The Standing Requirement Remains an Open Question but Still a Valid Defense to Cyber Claims

By: Jeff Alitz

In litigation proceeding in the Federal Courts, it has always been necessary for a successful plaintiff to in some manner establish that the harm sought to be remedied by a federal lawsuit falls within the

authority of the courts to hear and decide such cases. Put another way, Article III of the Constitution limits the authority of Federal Courts to decide only those cases where the claimant has “standing” –  a cognizable interest in the dispute. That interest must be demonstrated by a showing of  1. A concrete injury, 2. The injury is attributable to the defendant’s actions and 3. The injury can in some way be addressed by a favorable decision in the case. Given the fact that in many cases claimants have demonstrated that a cyber breach has occurred for which a target defendant is responsible, only to be denied standing -and hence denied recovery- where no actual “harm” or loss has been established, just what constitutes that harm is an often-litigated issue that has been in many lawsuits a powerful defense to those parties alleged to have committed some type of cyber misstep. Several recent Supreme Court actions have both done little to clarify that issue – what type of “harm’ must be demonstrated for standing to be proven – but the actions have simultaneously served to preserve standing as a significant hurdle for cyber claim plaintiffs to clear in most states.

Specifically, on March 20, 2019, in reviewing the Frank v. Gaos decision decided by the Ninth Circuit which had approved the class action settlement between Google and a group (class) of Google users, the Supreme Court ordered the Ninth Circuit court to determine if the plaintiffs in that case had suffered a concrete injury before any settlement could be approved. But, in reaching that result, the Court did not give any guidance on how a court need decide if an injury- in- fact had occurred. Less than a week later, in denying certiorari to the parties in Zappos v. Stevens, the Court similarly declined to give any clarity to the injury in fact standard. In effect by refusing to resolve the split among the circuit courts where some have determined that simply identifying theft of information or cyber fraud and the THREAT of future misuse is sufficient to confer standing ( as the Sixth, Seventh, Ninth and D.C. Circuits have done) while others (the First, Second, Third, Fourth and Eighth Circuits) have held that simply alleging the threat of future harm is not enough to establish an actual harm sufficient for standing purposes, the Court has left that issue to the lower courts to continue to resolve on a piecemeal basis.

The Supreme Court’s inaction comes at a time when state legislatures are focusing on the injury -in- fact issue by enacting statutes that attempt to eliminate any requirement that a claimant must establish actual harm to succeed on cyber liability based lawsuit. California’s Privacy Act of 2018, Massachusetts Senate Bill 120 and the Illinois Biometric Privacy Act each either clearly state or simply suggest (in the case of the Illinois act)  that no injury apart from being subject to a theft or disclosure is needed to establish standing. Nevertheless, in those states that have NOT passed such legislation and in those states that are not within the jurisdictions of the Circuit Courts that have watered down the Article III requirement that a concrete injury be established to confer standing, defendants in cyber lawsuits – and their insurers and attorneys – can continue to focus on the lack of provable harm to defeat such claims.

Chair of construction and design law practice section of the national law firm of Freeman Mathis & Gary, Jeff is a partner in the firm’s Boston office. For over two decades, he has been a nationally recognized A&E attorney who has tried cases throughout New England defending an array of construction and design professionals. Jeff can be contacted by email at jalitz@fmglaw.com.

Jeff also serves on the roster of neutrals of REBA’s affiliate, REBA Dispute Resolution.  For more about Jeff’s dispute resolution experience, or to schedule an arbitration or mediation with Jeff, go to adr@reba.net.   For more about REBA/DR, go to www.disputesolution.net.