Generic selectors
Exact matches only
Search in title
Search in content
Post Type Selectors


You May Be Victim of a Data Breach, but Do You Have a Right to Sue?

Supreme Court Poised to Rule on Standing Issue

With the recent massive data breaches at health insurance companies Premera Blue Cross and Anthem, Inc., many victims find themselves asking questions such as, “Have I actually been harmed?”, or “How long do I have to wait to see if the theft of my personal information will impact me?”   For those who have already experienced identity theft, the answer is simple.  But for those who have not had illicit charges put on their credit card or had their tax refund application rejected, it is not as simple.  For victims of data breaches who have not experienced identity theft yet, their social security numbers and other personal information are still exposed.  So for them, these are very good questions.  And both are questions that courts have wrestled with, and the answers have not been the same.  Now the Supreme Court might provide the definitive answer.

The uncertainty in the court decisions in data breach cases arises out of a legal concept called “standing.”  Standing is generally defined as the ability of a party to bring a lawsuit in court based on a stake in the outcome.  The law requires that a person has suffered harm, or has been “damaged” in order to have standing to bring a lawsuit.  “Damaged” in the traditional legal sense, means that a person has suffered an actual out-of-pocket loss, i.e., lost money.

In both the recent Premera and Anthem data breach disasters, private consumer data was stolen, leaving customers and employees vulnerable to tax fraud, and other forms of identity theft.  But some courts hold that only those who have lost money have standing to sue.  In those courts, consumers who have not experienced identity theft or fraud, even though their data is still lingering somewhere out there with the thieves, have no standing.  Slowly but surely, related fraud has in fact reared its ugly head.  However, with this type of theft, it may be years before many victims of the data breaches suffer traditional damages, and unfortunately, the linking of the identity thefts to the initial data hacks may be even slower.

Recently, the Supreme Court agreed to hear a case which may help to answer consumers’ questions.  The Court is poised to rule on whether a large internet search engine company, Spokeo, harmed a man by gathering incorrect personal details, in violation or the Fair Credit Reporting Act.

According to Spokeo’s counsel, the Court will look at “Whether Congress may confer Article III standing upon a plaintiff who suffers no concrete harm, and who therefore could not otherwise invoke the jurisdiction of a federal court, by authorizing a private right of action based on a bare violation of a federal statute.” Spokeo claims the plaintiff should be barred from bringing his suit; the allegations are merely “speculative anxiety and concern about what might happen.”

The plaintiff, on the other hand, does believe he suffered concrete harm.  He alleges the errors by Spokeo caused him “economic, reputational, and emotional” injuries” and has lessened his prospects of future employment.

According to a Wall Street Journal article, “A ruling in favor of (the plaintiff) could have huge implications for large Internet companies that have millions of users by carving out a more elastic right to sue and giving Congress more power to define the judiciary’s role in settling disputes.”

The Spokeo case is brought under the Fair Credit Reporting Act.  The Court’s ruling could also affect other cases citing the Telephone Consumers Protection Act, the Americans with Disabilities Act, the Truth in Lending Act and many other state and federal laws which allow consumers to sue for statutory damages.

We will be keeping a close eye on the Supreme Court case.

If you have experienced identity theft as a result of the failure by a health care company to protect your private information, or if you are a Premera subscriber and believe that your private information has been compromised or that you are a victim of the Premera Database Breach, please contact a GSP attorney to learn more about your rights. GSP attorneys are actively litigating similar matters against Anthem, Community Health and Target. Please contact Mark Goldman or Paul Scarlato at or or call (484) 342-0700 with any questions you may have.

For more information, see:


In our legal system, every person is innocent until and unless found guilty by a court of law or a tribunal. Whenever we reference “allegations” or charges that are “alleged,” such allegations or charges have not been proven, and are merely accusations, not findings of fault, as of the date of the blog. We do not have, nor do we undertake, a duty to continue to monitor or follow cases about which we report, and/or to publish subsequent updates regarding various developments that may occur in such cases. Readers are encouraged to conduct their own research regarding any such cases and any developments that may or may not have occurred in such cases. Also, the brokercheck report linked to some of our blogs is the up-to-date version as of the date of accessing. Visitors may check the most recent version of each brokercheck report at

Leave a Reply