Data breaches are on the rise as consumers continue to exchange personally identifiable information for goods and services in sectors from retail to healthcare. In the aftermath of a data breach, it has been difficult for victims of the breach to establish Article III standing to sue in federal courts. The primary hurdle for those seeking a remedy for the theft of their data has been showing that they have suffered an injury-in-fact. Plaintiffs typically assert an injury based on the increased risk of identity theft following a breach. However, courts have divided on whether such an injury satisfies the standing test. For consumers who feel deeply that they have been harmed, a court’s aversion to increased-risk standing is a devastating barrier to redress.

This Note argues that courts should consider a different point of injury. Rather than looking at the risk of future identity theft, courts should analyze standing based on the injury that consumers suffer the moment their data is stolen. Looking to the Supreme Court’s decisions in Clapper v. Amnesty International USA and Spokeo, Inc. v. Robins, this Note argues that the inherent injury of the data breach is an actual, concrete, and particularized injury that is sufficient to confer standing.

Ultimately, shifting the standing inquiry to the inherent injury of the data breach will ensure that meritorious claims are heard in court. The shift is easily implemented—it comports with existing precedent, requires no new action by Congress or the Supreme Court, and is harmonious with the principles that underlie the doctrine of standing. Most importantly, the shift will ensure access to justice for a growing body of consumers who have been harmed by a data breach.