Identity Crisis: Seeking a Unified Approach to Plaintiff Standing for Data Security Breaches of Sensitive Personal Information
Galbraith, Miles L., American University Law Review
Today, information is largely stored and transmitted electronically, raising novel concerns about data privacy and security. This data frequently includes sensitive personally identifiable information that is vulnerable to theft and exposure through illegal hacking.
A breach of this data leaves victims at a heightened risk of future identity theft. Victims seeking to recover damages related to emotional distress or money spent protecting their identities and finances are often denied Article III standing to pursue a claim against the entity charged with protecting that data. While the U.S. Court of Appeals for the Seventh Circuit in Pisciotta v. Old National Bancorp and the U.S. Court of Appeals for the Ninth Circuit in Krottner v. Starbucks Corp. recognized standing even when harm was limited to the increased risk of identity theft, the U.S. Court of Appeals for the Third Circuit in Reilly v. Ceridian Corp. split with its sister courts and denied standing for data breach victims, citing a lack of injury-in-fact.
The Reilly court's application of the standing doctrine creates an unreasonable barrier for injured plaintiffs to reach the merits of their cases. The circuit split should be resolved in favor of conferring standing for those who suffer a threat of future harm. Data breach plaintiffs' standing should be recognized, just as the plaintiffs' standing in "latent harm" tort law cases is recognized, because the increased risk of future harm in defective medical device, toxic substance exposure, and environmental injury cases is logically analogous and applicable to the increased risk of harm in data breach cases. In addition, the Supreme Court's original purpose of the standing doctrine supports acknowledging that the risk created by a data breach and the resulting expenses to protect against identity theft constitute a real, present, particularized injury worthy of justiciability.
"We have built our future upon a capability that we have not learned how to protect."1 These words, spoken by former CIA Director George Tenet, acknowledge the critical vulnerabilities of information-age technology on which we rely in modern society. Information in the modern world is increasingly stored and transmitted electronically, rapidly replacing the methods of the past.2 While electronically storing data comes with extraordinary environmental and economic advantages,3 its use raises novel concerns about the privacy and security of digital data.4
Much of the electronic information stored in databases by corporations and organizations includes sensitive personal information, such as social security numbers, phone numbers, birthdates, addresses, financial records, and medical records.5 Electronic data is uniquely vulnerable to theft and exposure on a catastrophic scale.6 Private electronic data can be exposed through illegal hacking,7 employee theft,8 the loss of laptops and hard drives,9 and even through inadvertent exposure on the Internet.10 It is clear that few entities that use online or electronic databases are impervious to data loss, given that between eighty and ninety percent of Fortune 500 companies and government agencies have experienced data breaches of some type.11 Electronic data breaches have become a leading cybersecurity challenge for the private and public sectors alike.12
With the increased use of digital data storage, the frequency and severity of breaches of data security are on the rise,13 and correspondingly, litigation relating to the exposure of personal data has increased.14 Some estimates put the number of records breached since 2005 at over 600 million.15 A breach of personally identifying digital information leaves victims at a heightened risk of future identity theft and misuse of their private information.16
Victims whose private information has been exposed or compromised often bring legal claims despite a lack of actual fraudulent use of their information. …