Federal Class Actions for Data Breach – Who Can Sue?
One of the first things I noticed in law school was how preoccupied the courts seemed to be with finding reasons not to hear a case...
Before any case can be heard by a court, the plaintiff must establish that he or she has “standing” to sue in the first place. If the court finds you do not have standing, your case will be unceremoniously dismissed, and the court will probably be unhappy that you have wasted its time.
What does “standing” mean?
For a person to have “standing” to sue, it means that he or she has been in some way particularly aggrieved by the defendant, and the court has the ability to do something to redress the damage caused.
Under the federal constitutional standard there is a three-prong test for standing, which is as follows:
- The plaintiff has suffered an “injury-in-fact”;
- That injury-in-fact is “fairly traceable” to the defendant’s unlawful conduct; and
- The court has the ability to “redress” the injury.
Prongs two and three are not particularly hard standards to meet in data breach litigation. “Fairly traceable” does not mean proximate cause; it just means that there is a decent likelihood that the injury was caused by the data breach, even if that is not at all conclusive. “Redressability” is also usually not an issue in these cases, because the harm alleged is usually pecuniary in nature, and if it weren’t, the plaintiff probably wouldn’t bother with the action in the first place.
The standing issue in data breach usually hinges on whether or not a court finds that the plaintiff has suffered an “injury-in-fact.”
There is a lot of disagreement in the courts about what constitutes an injury-in-fact in data breach cases. The U.S. Supreme Court has generally not been very helpful, because its holdings are neither altogether clear nor very broad. This has left the decisions of the lower courts somewhat erratic, with decisions falling in line with either the conservative or liberal ideological majority of the particular court.
What is clear is that the mere potential of a data breach does not confer standing to sue. There has to at least be a breach. (Note: this is NOT the case with the FTC, which can come after you if it believes your cybersecurity program is sub-optimal, breach or no breach.)
Assuming there is an actual breach, the real question is whether the breach caused actual damage or whether the damage is merely possible. Actual harm will always get a plaintiff past the “injury-in-fact” hurdle, but where the harm is merely possible, the hurdle is far higher.
There are two schools of thought on the subject: the “broad view” and the “narrow view.”
The broad view: The broad view appears to be preferred in the Ninth Circuit and the Seventh Circuit. Under this view, it is enough that the defendant’s actions caused an increased risk of future harm.
The narrow view: The narrow view appears to be preferred by the Eighth Circuit and the Third Circuit. Under this view, there must be an imminent and “certainly impending” injury, with some concrete indication of harm, such as an attempt to open an account in the plaintiff’s name.
Given what exists of the Supreme Court’s thoughts on the subject, and the Court’s current ideological makeup, it is likely that the narrow view will win in the end. That being said, it is by no means certain that this will be the case, and the current trend in the lower courts is actually toward the broad view, which should concern any business that hasn’t taken very serious precautions. Furthermore, the threat environment is getting more dangerous and sophisticated, not less, so actual harm, or harm that is very likely imminent, is itself becoming more likely.
To be safe, or at least as safe as we can be, every organization needs to make sure its systems are locked down with highly effective technical and procedural controls that follow a comprehensive cybersecurity framework based on industry best practices.
Digital Edge’s cybersecurity team specializes in the many different ways to ensure the highest level of safety for our clients. With expertise in NIST, ISO, GDPR and every other major industry framework, our compliance team can provide services for implementing and maintaining a security program that stays in compliance with these standards.