As we move into a new decade, it has become clear that data breach litigation is here to stay. Last year brought us several incremental developments in the data breach litigation landscape but no paradigm shift in the way data breach class actions are brought or resolved.
Federal courts in different circuits continue to disagree on the applicable standards to establish Article III standing. Both the Ninth and Seventh Circuits have issued decisions that have created a relatively low bar for Article III injury, at least at the pleading stage. Courts in other circuits, including the Third and Fourth Circuits, have been more rigorous in requiring a more substantial showing of present or future injury. Most courts agree that a person who has plausibly alleged a financial loss following a data breach has standing, but courts do not agree on how imminent a future injury has to be in order to support standing. In 2019, there were a few more decisions of note, most prominently the D.C. Circuit’s decision, by a 2-1 vote, allowing for Article III standing, based on an alleged increased risk of identity fraud in the case filed following the Office of Personnel Management data breach. See In re United States Office of Personnel Mang’t Data Sec. Breach Litig., 928 F.3d 42, 56-58 (D.C. Cir. 2019), petition for rehearing en banc denied October 21, 2019. All eyes are now on the Supreme Court on this one, as the case presents the Court with the opportunity to finally weigh in on the circuit split over Article III standing in alleged data breach cases. The Solicitor General, however, is still weighing its decision as to whether to file a petition for certiorari in the case, twice moving to extend the time allowed for doing so. The government’s cert petition, if it is to be filed, is presently due on March 19, 2020. Continue Reading