Data Breach Class Actions: How Article III Standing Analysis Should Evolve After TransUnion, LLC v. Ramirez
By Caleb A. Johnson. Full Text.
Data breaches have become a common occurrence for many people in America. Companies retain consumers’ personal information (SSN, DOB, bank account, credit card, biometrics, etc.) to better serve the consumers as well as to improve their company’s bottom line. Hackers get into those databases to fraudulently use existing consumer accounts as well as steal those consumer identities, with major repercussions.
When hackers go unidentified, class action litigation is taking place between consumers and companies based on theories around negligence, breach of contract, and more. One of the most hotly contested issues is whether all the plaintiffs actually have Article III standing to bring suit in federal courts. This debate arises when consumer data exposed in the breach has not yet resulted in an identity theft or fraudulent charges on accounts. Those plaintiffs come to court based on the theory of risk of future harms. This theory dovetails into the broader lack of clarity in caselaw around what actually qualifies for Article III standing as an “imminent injury-in-fact.”
Nine circuits have weighed in on this data breach standing question so far. Two circuits issued new opinions in 2021, in McMorris v. Carlos Lopez & Associates, LLC, 995 F.3d 295 (2d Cir. 2021) and Tsao v. Captiva MVP Restaurant Partners, LLC, 986 F.3d 1332 (11th Cir. 2021). Article III standing analysis gets more complicated because, in TransUnion, LLC v. Ramirez, 141 S. Ct. 2190 (2021), the Court addressed Article III standing “imminent injury-in-fact” requirements for situations slightly different from data breaches, but with analytic similarities that are likely applicable.
This Note summarizes where data breach litigation currently sits in the federal circuit courts and explains the holding and impact of the Ramirez decision. Additionally, this Note calls on the GAO to renew its efforts to research the impact of identity theft on U.S. citizens. Finally, this Note proposes a rule that should be used as the solution to remedy the circuit differences in data breach standing cases, specifically with an eye towards being in line with the new holding in Ramirez and bringing much needed clarity to consumers.