The Second Circuit just affirmed the dismissal of a data breach class action predicated on an alleged increased risk of identity theft on Article III standing grounds. McMorris v. Carlos Lopez & Assocs., LLC, No. 19-4310, 2021 WL 1603808 (2d Cir. Apr. 26, 2021). Notably, the district court that dismissed the action raised the issue of standing sua sponte in advance of a scheduled class settlement fairness hearing.

McMorris involved the alleged disclosure of employee information—including Social Security numbers, home addresses, dates of birth, telephone numbers, educational degrees, and dates of hire—after one of the defendant’s employees accidentally emailed such information to all of the employees within the company (approximately 65).

Notably, the plaintiffs did not claim they suffered fraud or identity theft because of the inadvertent disclosure. Similarly, the plaintiffs did not claim their information was shared with anyone outside of the company or that third parties otherwise had taken or misused it.

Nonetheless, the plaintiffs claimed they were “at imminent risk of suffering identity theft” and that they cancelled credit cards, purchased credit monitoring and identity theft protection services, and spent time assessing whether they should apply for new Social Security numbers after the email incident.

On those facts, the court found the plaintiffs lacked Article III standing. The court characterized the decision as one that “join[s] all [] sister circuits that have specifically addressed the issue in holding that plaintiffs may establish standing based on an increased risk of identity theft or fraud following the unauthorized disclosure of their data.” The court nonetheless found that the plaintiffs “failed to show that they are at a substantial risk of future identity theft or fraud sufficient to establish Article III standing” on the facts alleged.

The court articulated a “non-exhaustive” list of three factors to consider when courts are “confronted with allegations that plaintiffs are at an increased risk of identity theft or fraud based on an unauthorized data disclosure”:

  1. Whether the plaintiffs’ data has been exposed as the result of a targeted attempt to obtain that data;
  2. Whether any portion of the dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and
  3. Whether the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud.

Applying those factors, the court found that, despite the sensitivity of information involved, the plaintiffs did not claim their information was subject to a targeted data breach or allege any facts showing their information (or that of any others) was misused. Accordingly, the court affirmed the dismissal on Article III standing grounds.