As reported in our 2017 Data Security Incident Response Report, plaintiffs allege potential future harm as a basis for injury in 80 percent of data breach lawsuits. But are allegations of future harm sufficient to meet Article III’s cases-and-controversies requirement, specifically with regard to the injury-in-fact element of standing? Despite the prevalence of these allegations, federal courts remain divided on the answer to this question as it applies in the data breach context.

This divide stems from differing interpretations of the Supreme Court’s 2013 decision in Clapper v. Amnesty International USA, which held that plaintiffs must show that future harm is certainly impending, or that they are at a substantial risk of future harm, to satisfy the injury-in-fact requirement of Article III standing.

This divide continues to grow as the federal circuit courts begin to weigh in on the issue, with some circuits finding standing where others have not. Most recently, the Second Circuit joined the First, Third, and Fourth Circuits in holding that plaintiffs must allege more than the fact that their information was stolen to show an Article III injury. See Whalen v. Michaels Stores, Inc., — F. App’x —, 2017 WL 1556116, at *1-2 (2d Cir. May 2, 2017); see, e.g., Beck v. McDonald, 848 F.3d 262, 274 (4th Cir. 2017).

In contrast, the Sixth, Seventh, and Ninth Circuits have held that allegations of future harm are sufficient when plaintiffs allege that their data has been stolen and is in the hands of ill-intentioned criminals. See, e.g., Remijas v. Neiman Marcus Grp., 794 F.3d 688 (7th Cir. 2015); Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010).

The circuit split may soon grow, as this issue is currently pending before the Eighth Circuit, which heard oral argument on the matter just last month. See Alleruzzo, et al. v. SuperValu, Inc., No. 16-2378 (8th Cir.).

Is the Divide Real?

Some courts deny that a circuit split exists on this issue, instead reasoning that crucial factual distinctions in each case give rise to seemingly conflicting decisions. See, e.g., Khan v. Children’s Nat’l Health Sys., 188 F. Supp. 3d 524, 532 (D. Md. 2016). Other courts reject this premise, expressly recognizing the divide between the circuits on this issue. See, e.g., Beck, 848 F.3d at 273.

Regardless of which view is correct, there can be no dispute that the fact-intensive nature of the injury-in-fact analysis only contributes to the disuniformity amongst the courts. In evaluating whether an alleged future injury is certainly impending, courts consider an ever-expanding variety of factors. For instance, some courts focus on whether the data thief specifically targeted the compromised information, which may show the thief’s intention to misuse it in the future. See, e.g., In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197 (N.D. Cal. 2014). Other courts consider the amount of reported misuse and the length of time that has passed since the breach. See, e.g., In re SuperValu, 2016 WL 81792, at *5 (D. Minn. Jan. 7, 2016).

Courts also review allegations of future harm differently depending on the type of information involved in the data breach. For example, when payment card information was at issue, the Seventh Circuit inferred that the future risk of harm was certainly impending because “presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.” Remijas, 794 F.3d at 692. In contrast, when personally identifiable information (PII) is stolen – such as names, dates of birth, Social Security numbers, etc. – other courts have declined to extend this inference, reasoning that plaintiffs need to show actual examples of identity theft resulting from the data breach. See, e.g., Khan, 188 F. Supp. 3d at 532.

In any event, the amorphous framework for analyzing allegations of future harm in the data breach context is particularly troublesome when plaintiffs bring their claims as nationwide class actions, which is often the case. In those situations, the divide between the circuits may encourage plaintiffs to forum shop, which could allow people to participate as putative class members even when they would not have standing to sue in their home circuits. Plaintiffs should not be able to circumvent threshold jurisdictional issues such as Article III standing, which makes this issue particularly appropriate for review by the Supreme Court.