By following trends and monitoring successful defenses in data breach litigation, companies can often avoid the reputational harm caused by making headlines. For most companies, it is not a question of whether they have been breached; they have. Rather, the more salient inquiry is what steps and actions those companies will take once the breach is discovered.
A frequent response after learning a data breach has occurred is “what is our exposure?” That is not a simple question to answer—primarily because the law surrounding who has standing to sue is unsettled.1 This is true for plaintiffs who seek to sue alone or as members of a class action. Individuals who can demonstrate actual use of their stolen data clearly have a better chance of meeting standing requirements based upon actual harm, but that does not mean that “use” is the threshold element. Actual use is in fact rare. Far more commonly, plaintiffs in data breach cases allege threatened or potential harm that may result from a data breach. Courts have struggled in such cases to draw the line between plausible harm sufficient to establish standing, and harm that is too speculative to satisfy Article III.