Risky Standing: Data Breach, Leaks, and Injury-in-Fact

Abstract

As personal data continues to be increasingly stored in electronic form, the risk of data breaches, and so the risk of identity theft, keeps pace. Victims of data breach may find the need to employ credit monitoring and other measures to reduce the damage threatened. But there is a circuit split as to whether such victims have standing to bring suit before the threatened identity theft has materialized, and whether, in particular, the increased risk of identity theft alone constitutes an injury-in-fact sufficient to confer Article III standing.This piece argues that standing should be denied. Part I provides background on probabilistic standing and describes the circuit split. Part II explores the authority that has been used to support standing, concluding that the analogies fail. It then considers the case for denying standing, concluding that the problem is a lack of statutory authority. Part III resolves the puzzles this conclusion creates.This is, perhaps, a lamentable result. Victims of data breach face increased risk of severe and irreparable harm. But that this may be a regrettable outcome does not entail that courts are the right place to turn for a solution — at least, not yet. Until and unless a statutory regime is created, the risk of injury-in-fact from mere data breach is not itself injury-in-fact, and, as such, is insufficient grounds for standing.