High-profile data hacks are not uncommon. In fact, according to the Privacy Rights Clearinghouse, there have been at least 7,961 data breaches, exposing over 10,000,000,000 accounts in total, since 2005. These shocking numbers are not particularly surprising when taking into account the value of information stolen. For example, cell phone numbers, as exposed in a Yahoo! hack, are worth $10 a piece on the black market, meaning the hackers stood to make $30,000,000,000 from that one hack. That dollar amount does not even consider copies the hackers could make and later resell. Yet while these hackers make astronomical payoffs, the release of this information damages people’s lives in multiple ways. Some suffer immense emotional turmoil, others are left in financial ruin. Nevertheless, there is a deep circuit split as to whether the fact that information was stolen is intrinsically sufficient to grant standing to those whose information was stolen to sue the hacked entity. In particular, the question becomes, “is the increased risk of future injury enough to grant standing?” In Part I of this note, I will briefly discuss the history of constitutional standing and the current test. In Part II, I will explain the aforementioned circuit split. In Part III of this note, I will argue why the courts should answer the question above in the affirmative: The increased risk of future injury is sufficient to grant standing. In Part IV, I will argue alternative ways that courts could and should find sufficient injury to grant standing if the significantly increased risk of future injury is not enough. I note at the outset that this note only deals with the question of standing, not necessarily the merits of any case or any other possible defenses, such as sovereign immunity or the economic loss rule.
Bytes Bite: Why Corporate Data Breaches Should Give Standing to Affected Individuals,
25 Wash. & Lee J. Civ. Rts. & Soc. Just. 243
Available at: https://scholarlycommons.law.wlu.edu/crsj/vol25/iss1/8