“Although the court sympathized with the plaintiffs’ data breach concerns and recognized that hacking has become commonplace, the court had little trouble dismissing the consolidated case for lack of standing. The court noted that data breach plaintiffs, like all plaintiffs in federal court, have the burden of establishing that they have standing to sue. Judge John E. Jones ruled that the plaintiffs needed to show ‘personal injury [that was] fairly traceable to the defendant’s allegedly unlawful conduct [and that could] be redressed by the requested relief.’ More specifically, that injury must be ‘actual or ‘imminent,’ not ‘conjectural’ or ‘hypothetical’.’
In the context of data breaches, the Third Circuit in Reilly held that, ‘in the event of a data breach, a plaintiff does not suffer a harm, and thus does not have standing to sue, unless [the] plaintiff alleges actual ‘misuse’ of the [plaintiff’s] information, or that such misuse is imminent.’ The Reilly plaintiffs sued the defendant under negligence and breach of contract theories of liability and alleged that, ‘due to the data breach, they were subject to an increased risk of identity theft, had incurred costs to monitor their credit activity and suffered from emotional distress.’ The Third Circuit, however, affirmed the district court’s dismissal of the case on standing grounds because the plaintiffs’ ‘future harm resulting from the security breach was . . . significantly attenuated . . . [and] . . . dependent on entirely speculative, future actions of an unknown third party.’”