Academic journal article Defense Counsel Journal

Standing in the Midst of a Data Breach Class Action

Academic journal article Defense Counsel Journal

Standing in the Midst of a Data Breach Class Action

Article excerpt

IT'S among an in-house lawyer's greatest nightmares: a call from an employee in the company's information security department reporting anomalous and unauthorized activity in the company's databases. Over the next few days, the reality of the situation unspools quickly--often with inadvertent misinformation at several points along the way. The company has been attacked. Personally identifiable data of its customers or employees has been accessed and possibly exfiltrated by criminals.

Critical decisions must be made immediately, and those initial decisions may have severe implications for inevitable future class action lawsuits brought in response to the data breach or cyberattack. Should the company bring in outside forensic assistance? If so, which outside forensic firm offers the most credibility for the investigation? Should the company offer credit monitoring services? For how long? Through which provider? What mandated notice is required to regulators and affected individuals? How can the company minimize the P.R. damage? The list goes on and on.

Unfortunately, the scene above is playing out more and more frequently. Criminal cyberattacks are a very real danger for corporations (and even law firms). As a result, corporate counsel must grapple with an emerging new area of potential exposure for suits brought by individuals whose personal or financial data may have been affected.

A company's response in the immediate aftermath of a cyberattack or data breach, press releases, forensic investigations, notices to customers, offers of credit monitoring, and all the rest, is merely prelude. No matter how prompt and thorough a corporate victim's response to a data breach is, a breach of any discernible size will inevitably bring large-scale litigation. These cases nearly always take the form of a class action, where a handful of named plaintiffs seek to represent the interests of a purported class of alleged affected individuals seeking recovery for their personal or financial data potentially being compromised as a result of the breach.

As a threshold question, one might reasonably ask whether a cause of action even exists, given that the defendant corporations are, in nearly all cases, victims of a crime themselves. Indeed, in some cases, these cyberattacks are not merely crimes but acts of foreign espionage or foreign military conduct (1) Data breach cases thus create a conundrum where a company is both a victim and a defendant called to account in court for its victim status. Even so, corporations continue to face significant litigation following a cyberattack. Corporate counsel's first best chance to dispose of these cases is often by challenging plaintiffs' standing.

This article will thus focus primarily on Article III standing. There are numerous issues at play in data breach cases (discovery disputes, class certification, etc.), but the fight over standing is particularly salient because i) the landscape continues to mature and ii) a court's ruling on standing determines whether a case can proceed to the costly discovery and class certification stages. Moreover, despite nearly 15 of years of litigating this issue and two applicable Supreme Court rulings, the terrain remains uncertain.

I. Plaintiffs' Most Common Allegation in Support of Standing in Data Breach Litigation Is Heightened Risk of Future Harm

When purported data breach class action cases are filed in federal court the first battleground is likely to be whether the plaintiff class has standing to sue under Article III. Because the federal court system is one of limited jurisdiction, in order to sue in federal court Article III requires that plaintiffs have standing to be there. The constitutional minimum for standing contains three elements: a plaintiff must have suffered an injury-in-fact, the injury must be causally connected to the challenged action of the defendant, and the injury must be redressable by a favorable decision. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed


An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.