North Carolina Law Review

University of North Carolina School of Law

160 Ridge Road

Chapel Hill, NC 27514

Uncertain Standing: Normative Applications of Standing Doctrine Produce Unpredictable Jurisdictional Bars to Common Law Data Breach Claims

December 15, 2016

95 N.C. L. Rev. 201 (2016) 


Courts could reduce doctrinal confusion in data breach litigation, and thus encourage more predictable outcomes, by either recognizing a different factual injury or by requiring only a nominal probability of the injury’s occurrence to render that harm sufficiently imminent. Professor Andrew Hessick has persuasively advocated for a low minimum risk requirement to render an injury sufficiently imminent for standing purposes. The ideal solution for the problems that data breach claims pose would be to align the proper constitutional standard for assessing the imminence of future harms, the “substantial risk” standard, with Professor Hessick’s minimum risk requirement. Nonetheless, courts can still remain faithful to contemporary standing doctrine and still reduce the unpredictability that results from their application of the normative factual injury requirement with a simpler solution: adopting the rule that the exposure of sensitive PII resulting from a data breach is itself a cognizable injury.



Please reload