The U.S. Supreme Court has confirmed a demanding threshold showing for plaintiffs suing based on increased risk of harm in privacy-related litigation. Clapper v. Amnesty International, No. 11-1025 (U.S. Feb. 26, 2013), effectively resolves a circuit split over application of the Article III standing requirement in data breach cases. Plaintiffs must show that the threatened harm that establishes their standing to sue for prospective relief is “certainly impending,” not merely “possible.”

Given that many consumers cannot plead or prove that exposure of their data has resulted, or will result, in identity theft or any other financial injury, the high court’s recent decision should prove very useful to companies seeking early dismissal of individual or class action data breach litigation.

Treatment of Article III Standing By The Court’s 5-4 Majority

Clapper involved issues of constitutional privacy arising out of a challenge to a 2008 amendment to the Foreign Intelligence Surveillance Act of 1978 (FISA), 50 U.S.C. § 1881a. FISA allows the federal government to conduct surveillance on the electronic communications of non-U.S. persons located outside the United States, but only after obtaining approval from a Foreign Intelligence Surveillance Court (FISC). Plaintiffs in Clapper were several attorneys and human rights, labor, legal, and media organizations who sued to obtain a declaration that FISA is unconstitutional, and an injunction against the surveillance on the ground that it would encompass plaintiffs’ own sensitive international communications with individuals believed to be likely federal government targets.

Under the well-established U.S. Supreme Court precedent of Lujan v. Defenders of Wildlife, to establish Article III standing, plaintiffs are required to show an “invasion of a legally protected interest” that is both “concrete and particularized” and “actual or imminent, not conjectural or hypothetical,” along with a causal connection between the injury alleged and the conduct complained of. The district court dismissed the Clapper complaint upon concluding that plaintiffs had failed to show the requisite “injury in fact” necessary to confer Article III standing. The Second Circuit reversed, holding that the injuries plaintiffs claimed were sufficiently concrete and imminent.

In the Supreme Court, the Clapper plaintiffs offered two arguments to support their claim of Article III standing. First, they argued that there was an “objectively reasonable likelihood” that their communications would be monitored under FISA at some point in the future, thus satisfying the imminent injury requirement. Second, they claimed that, to avoid having their confidential communications compromised by surveillance that might occur under FISA, they had incurred actual harm by undertaking costly and burdensome measures, including international travel to conduct meetings in person.

The Supreme Court rejected both arguments. First, the Court held that any threatened injury sufficient to confer Article III standing must be “certainly impending,” not merely “possible.” It found that plaintiffs had not met this standard because their standing argument relied on a “speculative chain of possibilities,” including assumptions about the actions of an independent third party – actions that simply could not be predicted. The Court expressly refused to “endorse standing theories that rest on speculation about the decisions of independent actors.”

Plaintiffs’ second argument was equally ill-fated. The Court declined to accept the notion that plaintiffs could “manufacture standing by inflicting harm on themselves based on fear of hypothetical future harm that is not certainly impending.” Were it to do so, “an enterprising plaintiff would be able to secure a lower standard for Article III standing simply by making an expenditure based on a nonparanoid fear.”

Key Takeaways for Data Security Defendants

Despite its particular focus on governmental intrusions into privacy, Clapper broadly reinforces a stringent Article III standing requirement applicable in every data breach case where plaintiffs seek prospective relief based on an increased risk of future harm.

Companies facing data breach litigation can and should consider moving to dismiss the complaint on the ground that plaintiffs lack Article III standing and may rely on Clapper to argue:

  • The mere possibility that a third-party criminal might someday misuse information obtained in a data breach is too speculative to demonstrate the “imminent” harm required to establish standing;
  • The actions of third-party hackers and/or criminals are utterly unpredictable; any assertion of standing premised on the probable acts of such persons improperly assumes the existence of a criminal who has both the ability and the desire to act on information obtained by way of a data breach;
  • Consumers cannot be permitted to “manufacture” standing for purposes of data breach litigation by voluntarily incurring costs to monitor their credit or otherwise guard against the mere possibility of harm that has yet to—and may never—materialize.