Data Breach Disputes and Constitutional Standing

August 28, 2017

University of Illinois College of Law

The Constitution is a centuries old document that provides the framework for our country.  Most people are familiar with the First Amendment and its protections for free speech.  Recently, people have also become interested in what an emolument is.  Today though, I will focus on the “standing” requirement in the Constitution and what it means in the digital world where information can become a weapon.

“Standing” refers to the language in Article III of the Constitution that gives federal courts the power to decide “cases and controversies.”  When a person has standing, it means they can sue over the topic in court.  The first requirement for standing is that the person have suffered an injury, and that injury must be actual or imminent.  It is not enough to say that you might be injured at some undetermined future time.

Standing issues come up frequently in lawsuits involving information-based injuries.  In 2013, in Clapper v. Amnesty International, the Supreme Court in a 5-4 opinion said that potential future data collection under the Foreign Intelligence Surveillance Act – FISA – was too speculative to be an injury for standing purposes.  Some lower courts have extended this reasoning to cases involving data breaches.  If your personal data has been compromised by a data breach, then is the risk of future identity theft too speculative an injury for establishing standing to bring a lawsuit?

This issue has created a split among federal appellate courts.  They disagree about whether people whose personal information is stolen have standing in federal court.  The Third Circuit, in an appeal from a federal court in New Jersey, said that the risk of future identity theft is too speculative.  A federal court in Nevada similarly decided that customers of a company that suffered a data breach lacked standing to bring a lawsuit.  Federal appellate courts in the Sixth and Seventh Circuits in appeals from Ohio and Illinois respectively have decided the same issue differently and concluded that data breach victims do have standing.  Most recently, an influential appeals court in Washington D.C. said the increased risk of identity theft was substantial and not speculative.  The courts that have found standing point to efforts that we might take if our personal information is compromised such as looking for fraudulent charges, obtaining new credit cards, and signing up to have our credit histories monitored.   

Some courts have noted that in the Clapper case, the data collection itself was speculative.  But that is not the case with a data breach where someone has already stolen your information.  However, what the persons who have stolen your data will eventually do with that information remains uncertain.

The split among the circuits is significant enough that the Supreme Court might have to weigh in.  So far, courts have been asking “Is an increased risk of identity theft enough of an injury to bring a case?” But maybe this is the wrong question.  Perhaps courts should reconsider what an injury looks like when it involves data.  Identity theft is obvious and has measurable economic impact, but what about other issues relating to data insecurity?  Should courts recognize a legal right for people to control information about themselves?  Are there things that you avoid doing because you would not want to risk your personal information?  Should it be considered a violation of this right for a company to not adequately protect your data? 

Data insecurity interferes with our ability to engage fully with emerging technologies.  Recognizing data insecurity as a legally addressable injury would fix the problem of standing for data breach victims.  More importantly, it would provide a flexible framework that could expand with technology.