In a recent decision, the U.S. District Court for the District of Columbia held that the plaintiffs in a data theft case lacked standing when the only injury was an “increased likelihood” of becoming an identity theft victim.
In rendering its decision in In Re Science Applications International Corp. (SAIC) Backup Tape Data Theft Litigation, the district court relied on the U.S. Supreme Court’s decision in Clapper v. Amnesty International USA, where the Court held a “mere loss of data” or “increased risk of identity theft” in a data breach case does not constitute an injury that confers standing. Instead, individuals whose data has been stolen must show that injury has actually occurred or is certainly impending.
The facts of the SAIC case are pleasantly low tech. Data back-up tapes were stolen from a car. The tapes were never found. The tapes contained personal information for more than 4.7 million members of military families. In the hands of a tech-savvy cyber criminal, such information could be a jackpot, but, in the hands of a common street criminal, maybe not. The district court in SAIC stated: “At this point, we do not know who [the thief] was, how much [the thief] knows about computers, or what [the thief] has done with the tapes. The tapes could be uploaded onto [the thief’s] computer and fully deciphered, or they could be lying in a landfill somewhere in Texas.”
The court in SAIC provided a simple summary: “In sum, increased risk of harm alone does not constitute an injury in fact [sufficient for standing]. Nor do measures taken to prevent a future, speculative harm.”
Accordingly, in order to have standing to pursue a data breach case, a plaintiff would have to demonstrate much more than an increased likelihood of harm. Rather, a plaintiff would have to show an actual injury that was directly caused by the breach. Even then, of course, that would only establish standing, and a plaintiff would have to prove the other elements of his or her case.