Data-breach plaintiffs often have a very difficult time stating a concrete injury, and courts have wrestled with whether these plaintiffs can file suit in federal court. We have been watching this issue and writing about it frequently. The issue is whether plaintiffs have suffered an “injury in fact” that gives them Article III standing. The Supreme Court’s 2016 decision in Spokeo v. Robins took a narrow view of Article III standing where the plaintiffs alleged that their federal statutory rights were violated, but did not allege that they suffered any factual injury beyond the statutory violation. Spokeo gave defendants strong arguments to dismiss data-breach cases for lack of standing, but results have been mixed—perhaps because Spokeo addressed federal claims and not state-law negligence claims that are most commonly asserted after data breaches. Spokeo has proven to be a mixed blessing.
Now the issue looks to be heading back to the Supreme Court in Zappos.com, Inc. v. Stevens. That case highlights how the various circuits have taken divergent views on standing in data-breach cases. The Supreme Court has not granted certiorari yet, but court watchers have singled this case out as a likely grant. We are monitoring the case closely, as any ruling from the Supreme Court in the data-breach context would have far-reaching effects on this rapidly developing area of the law.