Second Circuit Lays Down Three Data Breach Standing Factors

Surveying data breach standing law, the Second Circuit recently laid down three non-exclusive criteria for deciding whether an increased risk of identity fraud is sufficient injury to establish standing in a data breach case. The ruling reinforces the difficulty in demonstrating standing absent actual identity fraud.

In McMorris v. Carlos Lopez & Associates, LLC, the defendant company’s employee inadvertently emailed a spreadsheet containing sensitive personally identifiable information (“PII”) to all of the company’s employees. The spreadsheet included Social Security numbers, home addresses, dates of birth, telephone numbers, educational degrees, and dates of hire of approximately 130 then-current and former employees.

Three plaintiffs filed a class-action complaint alleging that the defendant “breached its duty to protect and safeguard [their] personal information and to take reasonable steps to contain the damage caused where such information was compromised.” Plaintiffs did not allege that they had been the victims of fraud or identity theft as a result of the email, nor did they allege that anyone outside of the defendant company had accessed the email. Nonetheless, they claimed that, because their PII had been disclosed, they were “at imminent risk of suffering identity theft” and becoming the victims of “unknown but certainly impending future crimes.” They also alleged that they took proactive measures after learning of the data event, such as cancelling credit cards, purchasing credit monitoring and identity theft protection services, and assessing whether they should apply for new Social Security numbers.

The defendant moved to dismiss for lack of Article III standing, but the parties reached a class settlement before the plaintiffs had to respond. In preparation for the class settlement fairness hearing, the district court sua sponte asked for briefing as to whether the plaintiffs possessed Article III standing. The district court concluded that they did not and dismissed the case. The plaintiffs appealed.

The Second Circuit affirmed. In so doing, the Second Circuit surveyed the law, including the Eleventh Circuit’s recent data breach opinion in I Tan Tsao v. Captiva MVP Restaurant Partners, LLC, and ruled that a risk of future identity theft or fraud stemming from the unauthorized disclosure of a plaintiff’s data could support Article III standing. The court then set forth a non-exhaustive list of criteria for courts to consider when facing a data breach complaint where the alleged injury in fact is an increased risk of identity theft or fraud:

  1. Whether the plaintiffs’ data has been exposed as the result of a targeted attempt to obtain that data;

  2. Whether any portion of the dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and

  3. Whether the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud.

Under the foregoing criteria, the Second Circuit held that the plaintiffs could not establish standing. First, the data breach was an accident, not a targeted attack upon the plaintiffs. Second, the data had not been misused or even disclosed outside of the defendant company. Third, although the court considered the disclosed information sensitive, it held that the information’s sensitivity alone did not constitute an injury in fact. The court also ruled that the plaintiffs’ proactive protection measures after a data breach did not establish standing. The Second Circuit therefore affirmed the district court’s dismissal.

Last month, I wrote about a New York federal district court’s decision in McFarlane v. Altice USA, Inc., in which the court denied a motion to dismiss a data breach suit for lack of standing. The court ruled that an increased risk of identity theft could support Article III standing under the right conditions and held that the plaintiff’s allegations of actual identity theft, combined with the theft of their Social Security numbers, constituted an injury-in-fact. Discussing McFarlane, I wrote:

By focusing on the actual identity thefts and the compromised Social Security numbers, the court identified harms more concrete than the fear of identity theft or the effort expended to mitigate a data breach. . . . McFarlane suggests that data breach complaints that allege actual identity theft or the theft of personally identifiable information will withstand a jurisdiction motion to dismiss better than cases that cannot.

The path McFarlane mapped — a focus on actual identity theft and the sensitivity of the information stolen — has found favor in the Second Circuit. It remains to be seen whether the Supreme Court will follow this trail.
