A day in court for data breach plaintiffs: preserving standing based on increased risk of identity theft after Clapper v. Amnesty International USA.

Author: Martecchini, Thomas
Position: NOTE

Following a data breach, consumers suffer an increased risk of identity theft because of the exposure of their personal information. Limited protection by data-breach statutes has made it difficult for consumers to seek compensation for these injuries and penalize the companies that fail to protect their information, leading consumers to bring common law claims in court. Yet courts have disagreed about whether an increased risk of identity theft qualifies as an injury-in-fact under Article III standing principles: the Seventh and Ninth Circuits have approved of increased risk standing, while the Third Circuit has rejected it. The Supreme Court has further clouded the issue with its recent examination of the injury-in-fact requirement in Clapper v. Amnesty International USA. This Note argues that courts should recognize increased risk standing in certain circumstances, even after Clapper, by applying a framework examining certain key factors in data breaches. It further contends that courts, in implementing this framework, should borrow certain elements from the damages analysis for common law claims to prevent the prompt dismissal of claims based on increased risk when considered on their merits.

TABLE OF CONTENTS

INTRODUCTION
I. A SPLIT IN APPROACHES TOWARD INCREASED RISK STANDING
  A. Standing Principles
  B. Increased Risk in Cases Decided Before Clapper
II. CLAPPER'S EFFECT IN THE DATA-BREACH CONTEXT
  A. Clapper's Place in the Article III Standing Framework
  B. District Courts' Conflicting Interpretations of Clapper
    1. Courts Adopting Clapper's Stricter Standard
    2. Courts Rejecting Clapper's Effect
    3. Resolution of Conflicting Approaches
III. PROBLEMS WITH IDENTIFYING AN APPROPRIATE STANDING FRAMEWORK
  A. Comparison to Medical-Monitoring and Environmental Cases
  B. Damages-Related Limitation
IV. PROPOSED STANDING FRAMEWORK
  A. Factor-Based Framework
  B. Preferred Method of Implementation
CONCLUSION

INTRODUCTION

We live in a world controlled more than ever before by the cybersphere. The amount of data stored on networks has increased exponentially in recent years, (1) changing the way people interact and conduct business. (2) Much of this data is personal information, which consumers must provide for even basic transactions. (3) As a result, "the intimate details of our lives"--addresses, birth dates, Social Security numbers, and credit card and bank account information--are now stored in online databases. (4)

Frequently exchanging personal information can lead to significant consequences. (5) As the amount of online data has increased, so have instances of computer hacking and theft of consumers' personal information. (6) Hacking incidents aside, breaches often follow simple mistakes by employees. (7) As a result, breaches now occur several times a week. (8) Indeed, a recent report by an organization that compiles information about confirmed data breaches showed that the organization tracked a record number of breaches in 2014--18 percent higher than the previous record, and an increase of more than 27 percent from 2013. (9) Data breaches have thus risen to unprecedented levels during "the [d]ecade of the [d]ata [b]reach." (10)

In light of these broad risks, companies have had to fundamentally reorient their approaches to data security. Some have done just that, increasing investments in security technology or creating data-breach response plans. (11) But two factors reduce the impact of those changes on data breaches. First, failure to frequently review and update data-breach response plans often renders them ineffective. (12) Second, new technologies present new opportunities for data breaches, and companies may not be able to properly account for these developments. (13) Moreover, many other businesses still remain in denial about the threat of data breaches, either failing to implement any data-security changes or making only nominal modifications. (14)

Customers suffer enormous harms because of data breaches, including increased risk of identity theft. (15) They have a limited ability, however, to seek redress for these injuries or to compel businesses to provide better data security. There are no unified federal data-security regulations, so state breach-notification statutes are the primary means for holding businesses accountable for their role in the breaches. (16) Yet differences between the state requirements create a "patchwork" that varies by state, (17) making results unpredictable and inconsistent. This statutory scheme thus provides limited protection for consumers in the wake of data breaches.

As a result, consumers have increasingly turned to litigation against the companies responsible for protecting their information--from retail stores to data-storage companies--to address their injuries. These cases are usually class actions since individual consumers incur only small monetary damages. (18) Consumers may assert common law claims like negligence or breach of contract, or claims that arise under consumer-protection statutes. (19) Those claims are based on injuries related to consumers' increased risk of identity theft, with damages including costs for credit monitoring purchased to guard against identity theft. (20)

Courts have disagreed on whether increased risk of identity theft is an injury-in-fact sufficient to create standing, and the Supreme Court has not yet addressed the issue. Departing from an initial trend in district courts to deny standing based on increased risk, the Seventh and Ninth Circuits--in Pisciotta v. Old National Bancorp (21) and Krottner v. Starbucks Corp., (22) respectively--recognized standing based on increased risk. (23) The Third Circuit rejected that approach in Reilly v. Ceridian Corp., (24) which the Supreme Court appeared to indirectly approve through its discussion of future harm in Clapper v. Amnesty International USA. (25) Yet Clapper's applicability is unclear, given its different factual context. (26) Indeed, district courts apply Clapper to data-breach cases inconsistently, (27) clouding the future status of increased risk standing.

This Note argues that courts should adopt a framework to permit plaintiffs in certain data-breach cases to satisfy the injury-in-fact element of the standing analysis by alleging an increased risk of identity theft. Part I examines the purposes of the standing doctrine and the contrasting approaches to standing in Pisciotta, Krottner, Reilly, and similar district court cases. Part II contends that Clapper, when considered in light of Article III standing precedent, simply reiterated the existing standing inquiry instead of imposing stricter requirements. Part III identifies flaws in the current approach to increased risk standing in data-breach cases and contends that an appropriate framework should account for these problems. Part IV then proposes that courts--not Congress--resolve the post-Clapper split by adopting an analysis that focuses on the nature of the data breach and thus anticipates and avoids both of the concerns raised in Part III.

  I. A SPLIT IN APPROACHES TOWARD INCREASED RISK STANDING

    As plaintiffs have turned to litigation in response to data breaches, courts have disagreed on the appropriateness of increased risk standing. This Part examines that conflict in the broader context of Article III standing principles. Section I.A outlines the requirements of and broader purposes furthered by the standing doctrine. Section I.B then considers the trajectory of data-breach cases involving increased risk standing prior to Clapper.

    A. Standing Principles

      Article III of the Constitution limits courts' power by allowing them to decide only actual "Cases" or "Controversies." (28) The standing doctrine defines who can bring suit for a particular claim. (29) To establish standing, a plaintiff must satisfy the burden of proof for three elements. First, a plaintiff must have suffered an injury-in-fact, defined as "an invasion of a legally protected interest which is (a) concrete and particularized, and (b) 'actual or imminent, not "conjectural" or "hypothetical."'" (30) Second, the injury must have been caused by the defendant's actions. (31) Third, the injury must be likely to be redressed by a favorable decision. (32) Because courts treat Article III standing as an issue of subject-matter jurisdiction that persists through all stages of a case, (33) a court cannot reach the merits of a claim if a plaintiff fails to show any of these requirements. (34)

      The Court has characterized standing as "perhaps the most important" of the Article III "limits on federal judicial power." (35) The central purpose underlying the standing doctrine is the separation of powers--the idea that the Constitution reflects the "common understanding of what activities are appropriate to legislatures, to executives, and to courts." (36) Standing also allows courts to promote judicial efficiency by preventing frivolous lawsuits. (37) Standing principles thus do not proscribe judicial power, but rather confine it to areas in which courts have the most experience.

    B. Increased Risk in Cases Decided Before Clapper

      Standing has been a frequent concern in cases where data-breach plaintiffs have suffered an increased risk of identity theft. Yet, prior to Clapper, courts were unable to reach a consensus on how to treat increased risk as an injury-in-fact within the standing analysis.

      The first district courts to encounter increased risk found it insufficient to create standing. Key v. DSW Inc. (38) and Randolph v. ING Life Insurance & Annuity Co. (39) demonstrate the general approach taken by those courts. Key involved the unauthorized taking of personal financial information of the customers of a nationwide retail outlet. (40) The customers' substantial risk of identity theft was neither actual nor imminent since the customers' pleading did not establish any risk of future misuse of their information. (41) In Randolph, customers of an...
