Granting Standing in Data Breach Cases The Seventh Circuit Paves the Way Towards a Solution to the Increasingly Pervasive Data Breach Problem

Data breaches at private companies have occurred with increasing regularity in recent years, causing the exposure and theft of confidential consumer data, such as credit card numbers. Despite these alarming patterns, the current state of the law does not fully regulate the complicated issues that arise from data breach incidents. The existing regulations operate in a piecemeal manner and do not adequately address the situation. They give inadequate protections to consumers and insufficient guidance to private companies that experience breaches and other institutions affected by data breaches, such as credit card companies and banks. This is the data breach problem: the increasing frequency of data breaches in recent years coupled with the lack of appropriate legal response.

Given the current situation, consumers are fighting back by filing class action lawsuits against private companies that have experienced data breaches. They have generally been unsuccessful, however, because many courts are reluctant to grant standing due to the lack of an identifiable injury, especially in cases where plaintiffs allege increased risk of future harm from misuse of their stolen personal information. This has especially been true after Clapper v. Amnesty International USA, one of the most recent U.S. Supreme Court cases on Article III standing. Despite frequent dismissals and confusion about Clapper’s implications in the district courts, the Court of Appeals for the Seventh Circuit granted standing based on victims’ reasonable allegations of increased risk of future harms in Remijas v. Neiman Marcus Group, LLC.

This Note aims to demonstrate why the Seventh Circuit’s approach is the best among the current decisions of the courts of appeals. Lessening the burden of standing requirements for consumer plaintiffs in data breach cases gives plaintiffs a potential avenue for relief, which is especially appropriate since there are inadequate regulatory and legislative mechanisms protecting consumers in data breach situations. In addition, the Seventh Circuit’s approach is a step towards an ultimate solution, which this Note suggests should be in the form of comprehensive federal regulatory framework. The Seventh Circuit’s approach allows for more cases to proceed to trial, and presumably for more companies to be held responsible for the consumer harm resulting from data breaches. This will allow for the responsibility for data security to be shifted to companies, which will hopefully shatter the current status quo and lead to a better solution. Though the Seventh Circuit’s approach is appropriate given the current context, this Note recognizes that there are nonetheless a variety of complications in its practical application. These complications reveal the complexity of the data breach problem and lend further support to the proposition that the solution to the data breach problem will likely be regulatory, not judicial, in nature.