CPW has been tracking data breach litigations for some time, including how the Courts of Appeals have addressed the question of Article III standing. Yesterday the Second Circuit issued a monumental decision that attempts to weave together rulings from other courts to formulate a multi-factor standing analysis. McMorris v. Carlos Lopez & Assocs., 2021 U.S. App. LEXIS 12328 (2d Cir. Apr. 27, 2021). Read on to learn more about this critical data privacy case.
Let’s first turn to the (alleged) facts. The case involved a data breach at a veterans health services provider. In June 2018, an employee of defendant accidentally sent an email to 65 others at the company. Attached to the email was a spreadsheet containing sensitive personally identifiable information (“PII”) – including Social Security numbers, home addresses, dates of birth, telephone numbers, educational degrees, and dates of hire — of approximately 130 current and former employees. Three plaintiffs whose information had been disclosed filed suit with a putative class action complaint. They asserted claims for negligence, negligence per se and consumer protection on behalf of California, Florida, Texas, Maine, New Jersey, and New York classes.
In terms of the harm alleged, “[a]lthough [P]laintiffs did not allege that they had been the victims of fraud or identity theft as a result of the errant email, they claimed that, because their PII had been disclosed to all of CLA’s then-current employees, they were ‘at imminent risk of suffering identity theft’ and becoming the victims of ‘unknown but certainly impending future crimes.’” Plaintiffs did not allege that their information was actually misused by any third party. However, they alleged that they had taken remedial measures following the disclosure of their information (incurring out-of-pocket expenses).
The Defendant moved to dismiss for lack of standing but the parties reached a settlement before a ruling on the motion to dismiss. In advance of the class fairness hearing, the court considered standing sua sponte. The district court ruled that “Plaintiffs lacked Article III standing because they failed to allege ‘an injury that is concrete and particularized and certainly impending.’” The district court dismissed the case for lack of subject matter jurisdiction. An appeal to the Second Circuit followed.
In assessing the case on appeal, the Second Circuit noted that it has been “suggested” that there is a circuit split in the data breach context concerning whether a plaintiff may establish standing based on a risk of future identity theft or fraud stemming from the unauthorized disclosure of that plaintiff’s data. However, the Court found that “requiring plaintiffs to allege that they have already suffered identity theft or fraud as the result of a data breach would seem to run afoul of the Supreme Court’s recognition that ‘[a]n allegation of future injury may suffice’ to establish Article III standing ‘if the threatened injury is certainly impending, or there is a substantial risk that the harm will occur.’” The Second Circuit then went on to hold that in the abstract “plaintiffs may establish standing based on an increased risk of identity theft or fraud following the unauthorized disclosure of their data.” (emphasis supplied).
To determine whether Plaintiffs in the current case had standing based on an “imminent” risk of harm, the court applied a multi-factor analysis with criteria drawn from other data breach litigations (including decisions from outside the Second Circuit). The factors were the following:
First, “whether the data at issue has been compromised as the result of a targeted attack intended to obtain the plaintiffs’ data.” The Second Circuit described this as the most important consideration. This is because, the Court explained, “[w]here plaintiffs fail to present evidence or make any allegations that an unauthorized third party purposefully obtained the plaintiffs’ data, courts have regularly held that the risk of future identity theft is too speculative to support Article III standing.”
Second, whether plaintiffs “can show that at least some part of the compromised dataset has been misused — even if plaintiffs’ particular data subject to the same disclosure incident has not yet been affected.” This could include “evidence that plaintiffs’ data is already being misused, even if that misuse has not yet resulted in an actual or attempted identity theft.”
And third, “courts have looked to the type of data at issue, and whether that type of data is more or less likely to subject plaintiffs to a perpetual risk of identity theft or fraud once it has been exposed.” The Second Circuit found that “the dissemination of high-risk information such as Social Security numbers and dates of birth — especially when accompanied by victims’ names — makes it more likely that those victims will be subject to future identity theft or fraud.”
The Second Circuit cautioned, however, that standing is a “fact specific inquiry” and that the three criteria were not meant to be “exhaustive.” Turning then to the other injuries alleged by Plaintiffs in the case, the Second Circuit held, in reliance on the Supreme Court’s holding in Clapper, that where plaintiffs “have not alleged a substantial risk of future identity theft, the time they spent protecting themselves against this speculative threat cannot create an injury.”
Applying these principles, the Second Circuit ultimately concluded that “this case presents a relatively straightforward situation in which Plaintiffs have failed to show that they are at a substantial risk of future identity theft or fraud sufficient to establish Article III standing.” The Court affirmed dismissal of the litigation for lack of subject matter jurisdiction.