Data breach case standing is the critical element in determining the case’s viability to continue along with the relevance of harm incurred. As data security breach occurrences amount with frequency, the menu of their handling also adds to the list of settled and or filed. The usual person is petrified when hearing that his or her personal identifiable information (PII) has been compromised in some way or another. No matter if the compromised data was due to a company’s or agency’s disgruntled former employee, an unidentified hacker, or a nefariously loaded email, the concern is the same. The internal or external manner of intrusion cause is nevertheless and intrusion to acquire PII of hundreds of not thousands of individuals. The consternation that lingers is not to be weighed by the courts as having value. This is despite the apparent value of PII in the open illicit market for social security, birthdate, and credit/debit card numbers. The claim that by the simple fact of the misappropriation of PII there is a harm and that the PII has value to the plaintiff has historically not swayed courts to conclude that Article III criteria are met.
A plaintiff is required, under article III of the U.S. Constitution, to establish certain elements in federal court that constitute its ability to demonstrate case and controversy enough to stay on and be emblematic of “standing” in a case. To support this critical element, the complaint must demonstrate that the plaintiff[s] have incurred an injury-in-fact that is a result of its connection to the act claimed to cause the injury and must also demonstrate that the sought after court’s decision can redress the harm by its own decision. The factor of injury-in-fact must be supported by actual or imminent injury and cannot be out of conjecture. A data breach event presents different circumstances that courts have had to adjust to in order to assess the element of incurred harm by plaintiffs’.
This analytical adjustment took place in the approach taken by the United States Supreme Court to address standing in a data breach case. In Clapper, the Supreme Court set a standard regarding the injury claimed to have been incurred to be ‘certainly impending’. The Court stated that it was not enough to make the conclusion that by virtue of the act to acquire PII one cannot make the logical conclusion that harm has occurred or that there is a likelihood or ability of the intruders to read the data and misuse it. The Court also stated that the nature of the data requires assessment as well in order to ascertain the criticality of the data in unauthorized hands, especially the accessibility of Social Security and credit card numbers with the date of birth data. In Spokeo, despite there being a claimed violation of the D.C. Consumer Protection Procedures Acts, the Court determined that plaintiffs did not demonstrate a concrete harm to substantiate the determination of standing. In Remijas, the Seventh Circuit assessed the possibilities of events from a data breach. In its analysis, it considered the loss of value of the time the plaintiffs incurred in all their involved efforts to address the breach and circumstances that arose out of the breach that required plaintiff’s action. The Remijas court seriously considered the costs of time from work and effort by the plaintiff to deal with credit card companies, law enforcement, investigators, and governmental agencies regarding their misappropriated PII. As the court assessed that the plaintiffs experienced the bother and torment of dealing with the circumstance of their PII being misappropriated.
The element of financial impact has been considered by the Minnesota District Court in In re Target Corp to substantiate the element of standing by virtue of demonstrated financial injuries, including charges, impaired bank account access, the impairment to pay bills, and incurred late payment charges and fees. In determining the financial impact incurred by plaintiffs, the courts are peering into assessing if the costs were indeed incurred or if there were reimbursable costs. In P.F. Chang’s case, the court assessed if the claimed financial harm would uphold the requirement of standing when there were nonmonetary damages. The court decided that actual injury cannot coexist with a reimbursable cost and it denied the plaintiff’s claims for the risk of identity theft and those associated with mitigation of damages.
In In re Zappos.com case, the court shed light on the guessing that is involved in predicting the time and actions unidentified assailant[s] and their capacities to interpret and use the data. The noted that it is not absolutely clear that the stolen data would be misused or that it can be used to construe the event of harm to the plaintiff. Such analysis could be attributed to the Anthem case determination in its second round where the court gave import to the value of PII in the open market and that the disclosure of that information has imputed economic injury. That economic injury, however, was incurred by the merchants and not the plaintiffs.
No matter the twists and turns that standing has undergone in data breach cases the element of causation is unmovable to interpretation. The harm that a plaintiff incurs from a data breach is always open to analysis that begs to question of who, what, where, and how about the harm, value, and costs, including the impact of what future impact the data breach will have.
 See, Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992).