Risky Business: The Risk of Identity Theft and Standing to Sue

Parker Hudson*

Abstract

Nearly one in five Americans will experience an incident of identity theft during their lifetimes, often as the result of a data breach. These victims come from all different backgrounds; their assailants are indiscriminate. At a time when technology is making it easier than ever for identity thieves to harm people from afar, the law must similarly evolve to protect these victims from further injury.

The Supreme Court has recognized that the threat of future injury may be sufficient to confer standing to sue in an Article III federal court. However, the Court’s precedent is strained where the alleged injury is the increased risk of future identity theft following a data breach. Unsurprisingly, the circuit courts are split on whether the risk of future identity theft is sufficient to confer Article III standing.

Congress has yet to enact legislation providing data-breach victims with a private cause of action against the party responsible for their data’s vulnerability. However, other countries, unions, and several states have enacted such legislation. Notably, the European Union and California have both addressed the issue with robust statutes.

This Comment highlights the magnitude of risk that consumers face when data breaches compromise their personally identifiable information. It also discusses the General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”), statutes enacted by the European Union and California, respectively. Ultimately, this Comment argues: (1) that the Supreme Court should take a consumer-minded approach in resolving the current circuit split, and (2) that Congress should enact legislation providing data-breach victims with standing to sue the parties responsible for their data’s exposure, while striking a compromise between the GDPR and the CCPA.

*J.D. Candidate, The Pennsylvania State University, Penn State Law, 2021.
