Corporate data breaches continue to proliferate and typically trigger consumer class action lawsuits alleging that the breach compromised the plaintiffs’ personal and/or financial information. The threshold question in many of these consumer data breach actions is whether the consumer plaintiffs have plausibly alleged an actual harm sufficient to establish standing to sue in federal court under Article III of the Constitution.
Courts have recently reached different conclusions on this question, often relying on one or both of the U.S. Supreme Court’s recent decisions on Article III standing, neither of which concerned data breach claims: Clapper v. Amnesty International USA,133 S. Ct. 1138 (2013) and Spokeo v. Robins. Spokeo, 136 S. Ct. 1540 (2016). Divergent holdings on standing in the data breach context sometimes reflect materially different facts, though they sometimes reflect varying applications of Supreme Court precedent to data breach cases—i.e., opposing views of the standard for actual injury or a reasonable risk of future harm sufficient to create standing to bring a data breach claim. Recently, the U.S. Court of Appeals for the Second Circuit weighed in on the standing question, holding in Whalen v. Michaels Stores that the plaintiff in that consumer data breach action did not allege injury sufficient to satisfy the constitutional standing requirement. 2017 WL 1556116 (2d Cir. May 2, 2017).
