Standing in Data Breach Cases
November 30, 2016
Many data breach and cybersecurity cases have faltered for failure to establish concrete harm necessary to support standing when personally identifiable information has been accessed but no actual harm can be demonstrated. It was hoped that the Supreme Court’s decision in Spokeo, Inc. v. Robins would resolve a split in the courts over what injury was sufficient to support Article III standing. Unfortunately, the split has continued.
Under separation of powers, the legislative branch cannot create standing out of whole cloth, but it can create a right and provide statutory damages as a remedy. Some courts in post-Spokeo cases have indeed found standing in cases where the claim alleged entitlement to damages based on a statutory violation, but no additional harm.
In looking at the standing issue, courts need to examine both the purpose of the statute and the tradition of common law to determine whether the legislature is properly exercising its function or intruding on the judicial branch’s role.
General counsel must remain vigilant to the threat of data breach litigation, and that fact remains unchanged after Spokeo. In the context of data breach litigation, where Congress (or a state legislature) has determined that access to, or disclosure of, data, without further proof of misuse and harm has caused a concrete risk of harm, there is a real risk that standing will be found – particularly in light of the common law tradition of a right to privacy.
Read full article at:
Daily Updates
Sign up for our free daily newsletter for the latest news and business legal developments.