Expert Q&A on Standing in Data Breach Class Actions

April 22, 2015

Practical Law logo newAn expert Q&A with Barry Goheen of King & Spalding, examining the key issues, trends and strategic considerations relating to standing in data breach class action litigation in light of the US Supreme Court’s decision in Clapper v. Amnesty International USA and its progeny.

The failure to establish an injury-in-fact sufficient to support Article III standing has been a key issue in data breach class actions. Data breach defendants frequently challenge plaintiffs’ standing in their initial responsive pleading to the complaint by filing a motion under Federal Rule of Civil Procedure (FRCP) 12, and over the last several years, federal courts have dismissed the majority of these types of cases for lack of standing.

In February 2013, the Supreme Court issued an opinion in Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013), addressing the standing doctrine. Clapper is the first Supreme Court opinion to address the standing doctrine since the explosion of privacy-related, particularly data breach, litigation roughly a decade ago. While the decision in Clapper mostly reiterated existing standing doctrine and standards, it significantly tightened the well-established requirement that an alleged future injury be “certainly impending.” Specifically, in rejecting the Clapper plaintiffs’ arguments that they suffered injury sufficient for standing purposes, the Supreme Court held that the plaintiffs lacked standing because they:

  • Relied on a speculative chain of possibilities and did not show that the future injury they purportedly feared was certainly impending.
  • Could not manufacture an injury by incurring costs in anticipation of non-imminent harm.

(Clapper, 133 S. Ct. at 1143, 1147-50.)

Clapper has substantially shaped the standing issue in subsequent data breach litigation, but not all courts have embraced Clapper as the basis for dismissing data breach cases. In fact, in the closely watched case against Target arising out of its 2013 data breach, the Minnesota District Court failed to even mention Clapper in finding that the plaintiffs had standing to pursue their case, which ultimately resulted in a proposed $10 million settlement of that litigation.

To learn more from the experts on standing in data breach class actions after Clapper, see Expert Q&A: Standing in Data Breach Class Actions.