by Jennifer Wissinger, a 2014 Judge K.K. Legett Fellow at the Washington Legal Foundation and a student at Texas Tech School of Law.
Data-breach cases were supposed to be a new, lucrative litigation frontier for plaintiffs’ attorneys. Some experts speculated a wave of class-action suits would emerge against companies victimized by unauthorized access of customer data. Media reports of lawsuits filed in the immediate aftermath of high-profile data breaches, like the one that befell Target last December, have created the impression that these cases are proliferating rapidly. Reality belies such perceptions of success, however. Trial courts in fact have routinely dismissed data-breach lawsuits because plaintiffs cannot answer the American legal system’s most fundamental threshold question: have you actually been harmed? As a series of U.S. Supreme Court cases construing the constitutional standing-to-sue requirement dictate, mere fear of possible future harm does not suffice. In many data-breach cases, fear of future harm is the most plaintiffs can prove.
As The Legal Pulse has discussed, the Supreme Court most recently addressed standing two years ago in Clapper v. Amnesty International. Since 2012, federal and state trial courts have consistently applied Clapper’s reasoning to dismiss data-breach cases for lack of standing. In the last two months, three more courts have thrown out data-breach cases because the plaintiffs failed to show that the expected injury was at least “certainly impending.”
Galaria v. Nationwide Mutual Insurance Co. After Nationwide’s computer systems were hacked, the company notified its customers and advised them to safeguard their personally identifiable information (PII). Even though Nationwide offered its customers free credit monitoring for a year, the plaintiff in Galaria sued alleging violations of the federal Fair Credit Reporting Act (FCRA) and unlawful invasion of privacy under Ohio common law. Continue reading