In the absence of federal mandates, data breach litigation should help to establish data security standards to guide corporations and reassure consumers. Regrettably, too many consumers who bring these claims are denied standing under the injury-in-fact requirement before those claims can proceed to the merits. Relatedly, the Supreme Court affirmed the “certainly impending” standard for satisfying the injury-in-fact element of standing on the basis of an increased risk of future harm in a 2013 data collection case, Clapper v. Amnesty International.
Since Clapper, much of the disagreement among federal courts in data breach litigation has concerned the requisite imminence of identity theft that a consumer’s allegations must demonstrate in order for the consumer to establish injury. However, Clapper should be inapposite in these cases because the Court has only applied the exacting injury inquiry that it applied in Clapper to other causes of action that present separation of powers concerns.
More broadly, the application of the injury-in-fact requirement in data breach litigation forces courts to make at least two normative choices that lead to doctrinal unpredictability. In applying the factual injury test, courts enjoy discretion to identify the factual harm at issue and determine the minimum degree of risk necessary to render that harm “imminent.” Imposing either of these choices allows courts to dismiss claims on jurisdictional grounds that may well be compensable under substantive law. Moreover, this result is irreconcilable with the Court’s modern theoretical justification for the injury-in-fact requirement as a restraint on the unconstitutional expansion of judicial power.
Courts could reduce doctrinal confusion in data breach litigation and thus encourage more predictable outcomes by remedying either of these two normative choices: selecting the factual injury or determining the minimum probability of that injury’s occurrence necessary to render that harm imminent.