With data breach incidents on the rise, federal courts are grappling with the issue of standing in class action lawsuits arising from data breaches. As Lawfare has covered previously, there is arguably a circuit split over whether plaintiffs can establish an “injury in fact,” one of three constitutional standing requirements, on the grounds that a breach has put them at a heightened risk of identity theft.
In a 2-1 decision this past summer titled In re: U.S. Office of Personnel Management Data Security Breach Litigation, the U.S. Court of Appeals for the D.C. Circuit weighed in on that question, ruling that plaintiffs whose personal information was exposed in the 2014 infiltrations of the Office of Personnel Management (OPM) sufficiently alleged an “injury in fact” based on their “risk of future identity theft.” The court, in a per curiam opinion, added clarity as to the bar data breach victims must clear in order to establish that they have standing. And because the Supreme Court passed on two opportunities last term to apply its standing doctrine in data breach class actions, the D.C. Circuit’s decision serves as an important marker of the current state of the law.
This post examines the court’s holding with regard to standing for those plaintiffs who brought statutory claims against the government and a government contractor responsible for the OPM database.