What do Barnes & Noble, Neiman Marcus, Michael’s Stores, Inc., and P.F. Chang’s have in common? The answer is not what you might expect. It is that each of these businesses has fallen prey to cyber-attacks resulting in the theft of customer information.

By all accounts, the number of cyber-attacks is on the rise. These incidents are often the focus of significant media attention, but the media is not the only one paying attention.

A flood of data breach lawsuits has been filed in the wake of these well-publicized cyber-attacks. More often than not, these lawsuits are filed almost immediately after a data breach is reported, before any actual identity theft or other fraudulent activity has occurred. Whether the data theft will mature into misuse is often unknown at the time most of these lawsuits are filed, and this uncertainty fuels a growing legal debate over whether plaintiffs have constitutional standing to proceed with their data breach lawsuits.

At its most fundamental level, standing means that there is a case or controversy involving a plaintiff who has suffered an injury-in-fact. Actual injury, however, is not required. Over the years, federal courts have found standing to exist in the context of a future injury, but only under limited circumstances.

At the center of the data breach litigation storm is this very issue—what circumstances give rise to constitutional standing in the context of future injury in connection with a data breach. This inquiry turns on the meaning and impact of the United States Supreme Court decision in Clapper v. Amnesty, Inc., where the Supreme Court, in the context of a constitutional dispute involving a federal intelligence statute, stated that a future injury does not confer Article III standing unless the injury is “certainly impending.” These two words, “certainly impending,” seemingly displaced and abrogated earlier Seventh Circuit precedent standing for the proposition that a mere substantial risk of future injury was sufficient to confer Article III standing in the context of a data breach. 

Of course, if there were an actual injury at the time the data breach lawsuits were filed, the Clapper discussion would largely be irrelevant. The problem is that no one really knows what a cyber-thief may do after stealing information.

Since Clapper, the Northern District of Illinois has on five occasions addressed standing in the context of a data breach dispute. Four times, the district court, seemingly confined by Clapper, faithfully applied this decision and dismissed the lawsuits on the basis of lack of standing. Moreover, the court four times concluded that what may happen in the future with stolen information is speculation that cannot support Article III standing.

However, two of these decisions are currently winding their way through the appellate process in the Seventh Circuit. These appeals challenge the district court’s application of Clapper and argue that this decision did not invalidate earlier Seventh Circuit precedent. They support this contention, in part, with later Supreme Court authority that appeared to acknowledge that a substantial risk of future harm can confer standing.  

Thus, the Seventh Circuit is now poised to address the Article III constitutional standing analysis in the context of a data breach, answer the question of whether the “certainly impending” standard is the exclusive standard for determining Article III standing and, if not, announce the applicable standard. 

What will the Seventh Circuit do with this appeal? Well, recently, in Otrompke v. Hill, based on Supreme Court authority subsequent to Clapper, the Seventh Circuit stated “[w]hen an injury is threatened in the future, the risk of harm must be substantial and more than speculative.” On the surface, this statement appears to adopt the view of the data breach plaintiffs. But is this alternative standard really any less rigorous? That will be the heart of a compelling Seventh Circuit opinion that may open the floodgates to data breach litigation.