One of the primary points of contention in data breach actions is when, and whether, sufficient damages exist to meet the standing requirements under Article III. Circuit courts across the country have come to different conclusions, with some requiring a showing of actual damage and others allowing the existence of the breach to essentially serve as confirmation that the data will be used illicitly. According to a recent brief in support of certiorari, the DC Circuit falls into the latter category and a review by the Supreme Court is necessary to resolve the current circuit split.
In the class action at issue, a breach of a health insurer allegedly led to the theft of personal information. The plaintiffs allege that this information will be used for ill purposes, although no existing harm has been claimed. According to the health insurer, this allegation is nothing more than a repetition that a breach occurred. It further argues that if courts allow the allegation of a breach to support an assumption of damages, Article III standing will be conferred as a matter of course in data breach cases, opening the door to a flood of litigation.
The Supreme Court’s decision on whether to grant certiorari will likely indicate the immediate future of data breach litigation. If the court opts to review this case, it will signal that some standardization will be provided in the face of a growing number of cyber-security cases. Given the existence of notice requirements in all but two states, allowing an allegation of the breach alone to support the existence of imminent damage essentially guarantees that a data breach will be followed by a lawsuit.
Even for a mid-sized business, notifying its many customers that a breach occurred is likely to prompt at least one customer to file suit, if not a proposed class action. Businesses across the country should take note, as the outcome could have a significant effect on how they respond to data breaches and on all the associated costs.