Despite the rules and security measures that many organizations put in place to protect the personal information of their clients or customers, sensitive information may still fall prey to hackers and other kinds of breaches. Those affected may seek counsel to aid in bringing suit to hold an entity liable for its intermediary role when a third party commits a data breach.. While data breaches have become too common, case law and statutory law governing redress for data breaches is limited. This column explores standing and potential causes of action in data breach suits.

Standing in data breach cases may be impacted or determined by various factors, including especially the types of information stolen, and the action taken after the breach. In Antman v. Uber Technologies, (N.D. Cal. Oct. 19, 2015), the trial court dismissed the plaintiffs’ argument that Uber’s failure to protect their data was sufficient to confer standing because, among other reasons, they failed to establish Article III standing. Article III standing has three constitutional requirements. The plaintiff must have: suffered some actual or threatened injury; the injury can fairly be traced to the challenged action of the defendant; and, the injury is likely to be redressed by a favorable decision.” See Legal Information Institute, “Constitutional Standards: Injury in Fact, Causation, and Redressability.” For example, the court in Antman stated that the plaintiffs had not adequately established injury. But, it suggested the result would have been different had Social Security numbers been stolen (stating that the plaintiff “specifies disclosure only of his name and drivers’ license information. It is not plausible that a person could apply for a credit card without a social security number … plaintiff alludes to the disclosure of unspecified ‘other personal information; this is insufficient’”).