On April 26, 2021, the Second Circuit considered—for the first time in a published decision—the question of Article III standing in the context of a data security case. In McMorris v. Carlos Lopez & Associates LLC, the court joined a chorus of others in finding that plaintiffs’ allegations of an increased risk of future identity theft, without more, were insufficient to support Article III standing.
- McMorris stems from a June 2018 email a Carlos Lopez & Associates employee accidentally sent to all of the approximately 65 other employees of the company. The email attached a spreadsheet that contained the Social Security numbers, home addresses, dates of birth, telephone numbers, educational degrees, dates of hire, and other personally identifiable information of approximately 130 then-current and former employees. Three of the individuals whose information was contained in the spreadsheet brought a putative class action in the Southern District of New York, asserting claims for negligence, negligence per se, and violations of various state consumer protection statutes. In support of their alleged damages, they claimed they cancelled credit cards, purchased credit monitoring and identity theft protection services, and took time considering other prophylactic measures to protect themselves.
- Carlos Lopez & Associates moved to dismiss, arguing, among other things, that the plaintiffs had not alleged an injury-in-fact sufficient to confer standing. Before briefing on that motion was complete, the parties reached a settlement and the plaintiffs moved for approval of that settlement. The district court sua sponte ordered further briefing on the issue of standing and later dismissed the case for lack of subject-matter jurisdiction, concluding that it was “powerless to approve the parties’ proposed class settlement” due to the standing infirmity. The plaintiffs appealed, and the Second Circuit affirmed.
- The Second Circuit began its analysis by stating that it was “join[ing] all [its] sister circuits that have specifically addressed the issue in holding that plaintiffs may establish standing based on an increased risk of identity theft or fraud following the unauthorized disclosure of their data.” While the Second Circuit concluded that the circuit courts uniformly hold that an increased risk of identity theft is adequate on its own to support standing—even when the plaintiffs have not yet themselves been the victims of identity theft or fraud—it recognized that other courts have “suggested” a circuit split on the issue. The Second Circuit, however, found no split because “no court of appeals has explicitly foreclosed” plaintiffs from establishing standing based on a risk of future identity theft—and reasoned that such a wholesale rejection would run afoul of the Supreme Court’s recognition that allegations of future injury can confer Article III standing “if the threatened injury is certainly impending, or there is a substantial risk that the harm will occur.” Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158 (2014).
- The court then articulated three “non-exhaustive factors” relevant to whether an increased risk of harm flowing from a data breach is sufficient to establish standing: “(1) whether the plaintiffs’ data has been exposed as the result of a targeted attempt to obtain that data; (2) whether any portion of the dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and (3) whether the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud.”
- Applying these factors to the data disclosure in the case before it, the court found that the first factor was not present because the email at the center of the case was sent inadvertently. The second factor was not present because the plaintiffs did not allege any facts that even suggested that any of the data attached to the email at issue was misused, let alone plaintiffs’ data. And though the court found that the third factor was present because it viewed the data disclosed (e.g., Social Security numbers) as of a sensitive nature, it also found that this factor alone was not enough to support standing. In so finding, the court observed that it was “simply not[ing] that plaintiffs do not necessarily suffer an injury in fact any and every time there has been a disclosure involving more sensitive data.”
- In a similar vein, the court observed that plaintiffs who have not otherwise adequately shown standing cannot establish it based on the money or time they expended to protect themselves in response to a data breach alone, following the Supreme Court’s guidance in Clapper v. Amnesty Int’l USA, 568 U.S. 398, 401 (2013), that plaintiffs “cannot manufacture standing by choosing to make expenditures based on hypothetical future harm that is not certainly impending.”
- McMorris highlights the fact-specific nature of the standing inquiry in data security litigation. But it is just the latest of a litany of cases to find that an unauthorized disclosure of data and the increased risk of identity theft that plaintiffs assert may flow from such a disclosure, without more, are insufficient to confer Article III standing. And McMorris’s three factors provide defendants with a roadmap of factual arguments they can make to defeat standing in such cases in the Second Circuit and beyond.