Last Update: 04/05/2026 at 2:50 PM EST
Courts Tighten Data Breach Standing
Coverage from IAPP.org, Hinshaw & Culbertson LLP, and others
Articles
3
Latest Article
05/13
Active Days
8
Executive Summary
Second and Third Circuit rulings narrow when data breach plaintiffs can sue, tying standing to concrete misuse, imminent risk, and current harm.
- The Second Circuit in McMorris adopted a three-factor test for increased-risk standing
- Targeted acquisition, prior misuse, and sensitive data all matter in the standing analysis
- The court said credit monitoring and self-remediation alone do not create standing
- The Second Circuit affirmed dismissal where employee PII was mistakenly emailed internally
- The Third Circuit in Clemens allowed standing where substantial future risk caused present emotional distress or mitigation costs
- Courts in Illinois and Wisconsin are split on whether mitigation expenses and alleged misuse are enough for standing
Quick Facts
- What: They are defining when plaintiffs have standing
- Where: Mostly in the Second and Third Circuits
- Why: To separate concrete injury from speculative future risk
- Who: Federal and state courts handling data breach suits
- When: Decisions from 2021 through 2025
Coverage Timeline: 8 Days
Featured Article
The Third Circuit in Pennsylvania held on Sept. 2 that substantial identity-theft risk plus a separate present harm can establish standing in data-breach suits.
Additional Articles
⭐⭐⭐⭐⭐⭐⭐⭐
U.S. federal and state courts in the 2020s are requiring concrete, traceable injuries—beyond speculative increased risk—for standing in data breach class actions in Illinois and Wisconsin.
The Second Circuit affirmed dismissal for lack of Article III standing in McMorris v. Carlos Lopez & Associates (Apr 26, 2021), endorsing a three-factor increased-risk test after an internal PII disclosure in the United States Second Circuit.