Academic journal article Missouri Law Review

The Eighth Circuit Further Complicates Plaintiff Standing in Data Breach Cases

Academic journal article Missouri Law Review

The Eighth Circuit Further Complicates Plaintiff Standing in Data Breach Cases

Article excerpt

In re Super Valu, Inc., 870 F.3d 763 (8th Cir. 2017)

Kuhns v. Scottrade, Inc., 868 F.3d 711 (8th Cir. 2017)


Mass data breaches are a symptom of the digital era and occur with increasing frequency. In the past decade, nearly every sector of the economy has experienced a major breach of personal data, including finance, healthcare, retail, government, hospitality, media, and technology. (1) Breaches affect consumer data, government agencies, voting rolls, healthcare providers, scientific data, business records and trade secrets, attorney work-product, and nearly everything else digital. (2) Fiascos surrounding poor data stewardship at companies, like Facebook and Equifax, arc frequently featured in national media. (3)

As large data caches containing sensitive personally identifiable information continue to expand, the chances for a breach grow in kind. The potential harm from a breach varies depending on the type of data compromised. Breaches of the most sensitive data, such as social security numbers, embarrassing personal information, medical information, and bank account information, can lead to mass disruptions in people's lives. Breaches of less sensitive data, such as credit card information, online account login credentials, email addresses, home addresses, and phone numbers have less potential for direct harm but can have frustrating consequences for those whose data is compromised. No uniform federal law exists governing the legal duties of those who collect and store personally identifiable information ("PII"), and when a breach occurs, the difficulty in identifying actual harm or quantifying a remedy makes the appropriate legal response unclear.

In 2016, reported data breaches increased to a record 1,093 incidents--exposing over thirty-six million identified records. (4) Some estimates suggest that between eighty to ninety percent of Fortune 500 companies and government agencies have experienced a data security breach. (5) The proliferation of data breaches led one federal judge to note that "[t]herc are only two types of companies left in the United State[ according to data security experts: 'those that have been hacked and those that don't know they've been hacked.'" (6) Influential digital security expert Brian Krebs summed up the phenomenon in a blog post identifying the "immutable truths" about data breaches:

There are some fairly simple, immutable truths that each of us should
keep in mind, truths that apply equally to political parties,
organizations and corporations alike: [(1)] If you connect to the
Internet, someone will try to hack it. [(2)] If what you put on the
Internet has value, someone will invest time and effort to steal it.
[(3)] Even if what is stolen does not have immediate value to the
thief, he can easily find buyers for it. [(4)] The price he secures for
it will almost certainly be a tiny slice of its true worth to the
victim. [(5)] Organizations and individuals unwilling to spend a small
fraction of what those assets are worth to secure them against
cybercrooks can expect to eventually be relieved of said assets. (7)

Plaintiffs have brought hundreds of class action lawsuits against organizations that were responsible for maintaining customer PII and subsequently suffered a breach. (8) While data breach cases have been litigated in nearly every federal circuit court, each circuit has treated them differently with respect to standing and whether a claim for damages exists. (9) Most of these cases are appealed on standing issues. (10) This Note examines two recent cases from the U.S. Court of Appeals for the Eighth Circuit and analyzes how these decisions fit into the greater scheme of data breach litigation in the United States today.


This Note examines two cases from the Eighth Circuit, both dealing with the same general issue--an unauthorized breach of consumer data. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed


An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.