Data Breaches, Identity Theft and Article III Standing: Will the Supreme Court Resolve the Split in the Circuits

47 Pages Posted: 18 Feb 2016 Last revised: 24 Mar 2017

See all articles by Bradford C. Mank

Bradford C. Mank

University of Cincinnati - College of Law

Date Written: March 23, 2017

Abstract

In data breach cases, the plaintiff typically alleges that the defendant used inadequate computer security to protect the plaintiff’s personal data. In most, but not all cases, the plaintiff cannot prove that a hacker or thief has actually used or sold the data to the plaintiff’s detriment. In most cases, a plaintiff alleges that the defendant’s failure to protect their personal data has caused them damages by increasing their risk of suffering actual identity theft in the future and therefore imposed costs on the plaintiff when he reasonably takes measures to prevent future unauthorized third-party data access by purchasing credit monitoring services.

In data breach cases, the lower federal courts have split on the question of whether the plaintiffs meet Article III standing requirements for injury and causation. In its 2013 decision Clapper v. Amnesty International USA, the Supreme Court, in a case involving alleged electronic surveillance by the U.S. government’s National Security Agency, declared that a plaintiff alleging that it will suffer future injuries from a defendant’s allegedly improper conduct must show that such injuries are “certainly impending.” Since the Clapper decision, a majority of the lower federal courts addressing “lost data” or potential identity theft cases in which there is no proof of actual misuse or fraud have held that plaintiffs lack standing to sue the party who failed to protect their data. But a significant minority of lower court decisions have disagreed that the Clapper decision requires denial of standing in data breach cases in which there is no proof of present harm because a footnote in Clapper acknowledged that the Court had sometimes used a less strict “substantial risk” test when plaintiffs allege that a defendant’s actions increase their risk of future harm.

Demonstrating its concern for digital privacy, the Court in Riley v. California recently required police to obtain a Fourth Amendment warrant before examining the digital data on the cell phones of arrested suspects. It would be easy for courts to distinguish the government’s seizure of digital data from arrestee’s in Riley from a third party’s hacking of data from a retailer or employer. The Riley decision involves Fourth Amendment warrant issues that are not relevant to private data breach cases. Yet in both cell phone seizure cases and data breach cases, there is the common concern that vast amounts of personal data are often at stake. The new privacy concerns in a digital age should lead the Supreme Court to take a broader view of standing in data breach cases. It is also possible that the Court will follow the Seventh Circuit’s Remijas decision to distinguish between cases where there is only a possible risk of theft from those where actual harm has occurred to some plaintiffs.

Keywords: Article III, standing, data breach, identity theft, privacy, injury, causation

JEL Classification: K10, K40, K41

Suggested Citation

Mank, Bradford C., Data Breaches, Identity Theft and Article III Standing: Will the Supreme Court Resolve the Split in the Circuits (March 23, 2017). Notre Dame Law Review, Vol. 92, pg. 1323 2017, U of Cincinnati Public Law Research Paper No. 16-04, Available at SSRN: https://ssrn.com/abstract=2730798

Bradford C. Mank (Contact Author)

University of Cincinnati - College of Law ( email )

P.O. Box 210040
Cincinnati, OH 45221-0040
United States
513-556-0094 (Phone)
513-556-1236 (Fax)

Do you have negative results from your research you’d like to share?

Paper statistics

Downloads
219
Abstract Views
1,238
Rank
253,806
PlumX Metrics