Access Denied Data Breach Litigation, Article III Standing, and a Proposed Statutory Solution

Abstract

As businesses and individuals increasingly rely on electronic technology to facilitate transactions, hackers have taken advantage of the data security systems intended to protect sensitive information. As a result, hackers have gained access to individuals’ personal identification and financial information. American law, however, has been slow to catch up to the threat posed by data security breaches in the modern age. Although breaches have become commonplace in the past decade, victims of data breaches are often denied their day in court. Instead, many federal courts hold that plaintiffs who sue companies for failing to adequately protect their private information lack Article III standing, the constitutional doctrine that requires plaintiffs to show an “injury-in-fact” in order to sue in federal court. While some jurisdictions hold that hackers having mere access to individuals’ information is sufficient to confer Article III standing, other jurisdictions dismiss plaintiffs’ cases unless the plaintiffs can demonstrate unreimbursed financial loss directly attributable to the data breach, a very high bar to show. The purpose of this Note is threefold. First, I analyze the existing split within the U.S. Courts of Appeals with regards to the correct theory of Article III standing to apply in data breach cases. The circuit split primarily involves disputes over the correct interpretation of Clapper v. Amnesty International, a 2013 U.S. Supreme Court case dealing with the “imminency” requirement of Article III standing’s injury-in-fact component. Second, I predict what the recent holding in Spokeo v. Robbins (2016) portends for data breach plaintiffs. Spokeo heightened the scrutiny that federal courts must place on the “concreteness” of injury in addition to the inquiry into “imminency.” Finally, I propose that the strict Article III standing requirements articulated by the Supreme Court in both Clapper and Spokeo necessitate action by Congress. I argue that Congress should pass a comprehensive data breach statute conferring statutory standing upon victims of data breach and show how a recent Third Circuit decision demonstrates the viability of a statutory solution.