Following a data breach, consumers suffer an increased risk of identity theft because of the exposure of their personal information. Limited protection by data-breach statutes has made it difficult for consumers to seek compensation for these injuries and penalize the companies that fail to protect their information, leading consumers to bring common law claims in court. Yet courts have disagreed about whether an increased risk of identity theft qualifies as an injury-in-fact under Article III standing principles: the Seventh and Ninth Circuits have approved of increased risk standing, while the Third Circuit has rejected it. The Supreme Court has further clouded the issue with its recent examination of the injury-in-fact requirement in Clapper v. Amnesty International USA. This Note argues that courts should recognize increased risk standing in certain circumstances, even after Clapper, by applying a framework examining certain key factors in data breaches. It further contends that courts, in implementing this framework, should borrow certain elements from the damages analysis for common law claims to prevent the prompt dismissal of claims based on increased risk when considered on their merits.
* J.D. Candidate, May 2017, University of Michigan Law School. I would like to thank Ryan Rott and all on the Michigan Law Review team—particularly Danielle Kalil-McLane, Kate Canny, Sommer Engels, Chance Hill, and Andrew Robb—for helping make this Note what it is; my family and friends, especially my parents and Niko, Chris, and Nick, for their lifelong support; and Lauren, for loving me and keeping me sane throughout the writing process.