Seyfarth Synopsis: On June 25, 2021, the U.S. Supreme Court issued its pivotal ruling in TransUnion LLC v. Ramirez (“TransUnion”). As reported here (https://www.workplaceclassaction.com/2021/06/u-s-supreme-court-holds-that-class-members-who-suffer-no-concrete-harm-from-statutory-violations-do-not-have-article-iii-standing-and-cannot-recover/), in TransUnion, the Supreme Court reinforced prior precedent that Article III standing requires a “concrete harm” and that plaintiffs must demonstrate standing with respect to each claim asserted. “No concrete harm, no standing” famously sums up the Supreme Court’s ruling. As expected, the impact of TransUnion has been significant, and it is important for companies to be aware of the reverberating implications of this ruling for purposes of defending complex litigation.
Accordingly, to mark the upcoming two-year anniversary of TransUnion, the Workplace Class Action blog will be providing an assessment of the most recent and relevant applications of TransUnion by the federal Circuit Courts. For starters, however, here is a look at a pair of recent district court rulings applying TransUnion in putative class actions arising from alleged employee data breaches at the motion to dismiss stage: Hall v. Centerspace, LP and McCombs v. Delta Group Electronics, Inc. Both cases exemplify the importance for companies facing class-action litigation to assess the plaintiffs’ standing as to each claim to help secure victories early on in the litigation.
Hall v. Centerspace, LP
In Hall, the plaintiff worked for a subsidiary of Centerspace, which owns and operates apartment complexes in several states. Hall and other employees were required to give Centerspace their personally-identifying information (“PII”) as a condition of employment, including names, bank account information, and Social Security numbers. Following a data breach of computer files potentially containing PII, Hall brought a putative class action in the U.S. District Court for the District of Minnesota, seeking to represent a class of all individuals in the United States whose PII was compromised in the breach. In addition to damages, Hall sought a declaration that Centerspace was in breach of its duty to employ reasonable data security to secure the PII with which it was entrusted, as well as injunctive relief requiring Centerspace to employ “adequate security protocols consistent with industry standards” to protect the plaintiff’s and putative class members’ data. Centerspace filed a motion to dismiss, challenging Hall’s standing to pursue future injunctive relief under Article III.
The Court’s Decision
The court ruled in favor of Centerspace. The court noted that courts in data-breach cases consider whether plaintiffs have standing to seek injunctive and declaratory relief in light of TransUnion’s holding that a plaintiff must demonstrate standing separately for each form of relief sought. The court also noted another decision in Minnesota federal court that applied TransUnion to find that the plaintiffs lacked standing to pursue relief similar to that which Hall requested because they failed to allege a sufficiently imminent and substantial risk of harm that would be avoided if the relief was granted. Turning to the case at bar, the court found that Hall did not show that he faced such a risk of future harm that a declaration and injunction would address. The court clarified that it was not suggesting that “forward-looking” injunctive relief is never appropriate in a data-breach case. However, there were no facts in the complaint indicating that a second data breach was certainly impending, or even that there was a substantial risk that one would occur. The court noted that there was no suggestion, for example, that Centerspace currently was being targeted by hackers, or that something about its operations made it uniquely vulnerable to incursions. The court concluded that nothing in Hall’s pleading transformed the possibility that Centerspace might suffer another data breach into an imminent or substantial risk. Accordingly, the court ruled that Hall’s forward-looking claims for a declaratory judgment and injunctive relief must be dismissed for want of standing.
McCombs v. Delta Group Electronics, Inc.
The Hall ruling was issued on Friday, May 12, 2023. Almost a month later, on Friday, June 9, 2023, the U.S. District Court for the District of New Mexico also weighed in on standing in the data-breach context in McCombs.
In McCombs, the plaintiff brought a putative class action against her former employer. Like Hall, McCombs had provided Delta with PII and financial information. McCombs alleged that her and other employees’ names, Social Security numbers, driver’s license numbers, and financial account numbers were accessed when an “unknown cybercriminal” hacked Delta’s computer systems in 2022. According to McCombs, the data compromise will be an “omnipresent threat” for her and the proposed class “for the rest of their lives.” While McCombs conceded that the alleged fraudulent activity “may not come to light for years,” she maintained that she was subject to a general threat of future harm, such as “targeted marketing” or having her PII end up for sale on the “dark web.” While admittedly “left to speculate” about the possible future impacts of the breach, McCombs nonetheless sought monetary damages and injunctive relief on behalf of herself and the proposed class. Delta moved to dismiss on multiple grounds, including for lack of standing.
The Court’s Decision
The court ruled in Delta’s favor, finding that McCombs had not sufficiently alleged injuries that were fairly traceable to the breach and, thus, lacked standing to pursue her claims. The court addressed multiple aspects of McCombs’ allegations and provided a breakdown of the different ways in which the federal Circuit Courts have addressed standing in data breach litigation over the past decade. The court honed in on TransUnion, however, when considering McCombs’ allegations of unrealized, potential risks of harm associated with identity theft. As the court recounted, the argument that won the day in TransUnion was that the mere risk of future harm, standing alone, cannot qualify as a concrete harm, unless the exposure to the risk of future harm itself causes a separate concrete harm. The court recognized that following TransUnion, the mere possibility of a potential unrealized injury, without more, does not confer standing.
Against this backdrop, the court found McCombs’ allegation that her PII potentially would be used by an unknown cybercriminal to commit fraud or identity theft fell “well short” of what is required for standing, as McCombs had not demonstrated that the risk of future harm had manifested by way of an injury from the theft of her PII. For instance, the court pointed out that McCombs failed to allege that any compromised PII—whether hers or that of the proposed class—had been misused yet, even though more than a year had passed since the data breach. Since McCombs’ alleged injuries lived “almost entirely in the future” and were “premised on potential illegal activity yet to be committed (and which may never be committed) by an unknown third party,” they were too speculative to invoke the court’s jurisdiction. Accordingly, the court granted Delta’s motion to dismiss.
Implications For Employers
Although TransUnion may not be a silver bullet for employers, these cases demonstrate its lasting significance. Hall in particular underscores the importance of the U.S. Supreme Court’s teaching that “standing is not dispensed in gross; rather, plaintiffs must demonstrate standing for each claim that they press and for each form of relief that they seek (for example, injunctive relief and damages).” The cases also serve as examples of courts rejecting claims based on risks of future harm, following TransUnion. In crafting their defense strategy, employers and other corporate defendants of class actions should analyze plaintiffs’ theories of injury accordingly, including as to each claim and request for relief asserted.