Over the last year or two, the issue of cybersecurity and data breach has skyrocketed to the top of a long list of concerns that keep general counsel up at night. Thus far, much of the data breach litigation has focused on the issue of standing when Personally Identifiable Information (PII) has been accessed, but not yet used. Federal court jurisdiction to hear such cases is limited by Article III of the Constitution to cases or controversies, requiring (among other things) an “injury-in-fact.” Even where courts find standing based on the likelihood of harm from having PII accessed, this may not amount to a compensable injury under state law. Such was the case in both the Seventh Circuit’s 2007 Pisciotta v. Old National Bancorp and the Ninth Circuit’s 2010 Krottner v. Starbucks decisions.

Some statutes, however, provide a private right of action for individuals, including statutory damages that can be awarded without an individual plaintiff needing to quantify or prove the monetary value of the damage. For example, the 10th Circuit’s 2006 decision in Robey v. Shapiro, Marianos & Cejda, the Seventh Circuit’s 1998 decision in Keele v. Wexler, the Ninth Circuit’s 1982 decision in Baker v. G.C. Servs., and the Second Circuit’s 2003 decision in Miller v. Wolpoff & Abramson all found standing based on violations of the Fair Debt Collection Practices Act without proof of actual damages. Because of the uniformity of statutory damage awards, this path to Article III standing is particularly inviting for class action litigation (at least where the statute does not limit the resort to statutory damages to individual claims).

Lessons from Spokeo