Where do we stand on standing in data breach cases? It depends on which court you ask. In December 2014, two courts considered whether plaintiffs alleged sufficient injury in their complaints involving well-known data breaches – and reached different results on standing. In a case against Target Corporation (No. 14-md-2522, D. Minn.), the court held that the plaintiffs had alleged a concrete and particularized injury, traceable to Target’s conduct, based on allegations of “unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment or new card fees,” and therefore had standing to sue. In contrast, in a case against P.F. Chang’s China Bistro (No. 14-cv-4787, N.D. Ill.), allegations of overpayment for P.F. Chang’s services, fraudulent charges to a debit card, inability to accrue reward points, and “increased risk of identity theft” were insufficient to confer standing.
The two recent cases illustrate the types of alleged injuries plaintiffs claim they have suffered from the theft of their personal identifying information. These two cases and other recent decisions demonstrate that there are divisions in the courts on standing issues. When personal information is breached by a hacker targeting a favorite retailer, restaurant, bank, or doctor’s office, whether the victim has standing to sue in federal court remains a definite “maybe” depending on the jurisdiction and the nature of any specific out-of-pocket damages allegedly incurred.