Sampson, Saikali and Schwaller Pen Piece on Challenging Data Breach Injuries for DRI
Shook, Hardy & Bacon Partners Bill Sampson and Al Saikali and Associate Dan Schwaller’s article, “Standing in Data Breach Cases: A Changing Legal Landscape and a Few Suggestions for Counsel,” was published in the Winter 2016 issue of In-House Defense Quarterly, a publication of DRI.
Most information in the cyber-world is self-posted, in places like Facebook or LinkedIn. But when key information, like banking or password information, is mined or posted online by hackers, consumers frequently turn to the courts for relief. Addressing the doctrine of standing, the requirement that a party demonstrate sufficient connection to and harm from the action challenged, the authors write, “Courts do not hesitate to entertain cases where the plaintiffs suffered actual financial loss, but they are divided when the injury is only threatened. When hackers steal personally identifying information but have not yet exploited it, the victim may not have standing to sue.”
The authors share numerous examples of recent lawsuits with different interpretations of standing in data breach cases, starting with 2013’s Clapper v. Amnesty International USA, and diverging views expressed in following decisions, including In re Adobe Systems, Inc. Privacy Litigation (2014), Remijas v. Neiman Marcus Group, LLC (2015), and In re Zappos, Inc. (2015).
In closing, the authors state: “Standing is powerful because it can be applied early and decisively. For data breach cases where plaintiffs have not yet suffered economic loss, Clapper set a helpful standard with its requirement that harm be ‘certainly impending.’ While not an absolute bar to the lawsuit, it’s a good place to start.”
Most information in the cyber-world is self-posted, in places like Facebook or LinkedIn. But when key information, like banking or password information, is mined or posted online by hackers, consumers frequently turn to the courts for relief. Addressing the doctrine of standing, the requirement that a party demonstrate sufficient connection to and harm from the action challenged, the authors write, “Courts do not hesitate to entertain cases where the plaintiffs suffered actual financial loss, but they are divided when the injury is only threatened. When hackers steal personally identifying information but have not yet exploited it, the victim may not have standing to sue.”
The authors share numerous examples of recent lawsuits with different interpretations of standing in data breach cases, starting with 2013’s Clapper v. Amnesty International USA, and diverging views expressed in following decisions, including In re Adobe Systems, Inc. Privacy Litigation (2014), Remijas v. Neiman Marcus Group, LLC (2015), and In re Zappos, Inc. (2015).
In closing, the authors state: “Standing is powerful because it can be applied early and decisively. For data breach cases where plaintiffs have not yet suffered economic loss, Clapper set a helpful standard with its requirement that harm be ‘certainly impending.’ While not an absolute bar to the lawsuit, it’s a good place to start.”
