Cybersecurity, Identify Theft, and Standing Law: A Framework for Data Breaches Using Substantial Risk in a Post-Clapper World
62 Pages Posted: 26 Mar 2017
Date Written: December 15, 2016
Since Clapper v. Amnesty International USA,9 many courts have shut the door on victims alleging a heightened risk of injury, particularly when the injury is identity theft, because Clapper does not permit standing based on a heightened risk of injury alone.10 But recently, the Seventh Circuit disagreed with that view when deciding Remijas v. Neiman Marcus Group,11 a case involving a breach of Neiman Marcus’ systems, holding that Clapper neither altered standing law nor did it foreclose all heightened risk injuries.12 This Article agrees and argues that Clapper did not alter the Article III standing requirements; it merely reemphasized the Court’s demand for a heightened scrutiny for constitutional challenges to government activity. Consequently, the Seventh Circuit correctly applied standing law in Remijas under a “substantial” risk theory. Part I will discuss large scale data breaches and its relationship with identity theft, Clapper, and Article III standing on imminent injuries. Part II argues that the minimum constitutional threshold should allow standing under a heightened-risk-of-identity-theft (HRIT) using a “substantial” or “reasonable” risk threshold. Part III applies Part II to data-breach cases, specifically, and suggests several factors the courts could consider when determining whether a victim faces a sufficiently imminent injury for Article III standing. Part III also demonstrates that the Seventh Circuit used similar factors in Remijas. I then conclude.
Keywords: clapper, cybersecurity, national security, identity theft, data breaches, substantial risk analysis
JEL Classification: K1, K19
Suggested Citation: Suggested Citation