Fear, Standing, & Speculation for Data Breach Victims

Future injury must be "certainly impending" in order to have standing

Justice Alito's 2013 majority opinion in Clapper v. Amnesty Int'l clearly laid down the Court's view on standing based on fear of future harm:

"We hold that respondents lack Article III standing because they cannot demonstrate that the future injury they purportedly fear is certainly impending and because they cannot manufacture standing by incurring costs in anticipation of non-imminent harm." Clapper v. Amnesty Int'l USA, 26–27 No. 11-1025. (U.S. Feb 26, 2013) (emphasis added).

Although Clapper involved facts that are very different from those in data breach cases--Clapper involved the Foreign Intelligence Surveillance Act--the Supreme Court made important points that apply to data breach victims seeking to obtain standing. After a data breach involving personally identifiable information, the affected individuals confront uncertainty and fear about the potential ways in which their personal information could be used fraudulently.

However, data breach victims may find it difficult to seek redress in the courts based on the longstanding principle of standing:

"To establish Article III standing, an injury must be 'concrete, particularized, and actual or imminent; fairly traceable to the challenged action; and redressable by a favorable ruling.'" Clapper v. Amnesty Int'l USA, 13 No. 11-1025. (U.S. Feb 26, 2013).

Specifically, in Clapper the Supreme Court reiterated that standing cannot be based on speculation about future actions: "We decline to abandon our usual reluctance to endorse standing theories that rest on speculation about the decisions of independent actors." Clapper v. Amnesty Int'l USA, 18 No. 11-1025. (U.S. Feb 26, 2013). Further, any harm must be "certainly impending," not just "objectively reasonable," in order for a potential plaintiff to suffer an injury sufficient to obtain standing. Clapper v. Amnesty Int'l USA, 13–14 No. 11-1025. (U.S. Feb 26, 2013).

Thus, as applied to data breach cases, the data thieves represent the "independent actors." Data breach victims often are left wondering how these independent actors will use their information.

In data breach cases before lower courts, many have remained consistent with the Clapper holding and disallowed standing. For example, district courts have found that future harm cannot be a basis for standing: "The majority of courts dealing with data-breach cases post-Clapper have held that absent allegations of actual identity theft or other fraud, the increased risk of such harm alone is insufficient to satisfy Article III standing." In re Zappos.com, Inc., 7 3:12-cv-00325-RCJ-VPC (D. Nev. Jun 01, 2015).

Specifically, incurring expenses after a data breach does not automatically qualify as a harm that would create standing: "Her assertion is one that claims injury for expenses incurred in anticipation of future harm, and is not sufficient for purposes of establishing Article III standing." Polanco v. Omnicell, Inc., 988 F.Supp.2d 451, 470–471 (D.N.J. 2013).

But some courts find standing, post-Clapper, despite the lack of misuse of stolen data if a plaintiff can show a "credible threat of harm":

"Courts in the Ninth Circuit, however, have held the opposite [i.e., allowed standing]. See In re Adobe Sys., Inc. Privacy Litig., ---F. Supp. 3d---, No. 13-cv-05226-LHK, 2014 WL 4379916, at *8 (N.D. Cal. Sept. 4, 2014) (finding standing where hacker "spent several weeks" in Adobe's servers collecting customers' information despite no allegations that the plaintiffs' data had been misused); In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942, 962 (S.D. Cal. 2014) (finding standing where the plaintiffs "alleged a 'credible threat' of impending harm" based on a data breach)." In re Zappos.com, Inc., 9 3:12-cv-00325-RCJ-VPC (D. Nev. Jun 01, 2015).

As a consequence of the lingering uncertainty, there are a few questions that courts must answer. The questions include the following:

  • What exactly does "certainly impending" mean regarding potential harm after a data breach?
  • And when does an injury resulting from a data breach become "certainly impending"?
  • What facts must be pleaded in these types of cases in order to obtain standing?
  • Does the harm begin immediately upon the data theft? Or must a concrete fraudulent use of the data occur first?
  • How does time factor into the equation of determining when harm is "certainly impending"? One district court remarked that a lengthy period after the breach without actual fraud is a factor that weighs against finding harm: "The years that have passed without Plaintiffs making a single allegation of theft or fraud demonstrate that the risk is not immediate." In re Zappos.com, Inc., 14 3:12-cv-00325-RCJ-VPC (D. Nev. Jun 01, 2015).

Practically speaking, what is happening here is that a longstanding constitutional principle--standing--is being applied to modern, technology-based injuries that may occur from data breaches. And we may continue to see some varying answers to these questions given the specific facts of each data breach case, until the Supreme Court analyzes the issue and provides additional guidance for these cases.