Cadwalader attorneys examined recent data privacy and cyber-security cases that may help class action plaintiffs establish Article III standing in federal court. In a memorandum titled "Dual Decisions Provide Narrow Path for Plaintiffs to Establish Standing in Data Breach and Cybersecurity Suits," Cadwalader attorneys reviewed Spokeo, Inc. v. Robins, a Supreme Court case that held that an online search engine's failure to collect and report an individual's personal information accurately was insufficient to establish standing for a class-action lawsuit. The Supreme Court held that a mere technical violation of a consumer protection statute without any indication of alleged harm to the plaintiff failed to constitute an injury that was both "concrete and particularized" and "actual or imminent." Cadwalader attorneys suggested that, going forward, defendants likely will argue that this standard applies to data breach and cybersecurity actions where plaintiffs show speculative, rather than actual, harm, whether economic or otherwise. However, in a Northern District of Georgia case, In re Home Depot, the federal court found that remediation costs incurred by financial institution plaintiffs as the result of a retailer's failure to secure customer information were sufficient to establish standing, even when the plaintiffs were not the ultimate victims of the breach. The attorneys stated:

Together, the two decisions provide a path for certain plaintiffs to establish standing in data breach and cybersecurity lawsuits...

Click here to view the Cadwalader memorandum authored by Joseph Moreno and Keith Gerver.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.