Data breach cases are popular targets for class actions these days because a single incident of hacking or theft can expose the sensitive personal or financial information of millions of people at a time. However, a key hurdle in these cases has been proof of harm sufficient to satisfy the Article III injury-in-fact standard for cases filed in the federal courts (or in state courts that apply a similar injury-in-fact standard). Recently, plaintiffs have been attempting to get around the standing problem by alleging that they had to incur credit monitoring fees or other out-of-pocket expenses due to a fear of identity theft.
Shannon Tan, associate corporate counsel for Raymond James Financial, Inc., in St. Petersburg, FL, recently authored an insightful article for the IAPP newsletter The Privacy Advisor, titled Supreme Court Wiretap Ruling Upholds Stringent Standing-To-Sue Requirements. Tan’s article discusses the potential impact of the Supreme Court’s decision in Clapper v. Amnesty International USA on the question of Article III standing in civil data breach cases. Tan points out that while Clapper is case involving alleged wiretapping by the government, it is likely to make it more difficult for plaintiffs to meet the Article III standing requirements in civil data breach cases because data breaches often don’t result in any immediate harm but only a threat of potential future harm. A threat of harm must be “certainly impending” to satisfy the Article III standard set forth in Clapper. This issue is exacerbated in the class action context, because even if some members of the class can prove actual harm, such as identity theft, it is a rare case where the plaintiff would have some common proof that identity theft occurred for all class members, a problem that recently doomed certification of a class action in In re Hannaford Bros. Co. Customer Data Security Breach Litigation.