In Roman lore, Damocles, a courtier, told a king, King Dionysius of Syracuse, that he would switch places with the King without hesitation, given the king’s great power and riches. The King supposedly agreed to swap places, putting Damocles on the throne, but the King rigged up a sword, hanging over Damocles’ head, suspended by a single horse hair. Damocles freaked out, as most people would, and he quickly changed his tune.
The King’s point, obviously, if heavy-handedly and exaggeratedly: with great power comes great responsibility and the constant threat of imminent death.
And here is how this relates to “standing” in U.S. law: Can someone sue who is placed in a position of potentially great injury, but who has not sustained any injury yet?
Accepting that Damocles experienced trauma and some degree of pain and suffering, assuming the sword did not drop, he might still have trouble bringing suit in a U.S. court. (He might also face jurisdictional defenses, defenses of sovereign immunity, assumption of risk, statute of limitations, and so on, of course.)
A recent putative class action against a Minnesota company, comprised of individuals whose personal and private data was compromised by a computer hacker but who have suffered no actual harm from the breach, fared no better.
Minnesota-based Ceridian was sued in the U.S. District Court for the District of New Jersey for a data breach. Represented by Steven J. Wells of Dorsey & Whitney, LLP, Ceridian won against a class action complaint at the District Court and at the Third Circuit Court of Appeals, and last month the U.S. Supreme Court denied the disappointed plaintiffs’ petition for review.
We conclude that Appellants’ allegations of hypothetical, future injury are insufficient to establish standing. Appellants’ contentions rely on speculation that the hacker: (1) read, copied, and understood their personal information; (2) intends to commit future criminal acts by misusing the information; and (3) is able to use such information to the detriment of Appellants by making unauthorized transactions in Appellants’ names. Unless and until these conjectures come true, Appellants have not suffered any injury; there has been no misuse of the information, and thus, no harm.
This is an important decision because it does not take either speculation or a crystal ball to know that a vague threat of immeasurable future harm, if allowed to form the basis of a data breach class action, would impose large financial burdens on civil defendants.