Last week, the Second Circuit affirmed the dismissal, for lack of Article III standing, of a proposed class action against a health services provider that mistakenly disclosed personally identifiable information (“PII”).  In its opinion, the Second Circuit held that plaintiffs may establish Article III standing based on an increased risk of identity theft or fraud following an unauthorized disclosure of their data, but that this standard was not met on the facts presented.  The decision, which marks the first time the Second Circuit has explicitly adopted this standard, has potentially important implications for data breach cases going forward.

Background

In McMorris v. Carlos Lopez & Associates, LLC, employees of a veteran mental health services provider sued their employer for negligence and violation of state consumer protection laws for mistakenly sending a companywide email containing employees’ PII.[1]  The email included a spreadsheet that listed roughly 130 current and former employees’ Social Security numbers, home addresses, dates of birth, and telephone numbers.  In a proposed class action complaint, the plaintiffs described measures that they took to prevent identity theft following the disclosure, such as applying for new Social Security numbers and buying credit monitoring and identity theft protection services, but conceded that their identities had not been stolen as a result of the breach.

Plaintiffs argued that—although their PII had not been misused or stolen—the time lost and expenses incurred in taking measures to guard themselves against an increased risk of identity theft constituted an Article III injury sufficient to establish standing.  As we have previously discussed, lack of standing has often been raised by defendants in data breach cases as a threshold defense—with mixed success.  The district court dismissed the complaint for lack of standing because there was no allegation that any employee’s identity had actually been misused or stolen and because the breach was not the result of an intentional act by a third party.

The Second Circuit’s Decision

The Second Circuit affirmed dismissal of the complaint.

The court initially observed that the Second Circuit “ha[d] not yet addressed whether a plaintiff may establish standing based on a risk of future identity theft or fraud stemming from the unauthorized disclosure of that plaintiff’s data.”[2]  The court went on to hold that a risk of such injury was sufficient under Article III, including because “requiring plaintiffs to allege that they have already suffered identity theft or fraud as the result of a data breach would seem to run afoul of the Supreme Court’s recognition that an allegation of future injury may suffice to establish Article III standing if the threatened injury is certainly impending, or there is a substantial risk that the harm will occur.”[3]  The court therefore stated it would “join all of our sister circuits that have specifically addressed the issue in holding that plaintiffs may establish standing based on an increased risk of identity theft or fraud following the unauthorized disclosure of their data.”[4]  This is in contrast to a more stringent standard that would require plaintiffs to allege actual identity theft or fraud at the pleading stage.

Turning to the facts of the case, the court stated that the most important question was whether the data had been compromised as the result of a targeted attack by a third party.  In this case, there was no such allegation, given that it was undisputed that the data had been unintentionally disclosed by the company itself.  In the absence of an intentional hack of the information, the court held that the risk of future identity theft was too speculative to support Article III standing.  Another factor the court considered was whether any of the compromised data had already been misused, even if the plaintiffs’ own data had not yet been affected.  There was no such allegation either.  Without any allegation that the threat of future identity theft was more than speculative, plaintiffs could not establish an injury in fact sufficient to satisfy standing.

The court also considered plaintiffs’ argument that they were injured by the time and expense of proactive measures they took to prevent identity theft following the breach.  Drawing on the Supreme Court’s reasoning in Clapper v. Amnesty Int’l USA,[5] the court held that plaintiffs cannot manufacture standing by protecting themselves from a purely hypothetical harm.

In sum, the court concluded that plaintiffs did not sufficiently allege an increased risk of identity theft and that they could not rely on measures that they took to prevent identity theft to create an injury in fact.  However, the Second Circuit left open the possibility that in future cases plaintiffs may satisfy standing requirements by alleging a sufficient risk of future identity fraud or theft following a data breach, even where such injury has not yet come to fruition.

Implications

The Second Circuit’s ruling potentially opens the door for plaintiffs to bring data breach cases by permitting actions to proceed where there is only a risk of identity theft, even if that risk has not materialized.  At the same time, the ruling reaffirms the fact-intensive nature of the standing inquiry into whether the risk of identity theft is real or hypothetical.  In this instance, the court stated that the critical factor was that the breach was not the result of a targeted attack, but it made clear that other factors could be relevant in deciding whether plaintiffs have alleged a sufficient risk of harm to establish standing.

Separately, the Second Circuit made a point of noting in its decision that it was “express[ing] no view on the separate but related question of whether plaintiffs may allege a present injury in fact stemming from the violation of a statute designed to protect individuals’ privacy.”[6]  It remains to be seen whether this type of claim will be more, equally, or less successful for plaintiffs in the Second Circuit.

In the interim, the ruling emphasizes the need for companies that have suffered a breach to promptly investigate whether the breach has resulted in a risk of identity theft or fraud.  Under the new Second Circuit precedent, establishing the absence of such a risk will form the basis of a strong defense in any ensuing litigation by alleged individual victims.

[1] No. 19-4310 (2d Cir. April 26, 2021).

[2] Id. at 9.

[3] Id. at 10 (internal quotation omitted).

[4] Id. at 11.  While noting that some courts have stated that there is a circuit split, the Second Circuit stated “in actuality, no court of appeals has explicitly foreclosed plaintiffs from establishing standing based on a risk of future identity theft—even those courts that have declined to find standing on the facts of a particular case.”  Id. at 10.

[5] 568 U.S. 398, 416 (2013).

[6] McMorris v. Carlos Lopez & Assocs., LLC, No. 19-4310, at 11 n.3 (2d Cir. April 26, 2021).