts: ‘those that have been hacked and those that don’t know they’ve been hacked.’”

Major companies such as LinkedIn, Target, Ebay, Yahoo, Anthem, and Ashley Madison have been subject to data breaches, and subsequently to lawsuits. Not only can data breaches threaten people’s financial security, but breaches like Ashley Madison’s—a dating site whose slogan up until July 2016 was “Life is Short. Have an Affair”—can threaten people’s home lives and shatter careers. The government is not immune to dangerous cyber attacks either. Both the U.S. Office of Personnel Management and the Democratic National Committee (“DNC”) have suffered breaches. Presidential candidate Hillary Clinton’s e-mails were leaked as part of the DNC breach, which became a source of controversy throughout her campaign. Further, the U.S. intelligence community has concluded that the hack was tied to and possibly directed by the Russian government, which sets a troubling precedent for future hacks by hostile foreign governments.

Plaintiffs whose information has been exposed due to a company data breach have attempted to sue the hacked companies storing their information based on causes of action such as negligence, breach of contract, unjust enrichment, breach of fiduciary duty, unfair and deceptive business practices, invasion of privacy, violation of the federal Fair Credit Reporting Act (“FCRA”), and violations of various state consumer protection and data breach notification laws.

Data breach actions are expected to be the “next wave” of class actions. Typically plaintiffs try to bring these claims as class actions because of the large number of plaintiffs and small amount of damages involved. Most data breach actions are brought in federal court based on the Class Action Fairness Act, 28 U.S.C. § 1332(d) (2012), which extends federal diversity jurisdiction to all class actions in which minimal diversity exists and the amount in controversy exceeds $5 million. However, courts dismiss a large portion of these data breach actions because plaintiffs lack a cognizable injury in fact, which is a requirement for Article III standing.

The Supreme Court has not yet set a uniform standard for what constitutes injury in the context of data breaches. As a result, there is a circuit split as to how much injury is sufficient. This split largely centers around whether increased risk of identity theft or fraud and, more recently, “sorting-things-out” costs and monitoring expenditures are sufficient to constitute an injury. But even if an action is dismissed in federal court for lack of Article III standing, it may succeed in state court, which is not subject to the Article III standing requirement.

In the realm of data breaches, technology is progressing rapidly; consequently, there is a lag time between the progress of technology and progress of the law. Because legislatures are slow to act and generally want a consensus to develop in the public or industry before writing protective measures into law, courts bear the burden of first impression, establishing a standard through case law on which the public can rely. This Note will offer a proposed standard for establishing injury under Article III’s standing requirement in federal court. Part I provides background on the requirements of standing under Article III in the context of data breach cases. Part II discusses statutory standing and the effect of a recent Supreme Court statutory standing case on data breach litigation. Part III sets forth a proposed standard for recognizing injury in data breach cases. Part IV explores what effects this proposed standard would have on data breach litigation.




Making Sense of Legislative Standing – Article by Matthew I. Hall

From Volume 90, Number 1 (November 2016)

Legislative standing doctrine is neglected and under-theorized. There has always been a wide range of opinions on the Supreme Court about the proper contours of legislative standing doctrine and even about whether the Court should adjudicate disputes between the other two branches at all. Perhaps owing to these disagreements, the full Court has never articulated a clear vision of the doctrine. While the Court has managed to resolve some cases, it has not achieved the consensus necessary to provide a comprehensive and coherent account of critical doctrinal issues such as what type of injury can give rise to legislative standing and which legislative injuries may support litigation by legislators, as opposed to by a legislative institution. Thus, the so-called “legislative standing doctrine” is less a doctrine than a loosely organized collection of ad hoc results in cases.

For many years, these deficiencies hardly mattered. Legislative standing cases were so rare that the lack of a clear approach to identifying which litigants could assert which legislative injuries caused no great embarrassment. But there has been a dramatic uptick during the Obama administration in the frequency of litigation between Congress and the President. In just the past four terms, the Court has decided three cases raising legislative standing issues, and another one is undoubtedly on the way: in September 2015, the District Court for the District of Columbia granted standing to the House of Representatives to sue over the President’s implementation of the Affordable Care Act (“ACA”). The uncertainty in the doctrine is thus long overdue for correction.

This Article provides that correction. First, it develops an original typology of legislative injury, detailing all the varieties of “injury” that might afflict legislators, legislatures, and other legislative litigants, and illustrating each with examples from past legislative standing cases. Second, it articulates a method for determining which legislative injuries may be asserted by individual legislators, and which require the participation of a full chamber, or both chambers acting bicamerally. Finally, it illustrates this model by applying it to the Court’s recent forays into legislative standing and the pending ACA litigation.