A recent article in the Wall Street Journal (paywall) points out a legal issue that judges are increasingly facing as they consider class action lawsuits brought against companies that become victims of criminal hacking:
Data breaches have forced judges to wrestle with new notions of what it means to suffer an injury. Though cyberattacks against companies can cause widespread damage, any harm to customers is often hard to quantify and tough to trace, making it difficult for them to pursue redress in the courts.
In most cases, the economic damage falls on the primary victim of the hacking, i.e., the company whose systems are breached. In addition to any embarrassment, the victim must also spend resources to investigate the hacker's entry point, identify the scope of the compromise, and purge the intruder from its systems.
If the hacker actually obtains data about individuals from the victim company, the victim company may also become a target for legal action from a variety of sources, including state attorneys general, the Federal Trade Commission, and class action lawsuits brought by private parties. As the article explains, plaintiffs bringing private cases often have a hard time showing standing and damage. That's because most of the time, there's no clear indication that the hacker used any particular person's information in a way that caused actual damage.
Many of us expected the Supreme Court to clarify whether these kinds of suits can survive in Spokeo, Inc. v. Robins this year, but the Court dodged. So there's a good chance that the issue will be coming back up to the high court eventually.