A large reason for the delay in cyber and consumer privacy litigation is due to the difficulty for victims to prove their injuries following a breach or privacy event. Developing standing has proven to be a challenge but some recent cases following in the footsteps of the Neiman Marcus ruling may be indicative of plaintiffs growing stronger legs in cyber and privacy related cases – and you have be able to stand before you can run.

The first decision came from the D.C. Courts in Attias vs Carefirst. Carefirst, a health insurer, suffered a large scale data breach in 2014 which took roughly 1 year to discover, at which time it was learned that their customers personal information had been exposed (information in the form of names, email addresses, ID numbers and dates of birth). Following this discovery, a number of customers responded with a class action lawsuit despite their lack of any sustained concrete injuries at the time. The customers alleged their harm was sustained in the form of substantial risk of future injuries (ID Theft). Despite the fact that no credit card or social security information was stolen, the lawsuit alleged that the breach still compromised that information, and that the data that had been exposed, on its own, created a significant risk of future injuries. The initial court rejected the customers’ arguments were sufficient enough to establish standing. However the D.C. Courts reversed their ruling, opining that the potential for future injuries (based on the exposed data) was in fact enough to establish standing, stating that it was safe to assume that the information obtained by the hackers would in fact be used maliciously.

Immediately following the Attias' ruling, the 9th circuit issued a (revised) opinion in Spokeo vs Robins – another case which addressed the ability for plaintiffs to allege intangible damages as sufficient injuries for standing. Spokeo is an online search tool which constructs and publishes personal profiles on individuals. After Tim Robbins discovered his public profile contained false information, he filed a class lawsuit against Spokeo for FCRA violations, alleging that this misinformation caused him injuries from stress related to certain difficulties with employment prospects. It should be noted however that there was no clear indication of specific damages – whether in terms of lost employment opportunities or otherwise. Despite these facts, the 9^th circuit ultimately confirmed that the plaintiffs did in fact have enough merit to establish standing. While it’s safe to expect this case will have profound effects on future consumer protection class actions, many law firms are reporting that the courts still vary greatly in their opinions on the topic of allowing standing in such cases.

For those interested in reading more in depth technical assessments of each of these rulings, D&O Diary has a good write up on each case here, and here.