The Million Dollar Question In Data Breach Lawsuits

The threshold question for determining if a consumer class action may proceed following a data breach is whether the plaintiffs have standing. For making that determination, the Supreme Court in the 1992 Lujan decision identified three criteria, the first of which, that the plaintiff must have suffered an “injury in fact,” has arguably been the most problematic and is the subject of this post from law firm Seyfarth. The Court’s 2016 decision in Spokeo, Inc. v. Robins provides some clarification by specifying that the harm must be concrete and particularized. However, as this post says, even with that decision “the question of how the future risk of harm fits in was left outstanding.” That question, as it turns out, is often crucial in cyber breach cases, because immediate financial harm may be absent or difficult to prove. 

Then, in June of this year, in TransUnion LLC v. Ramirez, the Supreme Court opined on the question more directly. In light of TransUnion, the writers look at the circuits that have most actively addressed risk of future harm and provide their take on the rulings.