Vanderbilt Law Review


Devin Urness




Data breaches are not going away. Yet victims still face uncertainty when deciding whether and where to file cases against companies or other institutions that may have mishandled their information. This is especially true if the victims have not yet experienced a financial harm, like identity theft, as a result of a data breach. Much of the uncertainty revolves around the standing doctrine and the Supreme Court’s guidance (or lack thereof) on what constitutes a substantial risk of harm sufficient to establish an injury in fact. Federal circuit courts have come to divergent results in data breach cases based on the Supreme Court’s guidance. This Note analyzes these divergent results and shows that the circuits are not as far apart as some commentators have suggested.

This Note then proposes two possible clarifying measures—one judicial and one legislative. The judicial solution is a test the Supreme Court should adopt for evaluating standing in data breach litigation. The test would have courts assess three factors and would allow plaintiffs who have not yet had their data misused to establish standing. Under the test, courts would examine (1) whether the breach was targeted; (2) whether the thief attained information that could lead to financial harm; and (3) whether any portion of the compromised data has been misused. For the legislative solution, this Note proposes language for a private right of action that could be inserted into federal legislation, either as part of comprehensive privacy legislation or in sector-specific privacy legislation.