In a recent case in the First Circuit, the court held that the "material risk of future misuse" and "concrete harm caused by exposure to this risk" can plausibly demonstrate standing for consumer class action claims after a data breach. This ruling highlights the evolving legal landscape surrounding data breaches and the potential for possible future harm to be enough to support such claims.
In this particular case, one plaintiff was able to show actual harm resulting from the data breach, while the other plaintiff had not yet suffered any harm. Despite this, the court still recognized the "material" future risk of identity theft and other related issues as creating a current, actionable "concrete harm."
The court's decision in this case relied on a Second Circuit ruling that considered whether the misuse of personal information following a data breach is imminent and substantial. Together, these rulings suggest that courts are becoming more receptive to the idea that the possibility of future harm, without more, can be enough to support consumer class action claims.
Why It Matters
It is unusual, but not unprecedented, to be able to bring legal action where harm has not yet occurred. Generally, a plaintiff trying to sue for an injury that has not yet occurred must persuade a court that the risk of harm is relatively high -- more "probable" than "possible" -- and that the injury would be difficult to remedy.
In the context of data security and privacy, consumer claims based on the likelihood of identity theft and similar issues would be a significant change in risk assessment and planning. If plaintiffs can recover even without showing that someone has used their data, it may be more important for businesses to keep that data safe in the first place.
/Passle/61f3627a0c51c3165820f0e7/MediaLibrary/Images/5ff4a070535488111cdbfec9/2024-01-17-18-25-18-859-65a81b8e3f5d760a89621ac7.png)
