Data breaches of companies that expose consumer information are a pervasive and growing issue. The United States Courts of Appeals are divided over whether consumers have Article III Standing to sue the hacked organizations that did not protect their personal data. This Comment draws on insights from criminal law to argue that courts should take a more expansive view of the harm to consumers when their personal data is exposed, even where the plaintiffs cannot allege that their data has been misused. This approach would give more consumers the opportunity to have a day in court to vindicate the real but hard-to-define harms of exposure.
Comments Editor, University of Pennsylvania Law Review Volume 172; J.D. Candidate, University of Pennsylvania Carey Law School, Class of 2024; A.B., Brown University, 2019. Thank you to Professor Michael Levy for his guidance. I am grateful to Lisa Goldberg, Ken Ribet, Elena Renken, Emma Dyson, Emily Cooley, and Professor Kermit Roosevelt for comments on drafts. This comment also benefited from conversations with Stephanie Ribet, Jonathan Zisk, Nabil Shaikh, and Will McDonald. Thank you to the editors of the University of Pennsylvania Law Review Volume 172 staff for insightful comments and careful editing.