Two cases decided within the space of a few weeks show the difficulty courts have in evaluating whether plaintiffs in data breach class actions have standing to pursue their claims.
The Eighth Circuit joined the First, Second, Third, and Fourth Circuits in finding that alleged increased risk of future fraud and identity theft was insufficient to establish Article III standing at the pleading stage. But the D.C. Circuit joined the Sixth, Seventh, and Ninth Circuits in holding that this can be sufficient. And the Supreme Court recently denied a certiorari petition filed by a defendant, thereby letting lower courts sort out the question.
Adam Cooke of Hogan Lovells analyzes the core allegation in these suits: that plaintiffs have suffered a cognizable injury based on the threat of future harm. He presents several arguments that courts have accepted in denying standing, including in breaches where motives other than fraud were apparent or plausible, or where the threat of harm was successfully mitigated.
