Businesses face more than reputational risk when the personally identifiable information (“PII”) of their customers is stolen during a data breach. Many data breaches have spawned multi-plaintiff or class action lawsuits by customers whose PII was accessed by unauthorized third parties as a result of the breach. But, until recently, businesses faced modest litigation risk in these cases because most courts held that litigants lacked standing to sue in federal court, reasoning that plaintiffs had yet to suffer an injury absent allegations that the exposure of their PII resulted in identity theft or unauthorized and unreimbursed charges to their financial accounts. This survey discusses new developments in the law of standing in data breach cases, as well as decisions about the viability of legal claims. Currently, the law is sharply divided, and it is likely to remain so for the foreseeable future.
ARTICLE III STANDING FOR DATA BREACH CASES
The recent evolution in case law concerning the standing of plaintiffs in data breach litigation is the outgrowth of two U.S. Supreme Court decisions that established the framework for analyzing Article III’s “injury-in-fact” requirement. In Clapper v. Amnesty International USA,1 the Supreme Court held that the plaintiffs’ fear that their private communications might be intercepted by government surveillance programs was not an injury in fact because any “threatened injury must be certainly impending to constitute injury in fact,” and “allegations of possible future injury are not sufficient.”2 The plaintiffs’ injury was “too speculative” because its occurrence “relie[d] on a highly attenuated chain of possibilities” that “the Government [would] imminently target communications to which [they were] parties.”3 Nor were “measures that they have undertaken to avoid . . . surveillance” an injury; “otherwise, an enterprising plaintiff would be able to secure a lower standard for Article III standing simply by making an expenditure based on a nonparanoid fear.”4 Yet, the Clapper Court cautioned that its cases have “not uniformly require[d] plaintiffs to demonstrate that it is literally certain that the harms they identify will come about,” provided there is “a ‘substantial risk’ that the harm will occur, which may prompt plaintiffs to reasonably incur costs to mitigate or avoid that harm.”5
In Spokeo, Inc. v. Robins,6 the Court reiterated that the injury-in-fact requirement “does not mean that the risk of real harm cannot satisfy that requirement.”7 The Spokeo Court held that an alleged Fair Credit Reporting Act (“FCRA”) violation did not, ipso facto, confer standing because “a bare procedural violation, divorced from any concrete harm,” does not “satisfy the injury-in-fact requirement of Article III.”8 It explained that “[i]n determining whether an intangible harm constitutes injury in fact,” two considerations were important: “whether an alleged intangible harm has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts”; and “because Congress is well positioned to identify intangible harms that meet minimum Article III requirements, its judgment is also instructive and important.”9 The Spokeo Court remanded the case to the Ninth Circuit to determine “whether the particular procedural violations alleged in this case entail a degree of risk sufficient to meet the concreteness requirement.”10
In most data breach cases, the alleged injury resulting from the unauthorized access ...