Corporate data breaches continue to proliferate and typically trigger consumer class action lawsuits alleging that the breach compromised the plaintiffs' personal and/or financial information. The threshold question in many of these consumer data breach actions is whether the consumer plaintiffs have plausibly alleged an actual harm sufficient to establish standing to sue in federal court under Article III of the Constitution.

Courts have recently reached different conclusions on this question, often relying on one or both of the U.S. Supreme Court's recent decisions on Article III standing, neither of which concerned data breach claims: Clapper v. Amnesty International USA,133 S. Ct. 1138 (2013) and Spokeo v. Robins. Spokeo, 136 S. Ct. 1540 (2016). Divergent holdings on standing in the data breach context sometimes reflect materially different facts, though they sometimes reflect varying applications of Supreme Court precedent to data breach cases—i.e., opposing views of the standard for actual injury or a reasonable risk of future harm sufficient to create standing to bring a data breach claim. Recently, the U.S. Court of Appeals for the Second Circuit weighed in on the standing question, holding in Whalen v. Michaels Stores that the plaintiff in that consumer data breach action did not allege injury sufficient to satisfy the constitutional standing requirement. 2017 WL 1556116 (2d Cir. May 2, 2017).

Supreme Court Standards

In the 2013 Clapper decision, the Supreme Court reiterated that under Article III, plaintiffs must establish standing to sue by demonstrating an injury that is “concrete, particularized, and actual or imminent; fairly traceable to the challenged action; and redressable by a favorable ruling.” Equally importantly, the opinion clarified that “'threatened injury must be certainly impending to constitute injury in fact,' and that '[a]llegations of possible future injury' are not sufficient.”

Clapper addressed whether the respondents had standing to assert a constitutional challenge to §702 of the Foreign Intelligence Surveillance Act, which authorizes the Attorney General and the Director of National Intelligence, after obtaining the approval of the Foreign Intelligence Surveillance Court, “to acquire foreign intelligence information by jointly authorizing the surveillance of individuals who are not 'United States persons' and are reasonably believed to be located outside the United States.” The respondents were “attorneys and human rights, labor, legal, and media organizations whose work allegedly requires them to engage in sensitive and sometimes privileged telephone and email communications with colleagues, clients, sources, and other individuals located abroad” whom respondents believed to be likely targets of surveillance. Seeking a declaration that §702 is unconstitutional and a permanent injunction against authorized surveillance under the provision, the respondents advanced two theories of standing. First, the respondents claimed that “they can establish injury in fact because there is an objectively reasonable likelihood that their communications will be acquired under [§702] at some point in the future.” Second, the respondents asserted that they were suffering present injury, because the substantial risk of surveillance under §702 has already impelled them “to take costly and burdensome measures to protect the confidentiality of their international communications.”