Cardozo Law Review de•novo

Online Data Breaches, Standing, and the Third-Party Doctrine

Adam Lamparello, Indiana Tech Law School



This Essay argues that, in the context of online data breaches, these doctrines hinder consumers from receiving full monetary compensation and do not adequately safeguard privacy rights. For example, courts frequently dismiss consumers’ suits against online service providers for lack of standing, which results in consumers bearing the cost for damages that the providers were in a position to prevent. This Essay argues that the Supreme Court should relax the standing doctrine’s “imminent harm” requirement and permit consumers to sue providers for mitigation damages. In addition, the Court should abandon the longstanding principle that citizens lose all privacy protections in personal information voluntarily given to third parties. Relatedly, the Court should modify the two-pronged framework set forth in Katz v. United States and focus exclusively on whether there exists an objective societal expectation of privacy in personal information that third parties unlawfully access. This approach will ensure that consumers are fully compensated for the direct and foreseeable harms that online data breaches cause, and provide incentives for private companies to adopt stringent policies that minimize the risk of future breaches.