Request InfoApply Now
Academic Programs
Online Executive Juris Doctor Degree
Online Juris Doctor Degree
Non-Degree Seeking Single Courses
California Bar Exam
California Law Degree
Admissions
Admissions Requirements
Technical Requirements
Who Should Attend Law School?
B&P 6061.7 Disclosure
Tuition and Fees
EJD and JD Students
Non-Degree Seeking Students
About The Law School
Accreditation
Contact Us
Informational Webinars and Events
Faculty
How Online Law School Works
FAQs About the Law School
Our Law School History
News and Media
Student Life
Academic Support
Career Services
Graduation
Law Library
Tech Support
Student Community
Student Satisfaction
Alumni
Alumni Resources
Alumni Success Stories
Blog
Careers
Constitutional Law
Dean's Column
Law Student Life
News and Commentary
Contact US

877-757-8189

Student Login

Request InfoApply Now
HomeblognewsDo Data Breach Victims Have Standing to Sue?
A visual representation of hacked data that includes words related to data breaches including: cyber attack, data breach, and system safety.
NEWS AND COMMENTARY

Do Data Breach Victims Have Standing to Sue?

June 28, 2019 | Purdue Global Law School

Given the growing frequency and scale of data breaches, most security analysts say it’s likely we all have had our personal information stolen or otherwise compromised at some point. The ability to seek redress for any damages caused by a data breach is far from clear-cut, however.

To date, most data breach litigation has turned on the question of standing—whether victims can demonstrate that they’ve suffered an actual injury, rather than merely being exposed to the possibility of an injury. Federal circuit courts have struggled with this issue, resulting in a circuit split with different courts delivering conflicting rulings.

Personal Data of Millions of Americans Exposed

There is good reason for a sense of urgency about settling the law, given the staggering number of data breaches. According to one report from Risk Based Security, 6,515 publicly disclosed data breaches in 2018 exposed more than 5 billion records. It appears as though nearly that many records have been exposed already this year in a number of breaches involving health care organizations, state agencies, the Fortnite video game, Facebook, the Federal Emergency Management Agency, Dow Jones, and many others.

In April, a team of Israeli security researchers discovered an unprotected database on a Microsoft cloud server that exposed the personal information of roughly 65% of U.S. households. The 2017 Equifax breach is reported to have exposed the Social Security numbers, credit card numbers, addresses, phone numbers, and tax ID numbers of nearly 55% of adults in the U.S.

The number of laws and regulations designed to protect consumers against such threats has steadily increased. All 50 states as well as the District of Columbia, Puerto Rico, the Virgin Islands, and Guam have passed such legislation. These laws typically define what constitutes personally identifiable information along with data breach reporting requirements and penalties. Although no comparable legislation exists at the federal level, the Fair Credit Reporting Act (FCRA) establishes the obligation of certain financial institutions and creditors to detect, prevent, and mitigate identity theft.

Is There an ‘Injury’?

Nevertheless, the law remains unsettled about whether data breach victims have legal standing to sue companies that fail to protect their data. In Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992), the Supreme Court established the three elements required for constitutional standing:

  • The plaintiff must plead a “concrete and particularized” injury in fact that is “actual or imminent” and not merely “conjectural or hypothetical.”

  • The injury must be directly traceable to the action of the defendant and not the result of actions by a third party.

  • It must be likely, not merely speculative, that the injury will be redressed by a decision in favor of the plaintiff.

The Third, Sixth, Seventh, Ninth, and D.C. circuits have concluded that a data breach increases the risk of future harm from identity theft, and that risk is tangible enough to confer standing. In Dieffenbach v. Barnes & Noble, No. 17-2408 (7th Cir. 2018), the Seventh Circuit also found that allegations sufficient to confer standing also support claims of damages.

The First, Second, Fifth, and Eighth circuits have found that plaintiffs must allege actual harm in order to meet standing requirements. The Third and Fourth circuits have also held that the possibility of future injury is not sufficient to confer standing, but have allowed cases to proceed when plaintiffs pled actual harm.

A circuit split such as this is one of the main factors the Supreme Court considers when deciding whether to review a case. To date, however, the Court has declined to do so.

Supreme Court’s Failure to Resolve the Circuit Split

In Spokeo, Inc. v. Robins, 578 U.S. ___, 136 S. Ct. 1540 (2016), the Supreme Court found that the Ninth Circuit Court of Appeals had failed to fully analyze the requirements for standing in a data breach case. The Court “[took] no position as to whether the Ninth Circuit's ultimate conclusion—that Robins adequately alleged an injury in fact—was correct.” On remand, the Ninth Circuit found that the plaintiff’s allegations that Spokeo had violated the FCRA, 16 C.F.R. 681, constituted sufficient injury to satisfy standing requirements (Robins v. Spokeo, Inc., No. 11-56843 (9th Cir. 2017)).

The Supreme Court had an opportunity to clarify the matter when the defendant in Attias v. CareFirst, 865 F. 3d 620 (D.C. Cir. 2017), another data breach case, filed a petition for a writ of certiorari. The Court denied the petition in November 2017, leaving in place the D.C. Circuit’s finding that the plaintiffs had established constitutional standing. The D.C. Circuit remanded the case to the district court for further proceedings.

However, the findings by the D.C. district court on remand in Attias create new uncertainty for plaintiffs. CareFirst filed a motion to dismiss on the grounds that “plaintiffs’ alleged damages remain entirely speculative.” The judge found that while the mere risk of identity theft was sufficient to establish standing, the complaint did not support allegations of damages under state law. The plaintiffs have appealed this decision to the D.C. Circuit.

Learn More About the Cybersecurity Legal Field

Given the lack of clarity and the increasing economic and societal impact of data breaches, cybersecurity law looks to be a field that will grow for some time to come. Purdue Global Law School offers an online Executive Juris Doctor program with a law and technology track that provides advanced legal training on cybersecurity issues. Single courses in technology and the law are also available.

If you're interested in gaining a better understanding of cybersecurity law or working in the field of law and technology, explore Purdue Global Law School’s online Executive Juris Doctor degree and our single law and technology courses. You may also request more information today.

About The Author

Purdue Global Law School

Established in 1998, Purdue Global Law School (formerly Concord Law School) is Purdue University's fully online law school for working adults.

Filed In:
Notes and Conditions - Please read

Employment and Career Advancement: Purdue Global Law School cannot guarantee employment or career advancement.

JD Program: Study at, or graduation from, this law school may not qualify a student to take the bar examination or be admitted to practice law in jurisdictions other than California. A student who intends to seek admission to practice law in a jurisdiction other than California should visit Purdue Global’s State Licensure and Certifications page for state-specific requirements. Students are highly encouraged to confirm state requirements from the appropriate bar admissions office for their state of residence. 

EJD Program: Except as provided in rule 4.30 of the Admissions Rules (Legal education in a foreign state or country), completion of a professional law degree program at this law school other than for the Juris Doctor degree does not qualify a student to take the California Bar Examination or satisfy the requirements for admission to practice law in California. It may not qualify a student to take the bar examination or to satisfy requirements for admission to the practice of law in any other jurisdiction. A student who intends to seek admission to practice law should visit Purdue Global’s State Licensure and Certifications page for state-specific requirements. Students are highly encouraged to confirm state requirements from the appropriate bar admissions office for their state of residence.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

© 2024, Purdue Global, a public, nonprofit institution.