This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel. Visit the website to learn more.

For as long as there have been data breaches that expose consumer data to hackers, there have been lawsuits by consumers seeking to hold companies liable for failing to protect the data collected by or entrusted to them. These lawsuits have often struggled to match up the unique realities of data breaches with traditional theories of legal liability, and courts have often dismissed data breach claims by consumers for reasons relating to lack of standing, unclear causation, nebulous harm, and speculative damages. This problem has been especially acute for plaintiffs hoping to bring claims on behalf of a class of all consumers whose personal data was compromised in a security breach.