By Miles L. Galbraith | 62 Am. U. L. Rev. 1365 (2013)
Today, information is largely stored and transmitted electronically, raising novel concerns about data privacy and security. This data frequently includes sensitive personally identifiable information that is vulnerable to theft and exposure through illegal hacking. A breach of this data leaves victims at a heightened risk of future identity theft. Victims seeking to recover damages related to emotional distress or money spent protecting their identities and finances are often denied Article III standing to pursue a claim against the entity charged with protecting that data. While the U.S. Court of Appeals for the Seventh Circuit in Pisciotta v. Old National Bancorp and the U.S. Court of Appeals for the Ninth Circuit in Krottner v. Starbucks Corp. recognized standing even when harm was limited to the increased risk of identity theft, the U.S. Court of Appeals for the Third Circuit in Reilly v. Ceridian Corp. split with its sister courts and denied standing for data breach victims, citing a lack of injury-in-fact.
The Reilly court’s application of the standing doctrine creates an unreasonable barrier for injured plaintiffs to reach the merits of theircases. The circuit split should be resolved in favor of conferring standing for those who suffer a threat of future harm. Data breach plaintiffs’ standing should be recognized, just as the plaintiffs’ standing in “latent harm” tort law cases is recognized, because the increased risk of future harm in defective medical device, toxic substance exposure, and environmental injury cases is logically analogous and applicable to the increased risk of harm in data breach cases. In addition, the Supreme Court’s original purpose of the standing doctrine supports acknowledging that the risk created by a data breach and the resulting expenses to protect against identity theft constitute a real, present, particularized injury worthy of justiciability.