Data Breach and Privacy Lawsuits Must Have Real Damages to Succeed

People always want to tell me a little blurb about something that has happened to them and then ask me, the lawyer, the inevitable question: “can I sue?”

My answer is always the same: “of course you can sue!” You can always sue — but that doesn’t mean you will win.

One key element that (nearly) all civil lawsuits must have to be successful is that there be legitimate damages. As I have written about previously, there must be some actual ascertainable harm that constitutes damages in order to have a valid privacy or Computer Fraud and Abuse Act claim. This is a very well settled principal of law.

This principle holds true for data breach claims as well. In the recent case Reilly v. Ceridian, the Third Circuit held that lawsuits for data breach require something more than speculation of what harm might occur — they require proof that some actual ascertainable harm has occurred — that there are damages. In the words of the court,

In this increasingly digitized world, a number of courts have had occasion to decide whether the “risk of future harm” posed by data security breaches confers standing on persons whose information may have been accessed. Most courts have held that such plaintiffs lack standing because the harm is too speculative. See Amburgy v. Express Scripts, Inc., 671 F. Supp. 2d 1046, 1051-1053 (E.D. Mo. 2009); see also Key v. DSW Inc., 454 F. Supp. 2d 684, 690 (S.D. Ohio 2006). We agree with the holdings in those cases. Here, no evidence suggests that the data has been—or will ever be—misused. The present test is actuality, not hypothetical speculations concerning the possibility of future injury. Appellants’ allegations of an increased risk of identity theft resulting from a security breach are therefore insufficient to secure standing. See Whitmore, 495 U.S. at 158 (“[A]llegations of possible future injury do not satisfy the requirements of Art. III.”).

So, we all know that violating privacy rights and hacking others’ computers and data is wrong and, if it happens to you, you too will want to know what rights you have. So don’t ask whether you can sue – ask the better question: whether you can win. A big factor in determining whether you can is whether you have some actual damages.