I’m Still Standing: Plaintiffs Defeat Jurisdictional Challenge in New York Federal Court
A New York federal district court has stepped in to fill the gap that the Second Circuit has left open and held that a “substantial risk of identity theft” constitutes a sufficiently concrete injury to support Article III standing. Given the current state of Second Circuit data breach standing law, this case may influence Second Circuit jurisprudence for a while to come.
In McFarlane v. Altice USA, Inc., No. 20-CV-1297 (JMF), cyber criminals targeted defendant Altice USA, Inc. (“Altice”), one of the largest television and communications providers in the United States, with a phishing attack that allegedly enabled the criminals to access and download Altice employees’ mailbox contents. A forensic investigation revealed that one of the downloaded email inboxes contained a password-protected, but unencrypted, document with the names, employment information, dates of birth, social security numbers, and, in some instances, driver’s license numbers of 52,846 current and former Altice employees.
Altice notified the affected employees, and nine former employees brought suit. Three of these nine suffered identity theft in the months following the breach, including the use of their personal identifying information (“PII”) to open credit cards in their names. In one case, an identity thief interfered with a plaintiff’s refinancing process, which allegedly may have prevented him from taking advantage of "historically low interest rates.
Altice moved to compel arbitration for several of the plaintiffs and moved to dismiss the remaining claims for lack of standing. With respect to standing, Altice argued that the non-arbitrable harms alleged only “hypothetical” injuries, which did not suffice to invoke Article III jurisdiction.
Deferring on the issue of arbitrability pending further submissions, the court “easily resolved” Altice’s motion to dismiss. The court noted that a Second Circuit summary order — Whalen v. Michaels Stores, Inc., 689 F. App’x 89 (2d Cir. 2017) — noted with apparent approval cases data breach decisions from the Seventh Circuit, which considers a reasonable fear of identity theft a sufficient Article III injury. Based on this citation, the Court suggested that the Second Circuit might follow case law from the Seventh, Sixth, and District of Columbia Circuits in this regard, which distinguishing cases from the more stringent Third and Eighth Circuits.
From this suggestion, the court had “little difficulty” concluding that all nine Plaintiffs plausibly alleged injury in fact. In so holding, the court noted that three plaintiffs had actually suffered identity theft, which heightened the risk to all of the plaintiffs. The court also noted that all of the plaintiffs had alleged the theft of their Social Security numbers, which the court considered “arguably the most dangerous type of personal information in the hands of identity thieves” in light of their immutability and usefulness in identity theft. “In sum,” the court concluded, “based on the great weight of authority, all nine Plaintiffs easily establish that they have suffered an injury in fact within the meaning of Article III.”
McFarlane ably navigates the split between circuits with respect to data breach standing. The Sixth, Seventh, and District of Columbia Circuits consider a heightened risk of identity theft an injury sufficient to support Article III standing, whereas the Third, Fourth, and Eighth Circuits — recently joined by the Eleventh Circuit — hold that more substantial harm is needed. (Indeed, the Eleventh Circuit relied heavily on Whalen to deny standing.) By focusing on the actual identity thefts and the compromised Social Security numbers, the court identified harms more concrete than the fear of identity theft or the effort expended to mitigate a data breach. Thus, McFarlane charts a resolution of this circuit split that the Supreme Court may eventually adopt.
McFarlane suggests that data breach complaints that allege actual identity theft or the theft of personally identifiable information will withstand a jurisdiction motion to dismiss better than cases that cannot. Data breach defendants should examine the complaint for such allegations in considering whether to challenge standing. Even if those allegations are absent, they should investigate whether the plaintiffs could credibly amend their complaint to include such charges in response to a motion to dismiss.