Journal of Law and Policy


Over the last several years, data breaches have become increasingly common, due in no small part to the failures of organizations charged with storing and protecting personal data. Consumers whose data has been exposed in these breaches are more often turning to federal courts in attempts to be made whole from the loss of their information, whether simple credit card information or, as breaches become more sophisticated, Social Security information, medical and financial records, and more. These consumers are often being turned away from the courthouse, however, due to a failure of many federal courts to find that the plaintiffs have Article III standing to pursue claims.

Many of the district courts hearing data breach claims have refused to grant standing because of their interpretation of a recent case addressing constitutional standing, Clapper v. Amnesty International. These courts have concluded that Clapper represents a “tightening” of the traditional standing test under which data breach plaintiffs’ claims that they will suffer harm are too speculative. These courts are misguided in their analyses.

First, the Supreme Court’s decision in Clapper was based on an especially rigorous application of the traditional standing test due to constitutional and national security concerns present in the case. Data breach claims should not be subject to this same level of rigor. Second, these district courts are misreading Clapper to require a demonstration of an injury in data breach cases that is not necessary. These courts are looking for some type of quantifiable injury stemming from the data breach when all that Clapper requires is a demonstration that the plaintiffs’ data was lost in the breach. Courts should subscribe to this more accurate application of the standing test and of Clapper to grant data breach plaintiffs the day in court to which they are entitled.