In the past decade, we have seen a staggering rise in the number of data breaches—episodes in which sensitive information such as names, email addresses, Social Security numbers, bank account numbers, account passwords, credit or debit card numbers, and health records is exposed either inadvertently or as the result of third-party theft. A leading resource chronicling this phenomenon—the Privacy Rights Clearinghouse—has kept a running tally of all reported breaches since January 2005. To date, almost one billion records have been compromised in 4,419 separate breaches, affecting all types of industries. Chronology of Data Breaches, Security Breaches 2005–Present (updated Dec. 31, 2013). While not all of these breaches are the work of bad actors, data breaches have become a big business for criminal enterprise; some estimates indicate that the cyber crime economy is more lucrative than the drug economy. Andrea M. Matwyshyn, Introduction to Harboring Data: Information Security, Law, and the Corporation 3, 4–5 (2009).
The ubiquity of data breaches and the large number of individuals affected in any given breach invite class litigation. Initially, the plaintiffs’ theory of injury rested solely on the increased risk of some downstream harm (for example, identity theft and account fraud), and complaints did not include allegations of immediate, concrete injury suffered. Courts were reluctant to allow litigation to survive past the pleadings stage, holding that plaintiffs who had their personal or financial information stolen by criminal third parties—but who alleged no further harm—did not sufficiently plead an injury to satisfy either Article III standing or, if properly pled, injury material enough to sustain a negligence claim. Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013), further seemed to prevent data breach plaintiffs from surviving a standing challenge. The trend of dismissal at the pleadings stage continued.