On April 26, 2021, the Second Circuit Court of Appeals decided the case of McMorris v. Carlos Lopez & Assocs., No. 19-4310, 2021 WL 1603808 (2d Cir. Apr. 26, 2021) and addressed one of the most critical issues in private data breach class actions – whether victims of a data breach can establish Article III standing by alleging they are at an increased risk of identity theft or fraud, even if their personal data has not yet been misused.
Although the district court’s ruling that plaintiffs did not establish standing was upheld, the Second Circuit found that victims of a data breach can establish standing based on a risk of future identity theft or fraud. The court also put forward a three-factor test to determine if standing exists when misuse of plaintiffs’ data has not yet occurred.
The facts of McMorris are relatively straightforward. Defendant Carlos Lopez & Associates LLP (CLA) provided mental and behavioral health services to veterans, service members and their families. In June 2018, a CLA employee accidentally emailed all 65 of his coworkers a spreadsheet containing the personally identifiable information (PII) of approximately 130 current and former employees of CLA. The PII included Social Security numbers, home addresses, dates of birth, telephone numbers, educational degrees and dates of hire.
Three employees whose PII had been disclosed filed a class action lawsuit on behalf of class members in California, Florida, Texas, Maine, New Jersey and New York, alleging causes of action for negligence, negligence per se and statutory consumer protection violations. Plaintiffs did not allege that their PII had been misused; instead, they claimed that they were “at imminent risk of suffering identity theft.”
During the motion to dismiss stage, the parties agreed to a class settlement, which required court approval. After holding a hearing on the issue of whether plaintiffs possessed Article III standing to bring the suit, the district court denied the motion for approval of the class settlement and dismissed plaintiffs’ claims for lack of subject matter jurisdiction. Plaintiffs appealed.
The Second Circuit’s Decision
As we wrote this past February, some circuit courts, including, most recently, the 11th Circuit, have described a circuit split as to whether plaintiffs can establish an injury-in-fact at the pleading stage based on an increased risk of identity theft. The Second Circuit disagreed, noting that “no court of appeals has explicitly foreclosed plaintiffs from establishing standing based on a risk of future identity theft – even those courts that declined to find standing on the facts of a particular case.” The court stated that it would “therefore join all of our sister circuits” and held that plaintiffs may establish standing based on an increased risk of identity theft or fraud resulting from a data breach.
The court went on to endorse a three-factor test to determine whether the risk of identity theft or fraud is sufficiently “concrete, particularized, and imminent” to confer Article III standing. In its discussion, the court made clear that while all of the factors are relevant to a court’s standing analysis, no single factor is dispositive, and other factors may be considered as well:
- Whether the data at issue has been compromised as a result of a targeted attack intended to obtain plaintiffs’ data: In its opinion, the court explicitly stated that this is the most important factor. The reasoning is clear: If a third party purposely stole plaintiffs’ data, it can be presumed that the theft was carried out with the intent to use that data for fraudulent purposes. If, however, plaintiffs’ data was exposed unintentionally, the risk of future identity theft or fraud is often too speculative to support Article III standing.
- Whether any portion of the dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud: Relying on the Ninth Circuit’s logic in In re Zappos.com, Inc., 888 F.3d 1020, 1029 (9th Cir. 2018), the court explained that “although the specific plaintiffs in that case had not experienced any fraudulent activity, allegations that other customers whose data was compromised in the same data breach had reported fraudulent charges on their credit cards helped establish that the plaintiffs were at a substantial risk of future fraud.”
- Whether the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud: The court explained that the exposure of high-risk information, such as Social Security numbers and dates of birth, is more likely to subject plaintiffs to future harm. Less sensitive and publicly available data, on the other hand, does not carry the same risk.
In discussing these criteria, the court made clear that the above factors are not an exhaustive list, and that each determination of standing requires a fact-specific inquiry with careful examination of the allegations in the complaint. The court also found that when plaintiffs do not allege a substantial risk of future identity theft or fraud, the costs of protective measures taken to prevent future misuse of their data cannot on their own constitute an injury in fact.
Ultimately, the court found that plaintiffs failed to show they were at a substantial risk of future identity theft or fraud sufficient to establish Article III standing. Plaintiffs’ data was not obtained through a targeted cyberattack, and it was not alleged that anyone outside of CLA ever obtained the PII. Furthermore, plaintiffs did not allege that the data of any current or former CLA employee had ever been misused. The fact that the exposed PII contained “high risk information” was not enough on its own to demonstrate an injury in fact.
For defense counsel, McMorris can serve as a roadmap for a potential dispositive motion in data breach actions in which plaintiffs seek to satisfy Article III standing without alleging actual misuse of their data.
Attorneys should also watch for the Supreme Court’s upcoming decision in TransUnion LLC v. Ramirez, which was argued this past March. In TransUnion, SCOTUS will decide whether Article III or Federal Rule of Civil Procedure 23 permits a damages class action when the majority of the class did not suffer an injury comparable to that of the class representative. Regardless of the outcome, SCOTUS’s decision will influence how data breach class actions are handled by courts nationwide.