Journal of Law and Policy


As the number of data breaches continues to rise in the United States, so does the amount of data breach litigation. Many potential plaintiffs who suffered as victims of data breaches, however, find themselves in limbo regarding the issue of standing before a court because of a significant split on standing determinations amongst the federal circuit courts. Thus, while victims of data breaches oftentimes have their personal information fall into the hands of nefarious characters who intend to use the information to a victim’s detriment, that may not be enough to provide victims a right to sue in federal court because of disparate interpretations of standing that create impediments to data breach litigation. This Note examines conflicting holdings of various circuits on issues of standing in data breach contexts and proposes a uniform solution. It posits that applying the “heightened risk of harm” standard to standing would allow victims of stolen personal information to seek recourse in a reasonable set of situations without placing an unfair burden on the breached entities to defend against an avalanche of lawsuits. A “heightened risk of harm” standard would create uniformity in the courts by placing entities that are responsible for the personally identifiable information of others (as defined by each state’s data breach notification statute) on notice that they need adequate security measures to guard against breaches and that they must prepare for lawsuits should those measures be lacking, even if personally identifying information has yet to be used.