Brooklyn Law Review


Data breaches have rapidly increased in volume in the United States since the beginning of the twenty-first century. As entities across the United States have increasingly stored personally identifiable information (PII) in online databases, cybercriminals have developed tools to steal and sell stolen PII. This note explores the devastating consequences felt by data breach victims and the uphill battles victims often face in finding legal remedies. Although data breach victims may be at risk of identity theft, they are often barred from taking legal action against the entity that breached their data due to the “injury in fact” requirement under Article III of the Constitution. Data breach victims who have been notified of a breach but do not have proof that their PII has been used by a third-party must plead future injury as the result of the breach, which is an incredibly difficult task. In 2021, in McMorris v. Carlos Lopez & Assocs., LLC., the Second Circuit Court of Appeals adopted a three-factor test in which data breach victims could plausibly plead a claim for future injury as the result of a breach. However, the court’s decision still puts significant restrictions on data breach victims, and alarmingly, there is no federal data breach notification legislation in place in the United States. This note argues that the test adopted in McMorris must be modified, and federal data breach notification legislation must be implemented in order to give data breach victims a fair chance of being granted standing and a fair chance of recovery. A modified, more rigid test that considers the type of data that has been breached, whether the breach was a targeted attack, whether data has already been misused, and the amount of time that data has been exposed would accurately gauge whether victims are at an increased risk of future harm and help ensure more equitable grants of standing for future injury claimants. Moreover, federal data breach notification legislation that allows for recovery of reasonable expenses incurred while attempting to protect oneself from future injury would allow data breach victims to recover for preventative actions taken after being notified of a breach even if they may not ultimately be granted standing to sue.