Say you're a large employer using an electronic payroll system that is hacked by nefarious persons unknown. Suddenly, your employees' Social Security numbers, birth dates, earnings history, withholdings, and home and business addresses are now presumed to be open to exploitation. What's worse, the hack occurred as a result of a heretofore unknown but readily discoverable flaw in your corporate IT firewall that, once it was exploited, opened all of the employees' personal data to review by a third party.
Eschewing the traditional pitchforks and torches, a group of your employees files suit alleging potential identity theft, increased costs to monitor credit activity and significant emotional distress as a result of the threat of having their financial futures ruined. Big trouble for you, right?
Probably not. A recent decision of the Third Circuit discusses a very similar situation involving a contract payroll processing firm that also suffered a significant breach of security, resulting in tens of thousands of employment records being opened to unauthorized review. But, as the District Court found and the appellate court affirmed, the plaintiffs in this case did not have standing to sue because their allegations of hypothetical future injury were not sufficient to satisfy the requirement that there be an actual injury in fact for a lawsuit to proceed. Or, as the court noted with respect to the plaintiffs' still speculative claim that a hacker took their personal information with the intent to commit a future criminal act involving their identity, "unless and until these conjectures come true, appellants have not suffered an injury; there has been no misuse of the information, and thus, no harm."
This is probably music to the ears of many companies that maintain large amounts of sensitive personal data that is always under the threat of revelation. The short answer is that simply suffering a data breach like this does not open the door to liability; there has to be some manifestation of harm before a court will agree to review the case or award a remedy.