In this electronic age, rarely a day goes by without hearing of a cybersecurity incident which has resulted in data being lost, stolen or compromised. Amid the onslaught of data breach reports from around the world, companies are learning just how devastating a breach can be—not only from a reputational standpoint but due to the litany of regulatory and private litigations that may ensue following the breach. While the law in data breach litigation is still developing, it is becoming increasingly clear that defendants are more likely to have a private lawsuit dismissed if they can argue that the only harm alleged from a data breach is hypothetical future harm. The Supreme Court’s recent decision in Clapper v. Amnesty Int’l, moreover, casts further doubt on standing in data breach cases where the only harm alleged is speculative.

Data Breach Cases Involving Allegations of Future Harm

The data breach cases brought to date by private litigants have generally involved hackers gaining access to a company’s database, theft or loss of a company’s unencrypted laptop computer or backup tapes, or claims that a company failed to properly safeguard data before any data was actually lost or stolen. Where actual harm is sufficiently alleged—such as identity theft or fraudulent charges—a claim is more likely to proceed.

In Lone Star Nat’l Bank v. Heartland Payment Systems for example, the court allowed negligence and contract claims to proceed following a breach of credit card processor data when issuer banks alleged they incurred costs associated with replacing compromised cards and reimbursing customers for fraudulent charges.

And in Resnick v. Avmed, plaintiffs sued after two unencrypted company laptops were stolen and plaintiffs became victims of identity theft; the court found that plaintiffs had standing to sue because the complaint “specifically alleged that plaintiffs’ suffered financial injury” and the alleged injury was fairly traceable to defendants’ conduct.

In the absence of actual identity theft or other quantifiable harm, however, the majority of courts have held that the risk of future harm is insufficient to confer plaintiffs’ constitutional standing under Article III, which requires an injury to be “concrete, particularized and actual or imminent; fairly traceable to the challenged action, and redressable by a favorable ruling.” In those data breach cases where standing was established, moreover, plaintiffs have had difficulty surmounting the additional hurdle of showing requisite harm from the breach.

In Katz v. Pershing, for example, the plaintiff, on her behalf and others similarly situated, claimed a risk of future harm due to Pershing’s failure to protect sensitive nonpublic information in accordance with obligations under contract and consumer protection laws. The plaintiff alleged, among other things, that she was injured for purposes of standing based on expenditures made to protect against fraud, including the purchase of identity theft insurance and credit monitoring services. The Katz court held that the lack of an actual data breach was a “fatal” omission for a standing analysis and suggested that had a hacker actually misappropriated her data she would have satisfied “Article III's requirement of actual or impending injury.” Critically, the court stated that to achieve standing, plaintiffs “must allege and show that they personally have been injured” and the complaint “does not contain an allegation that the plaintiff’s nonpublic personal information has actually been accessed by any unauthorized user.” See Anderson v. Hannaford Brothers Co. in which costs incurred by the store’s customers in obtaining replacement credit cards and identity theft insurance following a data breach were sufficient to confer standing under Maine law regardless of whether any fraud occurred.

Similarly, in Reilly v. Ceridian Corp., law firm employees on behalf of themselves and others similarly situated filed a complaint against Ceridian, a payroll processing firm, after an unknown hacker gained access to personal and financial information of Ceridian’s customers. Plaintiffs alleged an increased risk of identity theft, costs incurred to monitor their credit activity, and emotional distress as a result of the breach. The Reilly court affirmed the District Court’s opinion that allegations of “an increased risk of identity theft as a result of the security breach are hypothetical, future injuries and are therefore insufficient to establish standing” under Article III. As concerns the alleged time and money expenditures to monitor their financial information, the Reilly court concluded that “costs incurred to watch for a speculative chain of future events based on hypothetical future criminal acts are no more ‘actual’ injuries than the alleged increased ‘risk of injury’ which forms the basis for Appellants’ claims.”

Also, in Lambert v. Hartman, the Sixth Circuit—while not explicitly analyzing the issue—found that plaintiff, who had alleged both an actual financial loss as a result of identity theft and an increased risk of additional, future identity theft, had standing only to bring claims for her actual financial injuries. The court stated that the risk of future identity theft was “somewhat ‘hypothetical’ and ‘conjectural’” and thus insufficient to confer standing. See also Hammond v. Bank of New York Mellon Corp., concluding that plaintiffs lacked standing in a data breach case because their claims are “future-oriented, hypothetical and conjectural”; and Allison v. Aetna, Inc., in which the court found that plaintiff, who did not allege receipt of phishing e-mails or other misuse of data following the breach of a job notification website, lacked standing.

Despite these holdings, some courts have found that plaintiffs have Article III standing in data loss cases for future harm while then dismissing such cases because plaintiffs had not established damages. In Pisciotta v. Old Nat’l Bancorp, for instance, plaintiffs sought compensation for costs of past and future credit-monitoring services following a data breach. The Seventh Circuit held that “the injury-in-fact requirement can be satisfied by a threat of future harm or by an act which harms the plaintiff only by increasing the risk of future harm that the plaintiff would have otherwise faced, absent the defendant’s actions.” With respect to damages, however, the Pisciotta court “declined to adopt a ‘substantive innovation’ in state law” because “without more than allegations of increased risk of future identity theft, the plaintiffs have not suffered a harm that the law is prepared to remedy.” See also Caudle v. Towers, Perrin, Forster & Crosby, Inc., following Pisciotta to find that the risk of future identity theft or fraud after a security breach was sufficient to confer standing but concluding plaintiffs “have not suffered a harm that the law is prepared to remedy.”

In Krottner v. Starbucks Corp., the court followed the standing analysis in Pisciotta and allowed the claims to proceed without analyzing whether plaintiffs sufficiently alleged damages. In that case, current and former Starbucks employees whose names, addresses and Social Security numbers were stored on a laptop that was stolen from Starbucks alleged the company acted negligently and breached an implied contract. Plaintiffs suffered no financial loss from the theft but alleged they had been “extra vigilant” about monitoring their bank and 401(k) accounts and had generalized anxiety and stress regarding the situation. The Ninth Circuit held plaintiffs “suffered an injury sufficient to confer standing under Article III” due to “a credible threat of real and immediate harm stemming from the theft of a laptop containing their unencrypted personal data.”

The Standing Analysis in Clapper v. Amnesty

As demonstrated above, while courts have mostly found that an increased risk of harm such as potential identity theft is insufficient to confer standing or establish damages, the law in this area remains unsettled. The Supreme Court’s recent decision in Clapper v. Amnesty Int’l, however, may make it more difficult for plaintiffs who fail to allege concrete harm following a data breach to see their day in court.

In Clapper, the court considered whether respondents had standing to challenge section 1881a of the Foreign Intelligence Surveillance Act based on assertions that there is an “objectively reasonable likelihood” that their communications will be intercepted at some point in the future. Respondents alternatively argued that they were injured-in-fact “because the risk of a §1881a-authorized surveillance already has forced them to take costly and burdensome measures to protect the confidentiality of their international communications.” The Clapper court rejected respondents’ standing arguments, explaining that Article III standing requires the threatened injury to “be certainly impending to constitute an injury in fact” and that “allegations of possible future injury are not sufficient.” Because it was speculative whether the government would imminently target communications to which respondents are parties, the court found respondents lacked standing. In so ruling, the court stated that “we decline to abandon our usual reluctance to endorse standing theories that rest on speculation about the decisions of independent actors.”

Although the facts of Clapper did not involve a data breach, the reasoning and language of the opinion give fuel for defendants to argue that the risk of future harm in data breach cases is insufficient for purposes of Article III standing.

As set forth above, with the exception of a few cases, private lawsuits involving data breaches where there is no concrete injury have not had much traction due to the difficulty of quantifying the harm of a privacy violation in a legally cognizable way.

The Supreme Court’s ruling in Clapper may make it more difficult for such cases to proceed. Until this issue is settled, there will likely be forum shopping and forum selection clauses in contracts to help potential litigants prosecute or defend such cases.

Written By

Dana Post, CIPP/E

