Academic journal article Brigham Young University Law Review

Standing Room Only: Solving the Injury-in-Fact Problem for Data Breach Plaintiffs

Article excerpt


If something valuable is taken from you without your permission, does it matter who took it? According to modern data privacy law, it does. In fact, the answer to that simple question may end your case before it even begins.

Consider the examples of two people who had their valuable personal data taken from them by an unauthorized third party.1 Person 1 enrolled in a cell phone plan with a major phone company and was required to give the phone company some of his private information, such as his credit card number, phone number, and home address. Person 2 started working for a company, and was required to give her employer her personal information, such as her name, address, Social Security number, date of birth, and bank account number.2 Neither Person 1 nor Person 2 thought much about these transactions, assuming that the companies would take reasonable steps to protect their personal information.

Later, Person 1 discovered that his phone company had been giving "metadata"3 about his (and many other people's) phone calls to the government.4 The phone company had been giving out this data every day for the past five years or more.5 The information given to the government was not inherently sensitive; it was not Person 1's financial information or the contents of his calls. The government had only collected information about the calls, such as which numbers Person 1 had called, how often he had made those calls, and how long he had spent on each call.6 All of this data collection occurred without Person 1's knowledge or permission.7

Person 2 discovered that a hacker broke into the network where her employer stored her personal data and gained access to the database where Person 2's personal information was stored.8 Person 2 was told that the hacker may have stolen Person 2's credit card number, name, home address, bank account number, and even Social Security number.9

Concerned about the loss of their personal data, both Person 1 and Person 2 filed lawsuits. Person 1 chose to sue the government for taking his information,10 while Person 2 sued her company for negligence in protecting her financial information.11

When Person 1 and Person 2 appeared in court, they were immediately faced with a question that may have surprised them. Both courts began with the same threshold inquiry: did you suffer an injury?12 In other words, Person 1 was asked whether he was harmed when the government collected his phone call metadata without his permission. Likewise, Person 2 was asked whether she was harmed when a hacker gained access to her personal financial information. The answers to these questions had a much larger impact than either plaintiff may have expected.

The court, upon hearing Person 1's claim, determined that he had suffered an injury, and could therefore bring his case before the court.13 However, the court hearing Person 2's claim determined that she had not actually suffered an injury at all, and therefore could not bring her claim.14 Even though Person 1's compromised information was only metadata, and Person 2's compromised information included her financial information and Social Security number, Person 1 was able to receive redress from the courts, while Person 2 was barred.

In the current legal environment, two people can have their personal data compromised in similar ways, yet have their claims treated in completely different manners. If the plaintiffs' personal information is accessed by the government, even if the information accessed is simply metadata, they are allowed to present their case in court.15 But if their personal data is accessed by a private third party, no matter how sensitive the information may be, they may not get a chance at redress.16

This apparent discrepancy stems from the doctrine of "standing" contained in Article III of the United States Constitution.17 According to the current interpretation of the standing doctrine, many consumers in private data breach actions have not suffered a sufficient injury-in-fact to qualify for standing, and are therefore unqualified to bring an action in court. …
