In our last article, we examined the challenges plaintiffs encounter in bringing privacy and data breach claims, including difficulties establishing Article III standing, cognizable injury under state law, and the stringent requirements for class certification. Faced with the daunting problem of establishing an economic “injury” from the mere disclosure of personal data, plaintiffs have now begun to turn their attention to legal theories that do not require proof of actual damages. As we will see, some of these theories have gained legal traction, at least for the time being.
In the Sony Gaming Network data breach litigation, Sony faced a class action from consumers after a criminal intrusion into its PlayStation video game network. The original complaint alleged that plaintiffs faced an increased risk that their personal information would be misused. Finding that “the mere ‘damage of future harm, unaccompanied by present damage, will not support a negligence action,’” the court dismissed the case.