Access Denied: Data Breach Litigation, Article III Standing, and a Proposed Statutory Solution

By Patrick Lorio

As businesses and individuals increasingly rely on electronic technology to facilitate transactions, hackers have taken advantage of the weaknesses of data security systems intended to protect sensitive information. As a result, hackers have gained access to individuals’ personal and financial information. American law, however, has been slow to catch up to the threat posed by data security breaches. Although breaches have become commonplace in the past decade, victims of data breaches are often denied their day in court. Instead, many federal courts find that plaintiffs who sue companies for failing to adequately protect their private information lack Article III standing, the constitutional doctrine that requires plaintiffs to show an “injury-in-fact” in order to sue in federal court. While some jurisdictions hold that hackers having access to individuals’ information is sufficient to confer Article III standing, other jurisdictions dismiss plaintiffs’ cases unless the plaintiffs can demonstrate unreimbursed financial loss directly attributable to the data breach, a very high bar to reach.

The purpose of this Note is threefold. First, I analyze the existing split within the U.S. Courts of Appeals with regard to the correct theory of Article III standing to apply in data breach cases. The circuit split primarily involves disputes over the correct interpretation of Clapper v. Amnesty International, a 2013 U.S. Supreme Court case dealing with the “imminency” requirement of Article III standing’s injury-in-fact component. Second, I predict what the recent holding in Spokeo v. Robins (2016) portends for data breach victims. Spokeo heightened the scrutiny that federal courts must place on the “concreteness” of injury in addition to the inquiry into “imminency.” Finally, I propose that the strict Article III standing requirements articulated by the Supreme Court in both Clapper and Spokeo necessitate action by Congress. I argue that Congress should pass a comprehensive data breach statute that would confer standing upon victims of data breach. I conclude by showing how a recent Third Circuit decision demonstrates the viability of a statutory solution to the problem encountered by data breach victims.
