Standing in the Future: The Case for a Substantial Risk Theory of "Injury-in-Fact" in Consumer Data Breach Class Actions

Abstract

The increasing digitalization of our personal and professional lives has generated corresponding growth in the amount of electronically stored private information in the hands of third parties. That private information is at risk of theft, loss, or manipulation. Employers that hold employee tax information and merchants that hold significant troves of consumer credit card data are particularly attractive targets. When hackers strike, victims often band together in federal class actions, naming the custodians of their private data as defendants. More and more, however, district courts are dismissing these class action claims at the doorstep for lack of Article III standing. The corporate defendants argue, and many courts agree, that a plaintiff’s alleged increased risk of future data misappropriation is insufficient to satisfy the U.S. Supreme Court’s test for an “injury in fact,” a critical component of the traditional standing analysis. This Note argues that many consumer data breach class actions do in fact satisfy the Supreme Court’s standing requirements, as outlined in the Court’s 2013 decision in Clapper v. Amnesty International USA and its 2016 decision in Spokeo, Inc. v. Robins.