Claimants’ entitlement to bring data breach class actions is currently a hot topic in the US. In a March 2015 US District Court decision, the Judge held that the plaintiffs did not have standing to sue because they weren’t able to demonstrate “actual misuse of the hacked data or specifically allege how such misuse is certainly impending”. In other words, the privacy breach is not in and of itself sufficient to prove standing. Similarly, in New Zealand, the Privacy Act expressly states its privacy principles generally “do not confer any legal right enforceable in a court of law”.
Source: Storm v Paytime Harrisburg, Inc.