Companies who suffer data breaches continue to be concerned that after providing notice, they will face class action lawsuits. A common defense has been to argue that the plaintiffs have not suffered harm. In the spring of 2016, the Supreme Court ruled in Spokeo, Inc. v. Robins that statutory violations alone were not enough to satisfy the injury requirement for standing because such alleged harms were not concrete. But the justices added the caveat that a concrete harm need not necessarily be tangible. What is “harm” is thus unclear. This confusion played out in the courts in the second half of 2016, and will likely continue.

TIP: Going into 2017 there remains confusion as to whether or not a data breach-related lawsuit will be dismissed because there has been no harm. Read more about this and other issues facing companies in 2017 in our recent Privacy Year in Review.