Standing is Key Issue in Cyber Lawsuits

A data breach plaintiff, like any federal plaintiff, must establish standing in order to survive a 12(b)(1) motion to dismiss. Traditionally, district courts have dismissed consumer suits for data breaches, reasoning that the plaintiffs could not prove actual harm, a requirement of standing that rests on a 2013 Supreme Court decision, Clapper v. Amnesty International USA.

Courts applying Clapper to data breach complaints have generally found that the damage frequently pleaded by the plaintiffs – the risk of future identity theft – is too speculative to support standing for a lawsuit.

Lower court rulings in the Target and Neiman Marcus data breach cases make it easier for consumer-plaintiffs to sue and succeed at the dismissal stage. Deviating from previous Clapper rulings, a Minnesota federal court held that a class of Target customers had standing to sue because they were temporarily unable to access money in their accounts. Target settled for $10 million.

In Neiman Marcus, the Seventh Circuit reversed a lower court and accepted standing based on allegations of future injury.

The question of standing under Clapper is only one of the important threshold class action lawsuit issues in play right now. Another is whether Congress may confer standing on a plaintiff who has suffered no specific harm but who alleges a violation of a federal statute.

Companies should continue to be aware of this evolving situation so that when breaches occur they are prepared to consider their options.