January 11, 2018 feature

Your Data Was Stolen, But Not Your Identity (Yet)

Majority consensus grows on the scope of permissible data breach standing

By Kristen L. Burge

Cyberattack victims can sue data custodians despite not suffering actual identity theft. In determining the plaintiffs’ standing, a growing majority of circuit courts now turn to the nature of stolen data to determine whether the victims experience a “substantial risk” of identity theft.

A cybersecurity breach itself can constitute standing for pursuing identity theft claims

A cybersecurity breach itself can constitute standing for pursuing identity theft claims

Photo Illustration by Elmarie Jara | iStockphoto by Getty Images

The U.S. Court of Appeals for the Federal Circuit joined the majority approach—followed by the Sixth, Seventh, and Ninth Circuits—holding that victims alleging personal data theft, including medical identification numbers, have standing to pursue their claims.

A minority of circuits, on the other hand, require data breach compromises to include Social Security or credit card numbers before finding a substantial risk exists. In the wake of significant consumer data breaches, the material circuit split signals a need for U.S. Supreme Court intervention to create a uniform test governing standing in consumer data breach cases.

Premium Content For:
  • Litigation Section
Join - Now