After years of hesitating to find standing in data breach cases, federal courts are now identifying factors on which to base standing. Where the matter has been the disclosure of personally identifiable information (PII), courts have not found standing in data breach cases because they required evidence of actual use of that PII. Actually suffering identity theft brings about the effects that courts now see as highly relevant to finding standing in data breach cases.
In a case where computers were stolen and the files were not encrypted, the court found that the company breached its contract to protect personally identifiable information when it did not safeguard the computers and did not reasonably invest in cyber security. In that light, the court allowed the restitution claim to proceed, as well as the claim for breach of the contract to protect the PII of employees and former employees.
The harm claimed by the plaintiff was demonstrated by the misappropriation of the plaintiff’s identity and bank account, in addition to credit card use, financial transactions, and an employment application filed using the plaintiff’s identity. Despite the defendant’s claim that the plaintiff’s harms were speculative, the court viewed them as the result of fraudulent transactions made using the plaintiff’s identity, and that sufficed to give the plaintiff standing in a data breach case.
See Enslin v. The Coca-Cola Co., No. 2:14-CV-06476 (E.D. Pa. Sept. 29, 2015).