In McMorris v. Carlos Lopez & Assocs., LLC, No. 19-4310 (2d Cir. Apr. 27, 2021), the Second Circuit holds that state-law claims for an intraoffice data leak may constitute an “actual injury” for Article III standing purposes, though in this case plaintiffs factually failed to allege an injury for taking “proactive measures.”
Defendant CLA “provides mental and behavioral health services to veterans, service members, and their families and communities. In June 2018, a CLA employee accidentally sent an email to all of the approximately 65 employees at the company. Attached to the email was a spreadsheet containing sensitive personally identifiable information (‘PII’) – including Social Security numbers, home addresses, dates of birth, telephone numbers, educational degrees, and dates of hire – of approximately 130 then current and former CLA employees.”
Three plaintiffs filed a class action on behalf of current and former employees, asserting state-law tort and consumer-protection claims and alleging that CLA “breached its duty to protect and safeguard [their] personal information and to take reasonable steps to contain the damage caused where such information was compromised.” There were no allegations of misuse of the revealed data, though plaintiffs alleged that they had to take precautions to protect themselves from possible future fraud.
The class action settled. At the Fed. R. Civ. P. 23(e) fairness hearing, the district court raised the issue of whether the plaintiffs had standing. Ultimately, the court held that “unlike the cases in which other circuits have held that data breach victims have established standing based on a risk of future identity theft, Plaintiffs here did not allege that their data had been misused in any way or compromised as the result of an intentionally targeted data theft.”
The Second Circuit affirms. “This Court has not yet addressed whether a plaintiff may establish standing based on a risk of future identity theft or fraud stemming from the unauthorized disclosure of that plaintiff’s data.” Reviewing the case law of the other circuits, the panel notes that “no court of appeals has explicitly foreclosed plaintiffs from establishing standing based on a risk of future identity theft – even those courts that have declined to find standing on the facts of a particular case . . . . [We] join all of our sister circuits that have specifically addressed the issue in holding that plaintiffs may establish standing based on an increased risk of identity theft or fraud following the unauthorized disclosure of their data.”
Nevertheless, the panel concludes that the factors other courts hold “weigh in favor of finding an Article III injury in fact” were not present here. “First, and most importantly, our sister circuits have consistently considered whether the data at issue has been compromised as the result of a targeted attack intended to obtain the plaintiffs’ data . . . . Second, while not a necessary component of establishing standing, courts have been more likely to conclude that plaintiffs have established a substantial risk of future injury where they can show that at least some part of the compromised dataset has been misused – even if plaintiffs’ particular data subject to the same disclosure incident has not yet been affected . . . . Finally, courts have looked to the type of data at issue, and whether that type of data is more or less likely to subject plaintiffs to a perpetual risk of identity theft or fraud once it has been exposed.”
In this complaint, the only injury alleged was that “plaintiffs [took] steps to protect themselves following an unauthorized data disclosure.” So “can the cost of those proactive measures alone constitute an injury in fact? We agree with the district court that the answer is ‘no.’ . . . . [W]here plaintiffs ‘have not alleged a substantial risk of future identity theft, the time they spent protecting themselves against this speculative threat cannot create an injury.’”