On January 19, 2022, District Judge Jesse M. Furman of the Southern District of New York dismissed a putative class action filed against men’s clothing store Bonobos, Inc., following an August 2020 data breach. Judge Furman determined that a Bonobos customer whose personal information was stolen in the breach failed to demonstrate a sufficiently substantial risk of harm to establish standing to sue.
The decision in Cooper v. Bonobos reflects the increased uncertainty regarding the viability of suits for damages based solely on future risk of identity theft or fraud, in light of the Supreme Court’s recent decision in TransUnion LLC v. Ramirez.
In August 2020, hackers stole the personal information of millions of Bonobos customers from the company’s cloud backup database and posted the information on a hacker website forum. The stolen information included customers’ addresses, telephone numbers, email addresses, order history, Internet Protocol (“IP”) addresses, encrypted passwords, and partial credit card numbers.
After receiving notice that his information was stolen in the breach, a Bonobos customer brought a class action suit against the company in the Southern District of New York. The suit—Cooper v. Bonobos—sought damages for negligence, unjust enrichment, and violations of Section 349 of the New York General Business Law (which prohibits “[d]eceptive acts or practices in the conduct of any business”).
To establish standing to sue in federal court, a “plaintiff must have suffered an ‘injury in fact’—an invasion of a legally protected interest which is (a) concrete and particularized; and (b) actual or imminent, not conjectural or hypothetical.”[i] An allegation of a threatened future injury is only sufficient “if the threatened injury is certainly impending, or there is a substantial risk that the harm will occur.”[ii]
The Second Circuit recently addressed the standing inquiry in the data-breach context in McMorris v. Carlos Lopez & Associates, LLC. The McMorris court held that, in some cases, “plaintiffs may establish standing based on an increased risk of identity theft or fraud following the unauthorized disclosure of their data.”[iii] In determining whether the increased risk is “sufficiently concrete, particularized, and imminent,” the Second Circuit identified three “non-exhaustive factors”:
(1) whether the plaintiffs’ data has been exposed as the result of a targeted attempt to obtain that data; (2) whether any portion of the dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and (3) whether the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud.[iv]
After McMorris was decided, however, the Supreme Court issued a decision that, as Judge Furman observed, may call into question the continued vitality of the Second Circuit’s approach to standing. While the case arose outside the data-breach context, a 5-4 majority of the Supreme Court in TransUnion LLC v. Ramirez expressed serious doubts that the risk of future harm, standing alone, could be sufficient to demonstrate standing in any suit for damages.
In TransUnion, a class of 8,185 individuals whose credit reports erroneously categorized them as being on a U.S. government list of terrorists, drug traffickers, and other serious criminals sued the credit reporting agency responsible for the error. Among other claims, the plaintiff class alleged that the credit reporting agency failed to use reasonable procedures to ensure the accuracy of internal credit files in violation of the Fair Credit Reporting Act.
The Supreme Court first held that the 1,853 class members whose misleading credit reports were provided by the credit reporting agency to third-party businesses had standing to bring the reasonable-procedures claim because those class members had suffered “concrete reputational harm.”[v] The credit reports of the remaining 6,332 class members, however, were not provided to third-party businesses. As a result, the Court held that these class members could not establish concrete harm and thus lacked Article III standing to sue.
In reaching this decision, the Court described as “persuasive” the argument that “in a suit for damages, the mere risk of future harm, standing alone, cannot qualify as a concrete harm—at least unless the exposure to the risk of future harm itself causes a separate concrete harm.”[vi] The Court went on to observe that, beyond the “fundamental problem” with the future-harm argument, the 6,332 class members at issue did not “factually establish” that the credit reporting agency would release their information to third parties or even that the class members knew their internal credit files contained the erroneous designation in the first place.[vii]
The Bonobos Decision
Increased Risk of Identity Theft or Fraud
Judge Furman recognized that the Supreme Court’s decision in TransUnion may “call into question” the Second Circuit’s approach to standing in McMorris.[viii] However, even assuming that McMorris remains good law, Judge Furman concluded that the plaintiff customer “has not, and cannot, establish standing based on an increased risk of identity theft or fraud.”[ix]
Judge Furman acknowledged that the plaintiff’s contact information, IP address, encrypted Bonobos account password, and partial credit card number were stolen by a known group of threat actors. However, the plaintiff failed to allege that this information, or the information of other Bonobos customers, was actually misused in a manner that caused or was likely to cause actual injury.
In McMorris, the Second Circuit noted that the posting of stolen personal information on websites frequented by cybercriminals can “provide strong support” for a showing of increased risk of identity theft or fraud.[x] Similarly, Judge Furman credited the plaintiff’s allegation that his stolen information was misused when it was posted on a hacker website forum. However, the plaintiff’s showing ultimately fell short because the specific stolen information at issue was “less sensitive data, such as basic publicly available information, or data that can be rendered useless to cybercriminals.”[xi]
After rejecting the plaintiff’s arguments based on threatened future injury, Judge Furman similarly found the standing arguments based on actualized, present injury to be insufficient.
The plaintiff customer alleged that he “spent time and money responding to the data breach” by, for example, “self-monitoring his accounts for evidence of fraud or identity theft,” “freezing his accounts with Experian,” and purchasing “a credit repair and protection service as well as a subscription to a robocall blocking app.”[xii] In its standing jurisprudence, however, the Supreme Court has stressed that plaintiffs “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”[xiii] Judge Furman’s earlier determination that the plaintiff in Bonobos did not face a substantial risk of future harm meant that the plaintiff could not rely on his expenses in preparation for an ultimately hypothetical risk to bootstrap his standing argument.
Judge Furman was likewise unconvinced by the plaintiff’s allegation that he “spent time dealing with the increased and unwanted spam texts, telephone calls, and emails that he continues to receive after the data breach.”[xiv] As Judge Furman recognized, “[c]ourts have generally rejected the theory that unsolicited calls or emails constitute an injury in fact,” and, in any event, the plaintiff did not sufficiently allege that the unwanted spam was traceable to the theft of his Bonobos account information.[xv]
* * *
Because the plaintiff failed to establish a legally cognizable injury sufficient to establish his standing to sue, Judge Furman dismissed the suit without having to address the merits of the underlying claims.
Like other recent cases, Judge Furman’s Bonobos decision recognizes that the Second Circuit’s approach to standing based on increased risk of identity theft or fraud is potentially in flux.[xvi] It remains to be seen when and how the Second Circuit addresses the impact of the Supreme Court’s TransUnion decision in the data-breach context.
In the meantime, district courts in the Second Circuit will likely continue to assess whether victims of data breaches have legally cognizable claims based in part on an increased risk of identity theft or fraud. In making this assessment at the motion to dismiss stage, courts must engage in a fact-intensive inquiry based on the allegations in the complaint to determine whether the specific breach at issue presents a sufficiently concrete, particularized, and imminent threat of such harm. As in Bonobos, that inquiry will often turn on the allegations of the nature of the information compromised in the breach and the actions of the bad actors that effectuated it.
[i] Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992) (citations omitted).
[ii] Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158 (2014) (citations omitted).
[iii] McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d 295, 301 (2d Cir. 2021). See also Cleary Cybersecurity and Privacy Watch, Second Circuit Articulates Injury Standard in Data Breach Suits (May 3, 2021).
[iv] McMorris, 995 F.3d at 301, 303 (citations omitted).
[v] TransUnion LLC v. Ramirez, 141 S. Ct. 2190, 2200 (2021).
[vi] Id. at 2210–11.
[vii] Id. at 2211–12.
[viii] Cooper v. Bonobos, Case No. 1:21-cv-00854-JMF, 2022 WL 170622, at *3 n.1 (S.D.N.Y. Jan. 19, 2022).
[ix] Id. at *3.
[x] McMorris, 995 F.3d at 302.
[xi] Bonobos, 2022 WL 170622, at *4 (quoting McMorris, 995 F.3d at 302).
[xii] Id. at *5.
[xiii] Clapper v. Amnesty Int’l USA, 568 U.S. 398, 416 (2013) (quoted in Bonobos, 2022 WL 170622, at *5).
[xiv] Bonobos, 2022 WL 170622, at *5 (cleaned up).
[xvi] See, e.g., Bohnak v. Marsh & McLennan Cos., Inc., 1:21-cv-06096-AKH, 2022 WL 158537, at *4 (S.D.N.Y. Jan. 17, 2022) (“The TransUnion Court’s rejection of the mere risk of future harm calls into question the continuing validity of McMorris.”); Legg v. Leaders Life Ins. Co., No. CIV-21-655-D, 2021 WL 5772496, at *6 (W.D. Okla. Dec. 6, 2021) (“Given the holding in TransUnion, it is far from clear that any case finding a concrete injury based merely on an abstract risk of future identity theft following a data breach is still good law, at least with respect to a claim for damages.”). Cf. Maddox v. Bank of New York Mellon Tr. Co., 19 F.4th 58, 64 (2d Cir. 2021) (“In sum, TransUnion established that in suits for damages plaintiffs cannot establish Article III standing by relying entirely on a statutory violation or risk of future harm: ‘No concrete harm; no standing.’”) (quoting TransUnion, 141 S. Ct. at 2214).