Data Breach and Privacy Lawsuits Must Have Real Damages to Succeed

People always want to tell me a little blurb about something that has happened to them and then ask me, the lawyer, the inevitable question: “can I sue?”

My answer is always the same: “of course you can sue!” You can always sue — but that doesn’t mean you will win.

One key element that (nearly) all civil lawsuits must have to be successful is that there be legitimate damages. As I have written about previously, there must be some actual ascertainable harm that constitutes damages in order to have a valid privacy or Computer Fraud and Abuse Act claim. This is a very well-settled principle of law.

This principle holds true for data breach claims as well. In the recent case Reilly v. Ceridian, the Third Circuit held that lawsuits for data breach require something more than speculation of what harm might occur — they require proof that some actual ascertainable harm has occurred — that there are damages. In the words of the court,

In this increasingly digitized world, a number of courts have had occasion to decide whether the “risk of future harm” posed by data security breaches confers standing on persons whose information may have been accessed. Most courts have held that such plaintiffs lack standing because the harm is too speculative. See Amburgy v. Express Scripts, Inc., 671 F. Supp. 2d 1046, 1051-1053 (E.D. Mo. 2009); see also Key v. DSW Inc., 454 F. Supp. 2d 684, 690 (S.D. Ohio 2006). We agree with the holdings in those cases. Here, no evidence suggests that the data has been—or will ever be—misused. The present test is actuality, not hypothetical speculations concerning the possibility of future injury. Appellants’ allegations of an increased risk of identity theft resulting from a security breach are therefore insufficient to secure standing. See Whitmore, 495 U.S. at 158 (“[A]llegations of possible future injury do not satisfy the requirements of Art. III.”).

So, we all know that violating privacy rights and hacking others’ computers and data is wrong and, if it happens to you, you too will want to know what rights you have. So don’t ask whether you can sue – ask the better question: whether you can win. A big factor in determining whether you can is whether you have some actual damages.

Published by Shawn E. Tuma

Shawn Tuma is an attorney who is internationally recognized in cybersecurity, computer fraud and data privacy law, areas in which he has practiced for nearly two decades. He is a Partner at Spencer Fane, LLP where he regularly serves as outside cybersecurity and privacy counsel to a wide range of companies from small to midsized businesses to Fortune 100 enterprises. You can reach Shawn by telephone at 972.324.0317 or email him at stuma@spencerfane.com.
