[BreachExchange] Standing In Data Breach Litigation: Will The U.S. Supreme Court Weigh In?

Destry Winant destry at riskbasedsecurity.com
Thu Feb 14 09:27:45 EST 2019


https://www.jdsupra.com/legalnews/standing-in-data-breach-litigation-will-77180/

The U.S. Supreme Court may finally weigh in on the hottest issue in
data breach litigation, whether a demonstration of actual harm is
required to have standing to sue. Standing to sue in a data breach
class action suit, largely turns on whether plaintiffs establish that
they have suffered an “injury-in-fact” resulting from the data breach.
Plaintiffs in data breach class actions are often not able to
demonstrate that they have suffered financial or other actual damages
resulting from a breach of their personal information. Instead,
plaintiffs will allege that a heightened “risk of future harm” such as
identity theft or fraudulent charges is enough to establish an
“injury-in-fact”.

Federal circuits court over the past few years have struggled with the
question whether plaintiffs in a data breach class action can
establish standing if they only allege a heightened “risk of future
harm”.  For example, the 3rd, 6th, 7th,  11th, and D.C. circuits have
generally found standing, while the 1st, 2nd, 4th, 5th, 8th and 9th
circuits have generally found no standing where a plaintiff only
alleges a heightened “risk of future harm”. This circuit court split
is in large part to due to lack of clarity following the U.S. Supreme
Court’s decision in Spokeo, Inc. v. Robins which held that even if a
statute has been violated, plaintiffs must demonstrate that an
“injury-in-fact” has occurred that is both concrete and
particularized, but which failed to clarify whether a “risk of future
harm” qualifies as such an injury.

The U.S. Supreme Court may finally weigh in on the status of standing
in data breach litigation this term, in Frank v. Gaos. The Court
recently requested supplemental briefs addressing whether any of the
name plaintiffs has standing such that federal courts have Article III
jurisdiction over the dispute. The Court’s request is particularly
notable, as the issue before the Court was not initially focused on
standing. Although Frank is not a classic data breach case, rather a
privacy class action settlement based on unauthorized sharing of
website search terms to third-parties, it may still provide the Court
an opportunity to resolve the circuit split and issue further guidance
on standing in data breach litigation.

Similarly, the Illinois Supreme Court recently held that actual harm
was not required to sue under the Illinois Biometric Information
Privacy Law (“BIPA”), likely to increase the already large number of
suits, including putative class actions, filed under the law. It goes
without saying that the U.S. Supreme Court’s decision in Frank v. Gaos
could have significant impact on data breach class action lawsuits.


More information about the BreachExchange mailing list