The Florida Bar

Florida Bar Journal

Have We Reached the Tipping Point? Emerging Causation Issues in Data-Breach Litigation


Illustration by Barbara Kelley

It seems that hardly a day goes by without mention of a large-scale data breach.[1] These breaches typically involve the disclosure of vast amounts of personally identifiable information (PII).[2] In fact, a Pew Research Center survey released in early 2017 concluded that more than half of United States citizens already have experienced a data breach.[3] Additionally, according to a report issued by the Identity Theft Resource Center, more than 1,200 new data breaches occurred in 2018 alone, exposing at least 446,515,334 records of individuals.[4] With more than half of U.S. citizens having already been victimized by at least one data breach, and hundreds if not thousands of other breaches occurring each year, it is increasingly likely that someone will have their PII compromised by multiple data breaches.

Consequently, a critical issue for courts grappling with data-breach litigation is whether the plaintiff can prove that the harm allegedly suffered was caused by the data breach that is the subject of the case in question, versus another prior data breach that also exposed that plaintiff’s PII. Proving causation in data-breach litigation naturally will become an increasingly difficult task as additional data breaches occur and more individuals become the victims of multiple cyber breaches. Indeed, we are perilously close to reaching a causation “tipping point” where it is virtually impossible to determine whether a particular data breach was the proximate cause of subsequent related harm if the claimant’s PII was previously disclosed in one or more other data breaches. Lest data breach litigation devolve into some form of strict liability, courts are beginning to require more than mere “time and sequence” allegations and proof (i.e., that a data breach occurred and then some harm consistent with a data breach followed) to determine whether plaintiffs have sufficiently pled, and ultimately can prove, that a particular data breach was the cause of their harm.

This crucial causation question can arise in a variety of contexts in a data-breach case. For instance, defendants in federal cases often file motions challenging whether plaintiffs have sufficiently alleged causation for Article III standing purposes, whether plaintiffs’ proximate cause allegations are adequate, and whether plaintiffs have properly alleged damages for their substantive claims. In class-action litigation, defendants frequently argue that class plaintiffs have failed to sufficiently plead causation for the putative class as a whole, and that class certification is inappropriate because plaintiffs cannot establish that all putative class members share common facts and claims relating to causation. If these causation challenges fail, plaintiffs still must prove that the relevant data breach was the proximate cause of plaintiffs’ harm to prevail on many of the substantive claims that plaintiffs typically assert in data-breach cases.

Moreover, there is a risk that victims of multiple data breaches might seek and obtain double recovery for a single data breach injury if courts do not require plaintiffs to prove which specific data breach actually caused plaintiffs’ harm. In short, causation is likely to be one of the most hotly contested and challenging issues for litigants and the courts in future data-breach litigation.

Causation at the Pleading Stage

Causation issues are often raised as early as the pleading stage in data breach cases. In federal cases, defendants often challenge whether plaintiffs possess the requisite Article III standing to even bring a data-breach case. To establish Article III standing, plaintiffs must allege that “(1) [plaintiffs have] suffered an ‘injury in fact’ that is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical; (2) the injury is fairly traceable to the challenged action of the defendant; and (3) it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision.”[5] Additionally, defendants usually contend that plaintiffs have failed to adequately allege proximate causation for their substantive claims because most (but not all) claims commonly asserted by plaintiffs in data-breach litigation require a showing that the relevant data breaches proximately caused the damages claimed by plaintiffs.[6]

To survive defendants’ common standing and proximate cause challenges, plaintiffs must allege enough to show a causal connection between plaintiffs’ harm and the relevant data breach for both standing and proximate cause purposes. However, as discussed below, pleading Article III standing is much less burdensome than alleging proximate causation. Consequently, complaints that sufficiently allege causation for standing purposes do not also automatically satisfy the more onerous proximate cause pleading standard. Unfortunately, however, courts sometimes create confusion at the pleading stage by conflating the differential causation needed to establish an “injury in fact” for standing purposes versus that needed to establish “proximate causation” as an element of a claim.

Pleading Article III Standing — While many of the initial challenges in data-breach lawsuits have focused on the plaintiffs’ ability to establish they have suffered an “injury in fact” (e.g., is an increased risk of identity theft sufficient), the Article III standing analysis includes a causation element — whether the injury is “fairly traceable” to an alleged data breach — that has not yet received the same level of judicial scrutiny as the “injury in fact” assessment.[7] However, as more courts issue decisions staking out the contours of a sufficiently pled “injury in fact” and as a consensus slowly emerges, the analysis likely will shift to the corresponding causation requirement.

To determine whether plaintiffs possess the requisite Article III standing to pursue data-breach claims in federal court, the relevant causation inquiry turns on whether plaintiffs’ alleged harm is “fairly traceable” to defendants’ conduct.[8] The showing required to establish that an alleged injury is “fairly traceable” to the actions of defendants is not burdensome, and requires less than the showing required to establish proximate cause.[9] Indeed, courts often conclude at the pleading stage that even general allegations that harm resulted from defendants’ conduct suffice to demonstrate standing.[10] Thus, when considering the Article III standing question, courts need not (and should not) consider whether plaintiffs have sufficiently alleged proximate causation for their substantive claims.[11]

For instance, in Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012), the court found that plaintiffs adequately established Article III standing merely by alleging that 1) defendant failed to secure plaintiffs’ information on company laptops, 2) the laptops were subsequently stolen, and 3) plaintiffs became victims of identity theft after the laptops were stolen despite plaintiffs’ personal habits of securing their sensitive information.[12] Similarly, in Smith, allegations that 1) plaintiffs entrusted their PII to defendant, 2) defendant did not secure it, 3) a data breach resulted in which plaintiffs’ information was stolen, and 4) the stolen information was utilized to file fraudulent tax returns were deemed sufficient to show that plaintiffs’ alleged injuries were fairly traceable to defendant’s actions.[13]

In short, plaintiffs do not need to plead detailed “causation” facts to overcome preliminary challenges to their Article III standing to maintain data breach claims. In fact, cases like Resnick and Smith suggest that mere “time and sequence” allegations might even be enough to plead Article III standing. But the causation inquiry does not end there.

Pleading Proximate Cause as an Element of a Claim — In contrast to the “fairly traceable” test used to determine whether Article III standing has been adequately pled, Fed. R. Civ. P. 8(a) and 12(b)(6) present “higher hurdles” for plaintiffs attempting to plead proximate cause. To establish proximate cause at the pleading stage, plaintiffs must allege facts sufficient to raise a right to relief above the speculative level.[14] Indeed, courts are increasingly finding that general or conclusory proximate cause allegations are insufficient to support data-breach claims that require a showing of proximate cause.

For example, after initially concluding that plaintiffs had pled enough to demonstrate their Article III standing, the court in Resnick then addressed whether plaintiffs had sufficiently pled proximate causation for certain of their claims. Recognizing that dismissal is appropriate absent adequate “causation facts,” the court explained that, “to prove that a data breach caused identity theft, the pleadings must include allegations of a nexus between the two instances beyond allegations of time and sequence.”[15] Because the complaint alleged extraordinary prophylactic measures that plaintiffs had taken to protect their PII before the data breach, the court concluded that plaintiffs sufficiently had pled causation.[16] However, the court also warned that if plaintiffs had “alleged fewer facts, we doubt whether the [c]omplaint could have survived a motion to dismiss.”[17]

The court in Burrows v. Purchasing Power, LLC, No. 1:12-cv-22800-UU, 2012 WL 9391827 (S.D. Fla. Oct. 18, 2012), also recognized the important distinction between pleading causation for Article III standing purposes and pleading proximate causation for purposes of adequately stating substantive claims. Addressing whether plaintiff had pled enough to show that his injuries were fairly traceable to defendants’ conduct for Article III standing purposes, the Burrows court concluded that the more onerous “proximate cause” pleading standard articulated in Resnick was “inapposite to the…question of whether [plaintiff’s] injuries can be fairly traced to defendants’ conduct for standing purposes.”[18] In other words, the plaintiff was not required to plead as much to establish the necessary Article III standing to pursue his alleged data breach claims.

Cases like Resnick and Burrows suggest that plaintiffs must plead more than merely the occurrence of a data breach and subsequent damages consistent with such a breach to sufficiently allege proximate causation. Given that a majority of Americans have now been the victim of one or more data breaches — not to mention that the percentage of victimized individuals is likely to increase during the coming years — requiring plaintiffs to allege facts beyond mere “time and sequence” seems both logical and appropriate. Indeed, it is possible that courts may require even more than the Resnick-type proximate cause allegations in the future as additional data breaches occur and more individuals become the victims of multiple data breaches. Otherwise, a plaintiff who was the victim of more than one data breach could achieve a double, or even a triple recovery, by asserting data breach claims against every business that exposed the plaintiff’s data shortly before the plaintiff’s harm occurred, even if only one of the breaches actually caused the harm.

“Injury in Fact” for Standing Purposes Versus Damages as an Element of a Claim — Much like Resnick’s differentiation between “fairly traceable” causation for standing purposes versus proximate causation as an element of the relevant underlying claim, some courts recognize that more is required to plead damages as an element of a substantive claim than is required to plead injury for Article III standing purposes. For instance, Attias v. CareFirst, Inc., No. 15-cv-00882 (CRC), 2019 U.S. Dist. LEXIS 14387 (D.D.C. Jan. 30, 2019), recently concluded that allegations sufficient to demonstrate damages for Article III standing purposes were nevertheless inadequate to establish the damages element of the plaintiffs’ underlying state-law claims.[19] In Attias, the District of Columbia Circuit Court previously determined that plaintiffs properly alleged injuries for standing purposes and remanded the case for further proceedings.[20] After the defendant renewed a motion to dismiss on remand, the district court dismissed certain of plaintiffs’ claims because the plaintiffs had failed to sufficiently allege that they had incurred the type of actual damages required to sustain their claims under state law.[21] In so holding, the district court stated that “[t]he D.C. [c]ircuit’s standing ruling [did] not control whether plaintiffs have alleged actual harm for purposes of their state law claims[,]” and that “[p]laintiffs may satisfy the Article III injury-in-fact requirement and yet fail to adequately plead damages for a particular cause of action.”[22]

The Ninth Circuit reached a similar conclusion in Krottner v. Starbucks Corp., 406 F. App’x 129 (9th Cir. 2010), observing that an injury-in-fact for purposes of Article III standing will not necessarily establish the type of damage necessary to plead a substantive state law claim. In Krottner, the court held that despite having Article III standing due to a risk of future identity theft, the plaintiffs failed to state a negligence claim because, under the relevant law, “[t]he mere danger of future harm, unaccompanied by present damage, will not support a negligence action.”[23] Accordingly, in addition to meeting their relatively “light burden” of establishing damages for standing purposes, plaintiffs also were required (consistent with the requirements for pleading proximate causation) to satisfy a higher burden and sufficiently plead cognizable damages under applicable substantive law to properly state viable data breach claims.

Causation at the Class Certification Stage

In the class-action context, it is clear that Article III standing exists even if only a single class plaintiff or representative can establish the requisite standing. Passive putative class members need not separately establish standing because the standing issue focuses only on whether the named plaintiff, rather than a represented party or absent class member, is properly before the court.[24] Accordingly, to demonstrate standing in a class action, only a single class plaintiff need plead an “injury in fact.”

What is less clear, however, is whether in a class action setting a single plaintiff can establish on behalf of the entire putative class the “proximate causation” and damage needed to satisfy elements of the substantive underlying claims. Plaintiffs probably will argue that if proximate causation and damage were required to be pled on behalf of other class members not before the court, the core function of class actions might be compromised. As support for this view, plaintiffs likely will rely on cases holding that only one named plaintiff needs to demonstrate standing to pursue a class action.[25] Further, plaintiffs almost certainly will contend for certification purposes that any individualized causation or damages questions raised by defendants are merely “background issues” that do not overcome the predominance of significant common questions that otherwise exist in the relevant litigation.[26]

Conversely, defendants likely will assert that the requirements for sufficiently pleading a claim for relief on behalf of a class should be no less stringent than for pleading an individual claim.[27] In the data-breach context, this position would require allegations tying the putative class members’ alleged damages to the subject data breach before those class members may pursue class claims. For instance, without sufficient allegations of prophylactic measures taken by all of the putative class members to protect their PII, there arguably is no way to assess the likelihood that such class members’ alleged damages actually resulted from the data breach in question, versus any of the other numerous data breaches that inundate our headlines almost daily.[28] In other words, absent adequate proximate causation allegations, this view would encourage courts to refrain from making the inferential leap that Resnick warned against — finding that the class plaintiff’s data breach was the proximate cause of the other putative class members’ injuries merely because some of the injuries occurred at various times shortly after the data breach.[29]

Even if this causation issue does not arise at the pleading stage of data-breach litigation, it is almost guaranteed to arise at the class certification stage. To obtain class certification, plaintiffs must establish, among other things, that questions of law or fact common to the class exist and that plaintiffs’ claims are typical of the putative class members’ claims.[30] For instance, given the commonality and typicality requirements of Rule 23, defendants are likely to argue in response to a class certification motion that class plaintiffs can, at best, represent only a class of individuals who undertook the same prophylactic measures taken by plaintiffs to protect their PII. Absent evidence of such measures, the facts and circumstances of class plaintiffs’ claims arguably cannot be common with, or typical of, other putative class members who did not take such preventative actions.[31]

Moreover, causation questions at the class certification stage are likely to become even more challenging as additional data breaches occur and more individuals become victims of multiple data breaches. For example, should a certified class include 1) anyone whose data was exposed in the specific data breach that triggered the litigation; 2) only individuals who took the same prophylactic measures taken by the named plaintiffs to protect their data; or 3) only individuals who were victims of the same multiple data breaches as the named plaintiffs? Does the requisite commonality and typicality exist if 1) different prophylactic measures were taken by various class members; 2) some, but not all, class members are victims of multiple data breaches; or 3) class members with multiple data breaches were subject to some, but not all, of the same data breaches as plaintiffs or other class members? Obviously, as these and other variables are added to the certification analysis, courts will have to wrestle with how to weigh such factors when deciding whether to certify a class. Thus, obtaining class certification in future data breach cases might become even more difficult, even if plaintiffs successfully overcome preliminary standing and pleading challenges to their claims.

Causation at the Merits Stage

Even assuming plaintiffs successfully navigate all of the preliminary causation challenges likely to be raised by defendants at the pleading and certification stages, actually proving at the merits stage of a data breach case that plaintiffs’ harm was proximately caused by the actions of defendants (for those claims that include proximate cause as an element) remains a challenging task. Although plaintiffs might win all of the preliminary causation skirmishes that typically occur in data-breach actions, plaintiffs still can lose the war if they are unable to actually prove on summary judgment or at trial that defendants’ conduct was the proximate cause of plaintiffs’ damages. The task of proving proximate causation will become even more problematic as the PII of more individuals is exposed through future data breaches, and as more people become the victims of multiple data breaches.

A crucial question in data-breach litigation going forward, thus, likely will involve how victims of multiple data breaches can prove a particular data breach resulted in the harm they are seeking redress for in their case. Principles of fairness and due process seemingly dictate that a defendant should not incur liability for a data breach unless the defendant’s own data breach caused a plaintiff to suffer harm. But in a world where data breaches are almost a daily occurrence, determining whether a specific data breach caused a plaintiff’s harm might prove extremely difficult. For example, if a plaintiff is the victim of multiple data breaches involving disclosure of his or her Social Security number before he or she incurred data breach-related harm, how could that plaintiff successfully prove which of the various breaches actually caused the subsequent harm? Because very few data breach cases even reach the summary judgment or trial stage, the answer to this question currently remains unclear.

Although the existing data breach caselaw has yet to provide much guidance regarding how causation questions ultimately will be decided where plaintiffs and class members are the victims of multiple data breaches, similar causation issues arising in mass tort litigation involving multiple manufacturers might provide some guidance. Like most claims usually alleged by plaintiffs in data breach cases, the claims typically asserted in mass tort litigation require proof that damages were caused by a particular named defendant, versus some other unnamed manufacturers. For instance, plaintiffs in tobacco litigation usually must prove that the named defendant’s product caused plaintiffs’ harm because most smokers have used multiple manufacturers’ products over the course of their lives. While not entirely analogous to the data breach context, the manner in which courts have addressed causation questions in such mass tort cases might provide some insight into how courts ultimately will decide causation issues in the data breach litigation context.

Market Share Liability — Whereas mass tort litigation plaintiffs typically are required to prove that a particular defendant caused their harm, the inherent difficulty in meeting that proof requirement where multiple defendants potentially contributed to the loss has prompted courts to resort to alternative theories of causation. A few courts have adopted a “market-share liability” approach for this purpose, which potentially imposes liability on manufacturers even if the plaintiff’s injury is never causally linked to a particular manufacturer’s product.[32] Under the market-share liability theory, a defendant’s liability is calculated based on its share of the relevant market.[33] For instance, in Sindell v. Abbott Labs., 607 P.2d 924 (Cal. 1980), the court held that each of the 11 manufacturers of a drug (DES) administered to plaintiff would be liable to plaintiff based on the defendant’s proportionate share of the DES market, unless a defendant could prove that its product was not the cause of plaintiff’s harm.[34] While this market-share theory might be viable in a mass tort case where multiple companies manufacture essentially the same product, the theory seems at first blush ill-suited to data breach cases in which the defendants do not sell the same product in a common market and, thus, lack a calculable market share.

Concurrent Causation — Another causation theory occasionally relied on by courts in mass tort cases is commonly referred to as “concurrent causation.”[35] Under traditional common law principles, defendants are jointly and severally liable if their tortious acts combine to cause an indivisible injury to a plaintiff.[36] Because each defendant’s conduct constitutes a cause-in-fact of the plaintiff’s injury, this theory does not permit a recovery against a particular defendant without proof that this defendant caused at least some of the plaintiff’s harm.[37] However, a few courts have expanded the “concurrent causation” theory to permit plaintiffs to recover against a defendant without specific proof that the defendant’s actions actually caused at least a portion of plaintiff’s harm, provided the plaintiff can prove that he or she was exposed to the defendant’s product, and the defendant’s product was a substantial factor in contributing to plaintiff’s harm.[38] For example, this expanded theory has been applied in cases involving asbestos-related injuries in which plaintiffs have been unable to prove which specific manufacturer’s product actually caused plaintiffs’ injuries.[39] Such an extension of the “concurrent causation” theory is premised on the rationale that a plaintiff cannot be expected to prove scientifically unknown details of the relevant product (e.g., asbestos) and its ultimate impact on the plaintiff’s condition.[40] But it remains unclear whether courts will apply this theory in the data breach context, particularly if plaintiffs are unable to prove that the relevant defendant caused at least some portion of plaintiffs’ alleged harm.

Alternate Liability Theory — A few courts have also invoked an “alternative liability” theory to allow plaintiffs to overcome proximate cause proof problems in the mass tort context where it cannot be definitively shown which manufacturer’s product caused plaintiff’s harm.[41] This theory traces its roots to the classic case of Summers v. Tice, 199 P.2d 1 (Cal. 1948), in which the court permitted a plaintiff to recover jointly and severally against two simultaneously negligent defendants, absent proof by one of the defendants that the other caused plaintiff’s injury. Traditional application of the “alternative liability” theory depended on a showing that multiple defendants were actually negligent, but a few courts have concluded that use of the theory is unobjectionable:

as long as a plaintiff can prove general causation, i.e., that he was injured by the type of product or substance manufactured by defendants, and as long as there is a rational method for determining the percentage of the total harm caused to all those damaged by each of the possible defendants….[42]

Before applying the “alternative liability” theory, courts generally have required that all potentially liable manufacturers be named as defendants in the litigation (or at least that plaintiffs have made a genuine effort to identify and locate all potential tortfeasors).[43] Further, most courts have rejected resort to this theory altogether as an alternative to requiring proof of proximate cause for fear that a manufacturer might be held liable even though a different manufacturer actually caused the harm.[44] For these reasons, this theory is probably not well-suited for use in data breach litigation, particularly if plaintiffs are unable to identify all potential data breaches that could have exposed their PII and include all of the breached businesses as defendants in the litigation.

Because data-breach litigation continues to evolve, it remains unclear whether courts ultimately will apply any of the causation theories discussed here, or possibly develop others, to permit plaintiffs to prove proximate causation in data-breach cases without establishing that a particular defendant actually caused plaintiffs’ harm.[45] But as more and more individuals become victims of multiple data breaches, the problem of proving causation in cyber litigation is almost certain to draw more judicial attention.

Potential Double Recovery for the Same Data Breach Harm

The foregoing causation issues will be highlighted as more data breaches occur and as resulting data-breach litigation continues to proliferate. As we near a potential tipping point where almost everyone’s data has been compromised, courts will have to confront these challenging causation issues and determine whether plaintiffs who have experienced multiple data breaches can pursue multiple claims for the same harm. Victims of multiple data breaches potentially could end up asserting separate claims against every entity that allowed the victims’ data to be compromised. But as discussed above, perhaps only one of the breaches actually caused the data breach plaintiff’s injury, and it is often difficult (if not impossible) to determine the culprit.

A hypothetical demonstrates the double recovery issues that can arise if victims of multiple data breaches are permitted to pursue multiple data breach cases. Assume that an entity that exposed class members’ data is sued in a class action that ultimately is settled by providing relief to the class members for harm resulting from the breach. Further assume that some of the class members benefitting from the settlement were also the victims of another data breach that occurred before they incurred any actual harm, and that these class members sue to recover for data breach-related harm from the other breached entity in a subsequent, separate class action. At least two obvious questions arise from such a scenario, the second of which raises additional causation issues: 1) should the previous settlement bar the second lawsuit altogether; and 2) if the second lawsuit is permitted to proceed, should courts permit data breach victims to seek recovery in that case for data breach damages that arguably are identical to (or at least substantially overlap with) damages sought in the first data-breach case — and if not, how should the victims’ damages be allocated among the multiple data breaches?

To date, the foregoing questions have yet to be answered by courts in data-breach cases. However, such questions arguably could be eliminated (or the risk of multiple data-breach actions at least minimized) by the terms of the settlement in the initial data breach case. For instance, the parties in the first case might include language in their settlement agreement providing that the settlement is intended to resolve and release all claims for data breach-related harm incurred by the settling class members through the effective date of the settlement, as well as all claims against the defendant in the first case for any data breach-related harm that the settling class members might incur after consummation of the settlement. Such an agreement seemingly would protect the first defendant from being sued again by the settling class members for any past or future damages allegedly caused by the subject data breach, and prevent the settling class members from suing for and recovering, against another entity, data breach-related damages incurred before, and intended to be encompassed within, the settlement. However, such a clause arguably should not bar the settling class members from seeking to recover, from other entities that experienced data breaches, breach-related damages that were incurred after the first settlement (either before or after the settlement). Although it is unclear how such a provision might be interpreted and applied in a subsequent case, such a clause probably would enable pursuit of claims by victims of multiple data breaches against nonsettling entities for harm incurred after a settlement, while also reducing the likelihood of serial litigation to recover for the same underlying loss.


Courts must address causation questions at virtually every step of cyber litigation, including at the pleading stage, the class certification stage, and, if necessary, the merits stage. Although the initial battles in data breach litigation focused on pleading an “injury in fact” for Article III standing purposes, more attention likely will be devoted in the future to pleading causation as an element of the relevant substantive claims, versus an “injury in fact” sufficient merely to establish standing. Further, as more data breaches occur and as PII becomes increasingly compromised in connection with multiple breaches, cyber causation issues will become even more challenging as courts grapple with the extent to which victims must trace any cyber-related harm to the actual precipitating breach. Answers inevitably will unfold to these and other questions, but for now, the causation landscape in data breach litigation appears to be in a state of flux.

[1] Data breaches occur in a myriad of ways. Some result from intentional, targeted “hacks” of businesses’ computer systems. Others involve burglaries in which laptops or computer hard drives are stolen and mined for PII. Sometimes, PII is compromised through a “phishing” scheme in which unsuspecting employees provide information in response to bogus requests that appear to be from high-level company executives, but are instead sent by criminals from outside of the victimized businesses. Additionally, PII sometimes is simply disclosed or released accidentally or carelessly, leaving sensitive information readily observable to potential wrongdoers even though no one affirmatively sought initially to obtain the PII through nefarious means.

[2] PII includes such things as names, Social Security numbers, dates of birth, addresses, financial information, medical diagnostic and treatment information, and other types of sensitive and private information.

[3] See Pew Research Center, Americans and Cybersecurity (Jan. 26, 2017), available at

[4] See Identity Theft Resource Center, 2018 End-of-Year Data Breach Report, available at

[5] Resnick v. AvMed, Inc., 693 F.3d 1317, 1323 (11th Cir. 2012) (internal citation omitted).

[6] For example, proximate cause is an element of negligence, breach of contract, breach of implied contract, negligence per se, breach of fiduciary duty, and breach of confidence claims, some or all of which generally are asserted in data breach cases. See, e.g., Resnick, 693 F.3d at 1325.

[7] The type of harm required to demonstrate an injury in fact for standing purposes is usually hotly contested by data breach litigants, and the courts so far are divided on this issue. For instance, while some courts have held that increased risk of future identity theft is a sufficient injury in fact for standing purposes, other courts have rejected this view and concluded that such risk is not a cognizable injury in fact. Compare In re, Inc., 888 F.3d 1020, 1023 (9th Cir. 2018), with In re SuperValu, Inc., 870 F.3d 763, 770 (8th Cir. 2017). To date, the 11th Circuit has not yet decided whether increased risk of future identity theft constitutes an injury in fact. See In re 21st Century Oncology Customer Data Security Breach Litigation, 380 F. Supp. 3d 1243, 1250 (M.D. Fla. 2019).

[8] Resnick, 693 F.3d at 1323.

[9] Id. at 1324.

[10] Id. (“Even a showing that a plaintiff’s injury is indirectly caused by a defendant’s actions satisfies the fairly traceable requirement.”); see also In re 21st Century Oncology Customer Data Security Breach Litigation, 380 F. Supp. 3d at 1258 (plaintiffs sufficiently alleged standing because plaintiffs alleged that they had suffered at least some cognizable harm).

[11] See, e.g., Smith v. Triad of Alabama, LLC, No. 1:14-cv-324-WKW-PWG, 2015 U.S. Dist. LEXIS 132514, at *26 n.19 (M.D. Ala. Sept. 2, 2015).

[12] Resnick, 693 F.3d 1317.

[13] Smith, 2015 U.S. Dist. LEXIS 132514, at *30.

[14] Atlantic v. Twombly, 550 U.S. 544, 555 (2007); In re SuperValu, Inc. Customer Data Sec. Breach Litig., No. 14-MD-2586 ADM/TNL, 2018 WL 1189327, at *10 (D. Minn. Mar. 7, 2018).

[15] Resnick, 693 F.3d at 1326 (emphasis added).

[16] Id. at 1327.

[17] Id. (emphasis added).

[18] Burrows, 2012 WL 9391827, at *2 n. 6.

[19] No. 15-cv-00882 (CRC), 2019 U.S. Dist. LEXIS 14387 (D.D.C. Jan. 30, 2019).

[20] Attias v. CareFirst, Inc., 865 F.3d 620, 627-28 (D.C. Cir. 2017).

[21] Attias, 2019 U.S. Dist. LEXIS 14387, at *16-34.

[22] Id. at *15 (emphasis added).

[23] Krottner, 406 F. App’x at 131. See also Carlsen v. GameStop, Inc., 833 F.3d 903, 909 (8th Cir. 2016) (“As we previously have cautioned, [i]t is crucial…not to conflate Article III’s requirement of injury in fact with a plaintiff’s potential causes of action, for the concepts are not coextensive.” (internal quotation marks and citation omitted) (alterations in original)).

[24] American Pipe & Const. Co. v. Utah, 414 U.S. 538, 552 (1974).

[25] See, e.g., American Pipe, 414 U.S. at 552.

[26] See, e.g., Smith v. Triad of Alabama, LLC, No. 1:14-CV-324-WKW, 2017 U.S. Dist. LEXIS 38574, at *39-43 (M.D. Ala. Mar. 17, 2017).

[27] In fact, some commentators maintain that the standard for pleading a class action probably should be even higher given what is usually at stake in such litigation. See generally Matthew J.B. Lawrence, Courts Should Apply a Relatively More Stringent Pleading Threshold to Class Actions, 81 U. Cinn. L. Rev. 1225, 1251-57 (2013).

[28] See, e.g., In re Office of Pers. Mgmt. Data Sec. Breach Litig. (“In re U.S. OPM”), 266 F. Supp. 3d 1, 38 (D.D.C. 2017) (To find causation, “the [c]ourt would have to presume that the vast majority of identity thefts plaintiffs experienced were not perpetrated by other criminals or were not the result of data breaches of other entities” and such a presumption “stretches the notion of traceability in this case beyond constitutional limits, particularly given how common identity theft is in the digital age.”); Peters v. St. Joseph Servs. Corp., 74 F. Supp. 3d 847, 854 (S.D. Tex. 2015).

[29] See Resnick, 693 F.3d at 1326; see also Welborn v. Internal Revenue Service, 218 F. Supp. 3d 64, 79-80 (D.D.C. 2016).

[30] See Fed. R. Civ. P. 23(a)(2)-(3).

[31] See Walter v. Int’l Harvester Co., 98 F.R.D. 560, 563 (N.D. Ill. 1983).

[32] See, e.g., Donald G. Gifford, The Challenge to the Individual Causation Requirement in Mass Products Torts, 62 Wash. & Lee L. Rev. 873, 909-12 (2005) (hereinafter “Gifford”); Sindell, 607 P.2d at 937.

[33] Id.

[34] Sindell, 607 P.2d at 937.

[35] See, e.g., Gifford at 908-09.

[36] See, e.g., Walt Disney World v. Wood, 515 So. 2d 198 (Fla. 1987).

[37] Id.; see also Gifford at 908.

[38] See, e.g., Rutherford v. Owens-Illinois, Inc., 941 P.2d 1203, 1223 (Cal. 1997).

[39] Id.

[40] See, e.g., Gifford at 908-09; Rutherford, 941 P.2d at 1223.

[41] See, e.g., Gifford at 909-12.

[42] In re “Agent Orange” Prod. Liab. Lit., 597 F. Supp. 740, 823 (E.D.N.Y. 1984).

[43] See, e.g., Gifford at 911-12.

[44] Id.

[45] But see Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688, 696 (7th Cir. 2015), in which the court rejected an argument that plaintiffs had to establish for standing purposes that no other data breach was the cause of plaintiffs’ claimed harm. In so ruling, the court concluded that the possibility some other data breach caused plaintiffs’ PII to be exposed had no impact on the standing analysis because it was certainly possible for pleading purposes that plaintiffs’ injuries were fairly traceable to the defendant’s data breach. Id. However, as noted, a lesser showing is required at the pleading stage for standing purposes, and the court in Remijas acknowledged that, although having no bearing on standing, the argument that some other breach caused plaintiffs’ damages was a legal theory that the defendant might later assert as a defense. Id.


Michael Hooker is a partner in the Tampa office of Phelps Dunbar LLP. He is a past member of The Florida Bar Board of Governors and focuses his practice on complex commercial litigation, including class action and data-breach cases. Hooker received his law degree from the University of Virginia School of Law.



Jason A. Pill is a partner in the Tampa office of Phelps Dunbar LLP. He represents employers in various workplace disputes and also handles data-breach litigation. He obtained a B.A., cum laude, from the University of Florida in 2005 and a J.D., magna cum laude, from the University of Florida Levin College of Law in 2009.



Guy P. McConnell is counsel with the Tampa office of Phelps Dunbar LLP. He litigates complex disputes, including data breach litigation, and obtained a B.B.A., summa cum laude, from the University of Cincinnati in 1980 and a J.D. from the University of Michigan Law School in 1983.