95 N.C. L. Rev. 201 (2016)
Courts could reduce doctrinal confusion in data breach litigation, and thus encourage more predictable outcomes, by either recognizing a different factual injury or by requiring only a nominal probability of the injury’s occurrence to render that harm sufficiently imminent. Professor Andrew Hessick has persuasively advocated for a low minimum risk requirement to render an injury sufficiently imminent for standing purposes. The ideal solution for the problems that data breach claims pose would be to align the proper constitutional standard for assessing the imminence of future harms, the “substantial risk” standard, with Professor Hessick’s minimum risk requirement. Nonetheless, courts can still remain faithful to contemporary standing doctrine and still reduce the unpredictability that results from their application of the normative factual injury requirement with a simpler solution: adopting the rule that the exposure of sensitive PII resulting from a data breach is itself a cognizable injury.