Do Data-Breach Victims Have Standing to Sue? TransUnion, OPM, and the Risk-of-Harm Question

After a breach, the first battle is rarely about cybersecurity — it's about whether the plaintiffs can be in court at all. Three decisions map the line between a real injury and a speculative one, and that line decides how much a contractor's breach will actually cost.

Brandon Hancock, J.D., CMMC-RP · Published June 25, 2021 · Updated June 18, 2026 · 7 min read

A data breach generates lawsuits, but Article III of the Constitution requires plaintiffs to show a "concrete" injury — not just that their data was exposed. Three leading decisions frame when breach victims can sue, and the answer drives the litigation exposure of any contractor that suffers an incident.

TransUnion LLC v. Ramirez (2021): No Concrete Harm, No Standing

TransUnion mislabeled thousands of consumers as potential terrorists in its credit files. A class of 8,185 sued under the Fair Credit Reporting Act. The Supreme Court (5–4, Justice Kavanaugh) held that only the 1,853 class members whose misleading reports were actually disseminated to third parties suffered a concrete injury sufficient for standing. For the rest, the mere existence of inaccurate information in a database — a risk of future harm that had not materialized — was not enough to sue for damages. "No concrete harm, no standing."

In re OPM Data Security Breach Litigation (D.C. Cir. 2019): Risk Can Be Concrete

The 2015 breach of the Office of Personnel Management exposed the detailed background-investigation records of more than 21 million federal employees, contractors, and applicants — exfiltrated by a sophisticated, suspected nation-state actor. The D.C. Circuit held that victims did have standing: given the nature and sensitivity of the stolen data and the attacker's apparent capabilities, the risk of identity theft was substantial and imminent, not speculative.

McMorris v. Carlos Lopez & Associates (2d Cir. 2021): A Framework

The Second Circuit synthesized the case law into a practical test for when an increased risk of future identity theft confers standing, weighing: (1) whether the data was intentionally targeted or stolen (versus inadvertently exposed); (2) whether any part of the data has already been misused; and (3) the sensitivity of the exposed data and the likelihood of harm.

Reconciling the Three

The cases are not in conflict so much as fact-driven. Deliberate theft of highly sensitive data (OPM) points toward standing; a latent error never disseminated (the TransUnion non-disseminated class) points away from it. McMorris gives litigants the rubric in between.

Why It Matters for Contractors

  • Your breach's litigation cost turns on these facts. Whether plaintiffs clear the standing bar often depends on what was taken, whether it was targeted, and whether it has surfaced in fraud — exactly the facts your incident-response investigation will establish.
  • Sensitive, targeted data is the danger zone. Breaches of background-investigation data, SSNs, financial, biometric, or health data are the ones most likely to support standing — and the ones contractors most often hold for the government.
  • Document everything. Forensic findings about exfiltration and misuse will shape both the standing analysis and your regulatory exposure.

Key Takeaways

  • TransUnion (2021): a bare statutory violation or undisseminated risk is generally not a concrete injury for damages standing.
  • OPM (2019): theft of sensitive data by a capable adversary can make the risk of future harm concrete enough to sue.
  • McMorris (2021): courts weigh intent to steal, actual misuse, and data sensitivity to decide standing on a risk-of-future-harm theory.

See how breach exposure becomes enforcement on our Enforcement hub, and the litigation discovery angle in In re Capital One.

*Source: TransUnion LLC v. Ramirez, 594 U.S. 413 (2021); In re U.S. OPM Data Sec. Breach Litig., 928 F.3d 42 (D.C. Cir. 2019); McMorris v. Carlos Lopez & Assocs., 995 F.3d 295 (2d Cir. 2021)*

Brandon Hancock

J.D. · CMMC Registered Practitioner (RP)

Brandon is the editor of GovConCyber. He translates federal cybersecurity rules into plain language for the contractor community, with a focus on CMMC, DFARS, and False Claims Act enforcement trends.