Data Breaches and Article III ArticleForthcoming
Date of Publication:
Recommended Citation
Anthony Palermo, Data Breaches and Article III, 78 Fla. L. Rev. (2026)Clicking on the button will copy the full recommended citation.
Cyberattacks, hacks, and data leaks dominate news headlines and federal court dockets. Due to the proliferation of data breaches in the modern digital economy, an entire industry dedicated to protecting our electronic identities has emerged.
The law has not caught up with these realities. Constitutional standing requires a plaintiff to demonstrate an injury, actual or imminent, caused by the defendant. Despite their growing recognition of the significance of electronic personal information, courts struggle to evaluate standing in data breach cases. Federal appellate courts have shifted positions and adopted conflicting approaches. Afraid of costly litigation and uncertainty stemming from the unsettled state of the law--coupled with the potential exposure to catastrophic damages awards--companies ranging from small businesses to Fortune 500 corporations look to settle lawsuits filed by individuals whose information may have been accessed during a data breach, even when these individuals cannot identify any resulting injury.
This Article considers the circuit split dividing federal courts regarding their power to hear and resolve claims resulting from data breaches. It suggests that the mere existence of a breach fails to present the constitutionally required injury-in-fact to establish that a claim or controversy exists, and that courts should refuse to hear cases that cannot demonstrate a concrete and particular harm. By raising the threshold for judicial inquiry, courts can be spared thousands of frivolous lawsuits--thereby conserving their time and resources and enabling them to provide speedier justice to parties who can actually demonstrate harm.
