Laura Lee

—

            Have thieves stolen your personal information? The answer is probably yes because data theft is on the rise.[1] Furthermore, the problem will only get worse because online interactions are commonplace.[2] Once thieves steal a consumer’s data, the consumer is left to unravel the wicked web of what a data breach means to their financial health.[3] Of significance here, consumers have turned to the courts in an attempt to hold companies who housed the stolen data accountable for their data theft.[4] However, most consumers have not been able to access the judicial system for relief because many courts have found plaintiffs do not have standing—a threshold legal requirement before the court can turn to the substantive issue.[5] In fact, the federal circuit courts are inconsistent in their approach as to when a plaintiff establishes standing, in particular when a plaintiff has satisfied the injury-in-fact (injury) element of standing.[6] That said, the United States Supreme Court (SCOTUS) now has the opportunity to clarify what establishes the injury element of standing when thieves steal data in Zappos, Inc. v. Stevens. Zappos petitioned for Writ of Certiorari onAugust 20, 2018.[7]

            There is no magic bullet to eliminate data theft. However, data theft is a problem that will likely only get worse. As of July 2, 2018, there have been 668 breaches, exposing 22,408,258 records.[8] Most recently, in September 2018, news outlets estimate that thieves stole personal information of fifteen million Facebook users.[9] The data stolen from Facebook customers was not financial in nature, rather it was gender, religion, relationship status, etc.—considered more accurate than retail data, and at first blush not as important as financial data.[10] However, experts claim thieves can use this type of information to “crack account security questions or scam you or your friends.”[11] In a way this ups the ante, where all data stolen ultimately leads to financial impact.[12]

            This Note will explore the injury element of standing as it relates to data theft, in light of Zappos.com Inc., v. Stevens. Part I will present a brief overview on the data theft epidemic. Part II will explore the value and theory of standing. Part III will frame the Court’s role in relief for the parties. Part IV will detail the factsZappos.com Inc. v. Stevens.Part V will provide legal analysis comparing one case from each circuit court of appeals to Zapposand investigating the question presented, whether, or in what circumstances, a data theft victim has satisfied the injury element of standing. Finally, Part VI will propose a recommendation as to how SCOTUS should hold in Zappos.

[1]See Cybersecurity Data Breaches on the Rise, Security Scoreboard (Aug. 12, 2018), https://securityscorecard.com/blog/cybersecurity-data-breaches-statistics-on-the-rise (explaining there were 668 data breaches between January 1 and June 2, 2018, representing 22,408,258 compromised records).

[2]See generally South Dakota v. Wayfair, Inc., 138 S. Ct. 2080, 2097 (2018) (outlining that online purchases outpaced traditional retail transactions).

[3]See generally The Equifax Data Breach: What to Do, Fed. Trade Comm’n, Consumer Info. (Sept. 8, 2017), https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do (providing consumers impacted by a data breach a list of steps to take to protect their financial well being).

[4]See, e.g., Reilly v. Ceridian Corp., 664 F.3d 38, 40 (3d Cir. 2011) (providing one example of consumers suing a company because their data including social security number, birth date, and bank account information was accessed by an unauthorized hacker).

[5]See U.S. Const. art. III, § 2, cl. 2 (conferring jurisdiction to federal courts which is interpreted to require a plaintiff have “standing” for a lawsuit to be heard by a federal court, in other words the party has a direct stake in the lawsuit the so-called “cases” and “controversies” requirement).

[6]See generally Dieffenbach v. Barnes & Noble, Inc., 887 F.3d 826, 828 (7th Cir. 2018) (holding plaintiffs do satisfy injury and the analysis takes into account more than money); In re Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F3.d 625, 637 (3d Cir. 2017) (holding violation of the victims statutory rights created a de facto injury); Whalen v. Michaels Stores, Inc., 689 F. App’x 89, 90 (2d Cir. 2017) (holding no standing because the victim’s credit card was canceled quickly, and fraud was avoided); Reilly v. Ceridian Corp., 664 F3.d 38, 40 (3d Cir. 2011) (holding injury could not be established because it was unclear whether or not intrusion was intentional or malicious).

[7]See Allison Frankel, Data Breach Standing Issue is Back at SCOTUS in Zappos Cert Petition, 36 No. 07 Westlaw J. Comput. & Internet 03 (2018) (announcing that SCOTUS has another opportunity to resolve the standing issue in data breach cases).

[8]See New Study by Identity Theft Res. Center Explores the Non-Econ. Negative Impacts, Indep. Theft Res. Ctr., https://www.idtheftcenter.org/new-study-by-identity-theft-resource-center-explores-the-non-economic-negative-impacts-caused-by-identity-theft/ (last visited Nov. 20, 2018) (discussing data theft statistics).

[9]Id.

[10]See Here’s What Makes the Facebook Data Breach so Harmful, Consumer Rep., https://www.consumerreports.org/digital-security/what-makes-the-facebook-data-breach-so-harmful/ (last visited Nov. 10, 2018) (outlining Facebook data theft).

[11]Id.

[12]Id.