July 22, 2019

July 19, 2019

Subscribe to Latest Legal News and Analysis

Standing in Data Breach Litigation: Will the U.S. Supreme Court Weigh In?

The U.S. Supreme Court may finally weigh in on the hottest issue in data breach litigation, whether a demonstration of actual harm is required to have standing to sue. Standing to sue in a data breach class action suit, largely turns on whether plaintiffs establish that they have suffered an “injury-in-fact” resulting from the data breach. Plaintiffs in data breach class actions are often not able to demonstrate that they have suffered financial or other actual damages resulting from a breach of their personal information. Instead, plaintiffs will allege that a heightened “risk of future harm” such as identity theft or fraudulent charges is enough to establish an “injury-in-fact”.

Federal circuits court over the past few years have struggled with the question whether plaintiffs in a data breach class action can establish standing if they only allege a heightened “risk of future harm”.  For example, the 3rd6th, 7th,  11th, and D.C. circuits have generally found standing, while the 1st2nd4th5th8th and 9th circuits have generally found no standing where a plaintiff only alleges a heightened “risk of future harm”. This circuit court split is in large part to due to lack of clarity following the U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins which held that even if a statute has been violated, plaintiffs must demonstrate that an “injury-in-fact” has occurred that is both concrete and particularized, but which failed to clarify whether a “risk of future harm” qualifies as such an injury.

The U.S. Supreme Court may finally weigh in on the status of standing in data breach litigation this term, in Frank v. Gaos. The Court recently requested supplemental briefs addressing whether any of the name plaintiffs has standing such that federal courts have Article III jurisdiction over the dispute. The Court’s request is particularly notable, as the issue before the Court was not initially focused on standing. Although Frank is not a classic data breach case, rather a privacy class action settlement based on unauthorized sharing of website search terms to third-parties, it may still provide the Court an opportunity to resolve the circuit split and issue further guidance on standing in data breach litigation.

Similarly, the Illinois Supreme Court recently held that actual harm was not required to sue under the Illinois Biometric Information Privacy Law (“BIPA”), likely to increase the already large number of suits, including putative class actions, filed under the law. It goes without saying that the U.S. Supreme Court’s decision in Frank v. Gaos could have significant impact on data breach class action lawsuits.

Jackson Lewis P.C. © 2019

TRENDING LEGAL ANALYSIS


About this Author

Principal

Joseph J. Lazzarotti is a Principal in the Morristown, New Jersey, office of Jackson Lewis P.C. He founded and currently helps to co-lead the firm's Privacy, e-Communication and Data Security Practice, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals.

In short, his practice focuses on the matrix of laws governing the privacy, security and management of data, as well as the impact and regulation of social media. He also...

973- 538-6890
Attorney

Maya Atrakchi is the Knowledge Management (“KM”) Attorney for Jackson Lewis P.C.’s Privacy, e-Communication and Data Security and International Employment Issues Practice Groups, and is based in the New York City, New York, office of Jackson Lewis P.C.

212-545-4000