The U.S. Supreme Court may finally weigh in on the hottest issue in data breach litigation, whether a demonstration of actual harm is required to have standing to sue. Standing to sue in a data breach class action suit, largely turns on whether plaintiffs establish that they have suffered an “injury-in-fact” resulting from the data breach. Plaintiffs in data breach class actions are often not able to demonstrate that they have suffered financial or other actual damages resulting from a breach of their personal information. Instead, plaintiffs will allege that a heightened “risk of future harm” such as identity theft or fraudulent charges is enough to establish an “injury-in-fact”.
Federal circuits court over the past few years have struggled with the question whether plaintiffs in a data breach class action can establish standing if they only allege a heightened “risk of future harm”. For example, the 3rd, 6th, 7th, 11th, and D.C. circuits have generally found standing, while the 1st, 2nd, 4th, 5th, 8th and 9th circuits have generally found no standing where a plaintiff only alleges a heightened “risk of future harm”. This circuit court split is in large part to due to lack of clarity following the U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins which held that even if a statute has been violated, plaintiffs must demonstrate that an “injury-in-fact” has occurred that is both concrete and particularized, but which failed to clarify whether a “risk of future harm” qualifies as such an injury.
The U.S. Supreme Court may finally weigh in on the status of standing in data breach litigation this term, in Frank v. Gaos. The Court recently requested supplemental briefs addressing whether any of the name plaintiffs has standing such that federal courts have Article III jurisdiction over the dispute. The Court’s request is particularly notable, as the issue before the Court was not initially focused on standing. Although Frank is not a classic data breach case, rather a privacy class action settlement based on unauthorized sharing of website search terms to third-parties, it may still provide the Court an opportunity to resolve the circuit split and issue further guidance on standing in data breach litigation.
Similarly, the Illinois Supreme Court recently held that actual harm was not required to sue under the Illinois Biometric Information Privacy Law (“BIPA”), likely to increase the already large number of suits, including putative class actions, filed under the law. It goes without saying that the U.S. Supreme Court’s decision in Frank v. Gaos could have significant impact on data breach class action lawsuits.