2014 witnessed a proliferation of cyber security data breaches and resulting data breach litigation. Most class actions filed in the wake of a data breach assert injuries for increased risk of identity theft, fraudulent financial charges on credit cards, and costs incurred from having to enroll in third-party credit-monitoring services. But realistically, not every data breach results in an injury. Article III standing can be a significant defense for disposing security data breach claims in the relatively early stages of litigation.
Standing derives from Article III of the U.S. Constitution, which limits the powers of the federal judiciary to the resolution of “cases” and “controversies.” U.S. Const. Art. III, §2. To maintain a lawsuit, every plaintiff must plead and ultimately prove that he or she has suffered sufficient injury to satisfy the “case or controversy” requirement. At the pleading stage, a plaintiff must allege: (1) an injury-in-fact that is concrete and particularized, as well as actual or imminent; (2) that the injury is fairly traceable to the challenged action of the defendant; and (3) that the injury can be remedied by a favorable ruling. If the plaintiff cannot satisfy this criteria, the claim must be dismissed. This article discusses some recent data breach decisions that address standing.