Articulating Injury in Data Breach Cases

The first Article III standing requirement — injury in fact — tends to be the most contested standing issue in data breach cases. In the aftermath of a data breach, the extent of harm done is often unknown. Plaintiffs in data breach cases are thus more likely to allege a future injury, such as an increased risk of identity theft or fraud, rather than a tangible, present injury. This situation has forced federal courts to grapple with the question of when allegations of future injury are no longer “too speculative” to constitute an injury in fact.⁴

A Likely Scenario: An Errant Email Results in an Unauthorized Disclosure of Employees’ Personal Data

The McMorris case arose out of an accidental disclosure of personally identifiable information (“PII”) at Carlos Lopez & Associates (“CLA”), which provides mental and behavioral health services to veterans, service members, and their families. In June 2018, a CLA employee accidentally sent an email to all of the approximately 65 employees at the company, attaching a spreadsheet containing current and former employees’ PII, including Social Security numbers, home addresses, dates of birth, telephone numbers, educational degrees, and dates of hire. There was no allegation that the information was shared outside of CLA.

Following the unauthorized disclosure, three CLA employees filed a class action complaint against CLA and its principal for negligence, negligence per se, and statutory consumer protection violations on behalf of classes in California, Florida, Texas, Maine, New Jersey, and New York. The plaintiffs alleged that CLA breached its duty to protect their personal information and to take reasonable steps to contain the damage caused where such information was compromised. While none of the plaintiffs had been victims of fraud or identity theft as a result of the data breach, they claimed injury based on an alleged imminent risk of identity theft and the fact that they had been forced to cancel credit cards, purchase identity theft protection services, and spend time assessing whether they should apply for new Social Security numbers.

After the defendants moved to dismiss, the parties reached a proposed settlement and sought approval from the district court. The court, however, declined to approve the settlement and dismissed the case for lack of standing, finding that the plaintiffs had failed to allege an actual or imminent injury.⁵ In doing so, the court observed that it was a “misnomer to even call this case a ‘data breach’ case,” since “[a]t best, the data was ‘misplaced’” by a CLA employee.⁶

The Second Circuit Opens the Door to Plaintiffs Who Can Show a Risk of Future Identity Theft or Fraud

On appeal, the Second Circuit held that plaintiffs in data breach cases may establish Article III standing based on an “increased-risk” theory.⁷ According to the court, “requiring plaintiffs to allege that they have already suffered identity theft or fraud as the result of a data breach would seem to run afoul of the Supreme Court’s recognition that ‘[a]n allegation of future injury may suffice to establish Article III standing.’”⁸

Next, the court endorsed a non-dispositive, non-exhaustive list of factors that bear on whether the risk of identity theft or fraud is sufficiently “concrete, particularized, and … imminent.”⁹ Those factors are as follows:

1. Whether the plaintiffs’ data has been exposed as the result of a targeted attempt to obtain that data. While none of the factors is dispositive, the court emphasized that this factor is the most important.¹⁰ When a data breach is the result of a targeted attack, the likelihood of future identity theft or fraud is generally sufficient to confer standing because “[p]resumably, the purpose of the hack is … to make fraudulent charges or assume those consumers’ identities.”¹¹
2. Whether any portion of the compromised dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud. This factor includes evidence that other individuals whose data was compromised in the same data breach experienced fraudulent activity, as well as “evidence that plaintiffs’ data is already being misused, even if that misuse has not yet resulted in an actual or attempted identity theft.”¹²
3. Whether the type of data that has been exposed is sensitive, such that there is a high risk of identity theft or fraud. A data breach involving high-risk information such as Social Security numbers and dates of birth makes it more likely that the victims will be subject to future identity theft or fraud. Less sensitive data (i.e., “publicly available information, or data that can be rendered useless to cybercriminals”¹³) does not pose the same risk of future identity theft or fraud.

Applying these factors, the Second Circuit held that plaintiffs failed to show they were at a substantial risk of future identity theft or fraud. The first factor weighed against plaintiffs because their data was never obtained deliberately or otherwise by anyone outside CLA. As such, any risk of future identity theft was too attenuated, especially in light of the fact that CLA’s employees regularly dealt with highly sensitive personal information. The second factor also weighed against plaintiffs because none of the data was misused as a result of the inadvertent disclosure. While the third factor cut in plaintiffs’ favor, the sensitive nature of the data alone did not, by itself, establish that plaintiffs were at a substantial risk of future identity theft or fraud. Absent a showing of a substantial risk of future injury, the court was unwilling to find that the time and money plaintiffs spent protecting themselves against a “speculative threat” qualified as a cognizable injury¹⁴ and the court affirmed the dismissal of the complaint for lack of Article III standing.

Takeaways and What this Means for You

1. McMorris will be cited by both plaintiffs and defendants

Given the lack of guidance from the Supreme Court on standing in data breach cases, McMorris will likely be cited by courts both within and outside the Second Circuit. The Second Circuit’s attempt to synthesize prior federal data breach cases also makes McMorris a good starting point for both plaintiffs and defendants in these cases. McMorris is pro-plaintiff insofar as it opens the door to plaintiffs who can show they are at a substantial risk of some future misuse of their data. However, McMorris can also be cited by defendants, particularly those who have experienced a data breach as the result of an all too common accidental disclosure because, without more to establish the likelihood of identity theft or fraud, such a fact pattern would fail to establish standing based on these factors. Defendants generally will also be able to rely on the Second Circuit’s rejection of mitigation costs (i.e., time spent cancelling credit cards) as independent grounds for establishing a cognizable injury.

2. While McMorris opens the door to plaintiffs who can allege a substantial risk of future injury, defendants likely cannot be held liable for such injuries

Following the Second Circuit’s decision in McMorris, the question of damages in cases where plaintiffs have not suffered actual injury is likely going to be on the minds of many companies’ in-house counsel. While this issue has not been addressed by the Second Circuit, companies may look to the D.C. Circuit and the U.S. District Court for the District of Columbia for guidance. In Attias v. CareFirst, Inc., the D.C. Circuit held that insureds whose personal information was stolen during a data breach plausibly alleged a substantial risk of future injury and thus had standing to sue CareFirst, a health insurance provider, for breach of contract, negligence, and violations of various state consumer-protection statutes.¹⁵ On remand, the district court addressed whether plaintiffs’ causes of action should be dismissed for failure to plead actual damages. Siding with CareFirst, the court concluded that “the mere threat of misuse of personal information would not be sufficient to state a claim for actual damages.”¹⁶ According to the court, only the plaintiffs that “alleged actual misuse” were able to recover damages.

3. McMorris highlights the potentially important role of encryption in a company’s information security program

Encryption can play a key role in limiting companies’ exposure in the event of an accidental loss or disclosure of data. Ensuring that personal information, especially “high-risk” personal information such as Social Security numbers and dates of birth, is encrypted at rest and in transit can protect against human error. Accidental emails and the loss or theft of company phones, laptops, and other devices are common. Strong encryption, with a separately stored key, can provide a backstop to compliance programs because it further decreases any risk that the lost or disclosed personal information can be misused by unintended third-party recipients.

4. McMorris leaves at least two key questions unanswered

In McMorris, the Second Circuit noted that it was “express[ing] no view on the separate but related question of whether plaintiffs may allege a present injury in fact stemming from the violation of a statute designed to protect individuals’ privacy, which primarily involves the application of the Supreme Court’s decision in Spokeo, Inc. v. Robins ….”¹⁷ In Spokeo, the Supreme Court held that even an “intangible harm” will be sufficient to establish a present injury if it either “has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts,” or is one that Congress has otherwise “elevat[ed] to the status of legally cognizable injuries.”¹⁸ While some federal courts have interpreted Spokeo to mean that the violation of a privacy statute is sufficient to establish an Article III injury,¹⁹ this privacy-based theory of standing remains uncertain in the Second Circuit.

Standing issues in data breach cases may also be impacted by the Supreme Court’s forthcoming decision in TransUnion LLC v. Ramirez.²⁰ In Ramirez, the Court is considering whether Article III or Federal Rule of Civil Procedure 23 permits a damages class action when the vast majority of the class suffered no actual injury. The Court heard oral argument on March 30, 2021 and is expected to issue a decision in June 2021. Vinson & Elkins will continue to monitor and provide updates on these issues.

*Lara McMahon is a law clerk in our Washington DC office.

¹ Galaria v. Nationwide Mut. Ins. Co., 663 F. App’x 384, 387–89 (6th Cir. 2016); Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 692, 694–95 (7th Cir. 2015); Krottner v. Starbucks Corp., 628 F.3d 1139, 1142–43 (9th Cir. 2010); Attias v. Carefirst, Inc., 865 F.3d 620, 629 (D.C. Cir. 2017).

² See Reilly v. Ceridian Corp., 664 F.3d 38, 44 (3d Cir. 2011) (distinguishing analogous cases from the Ninth and Seventh Circuits on their facts instead of rejecting the “increased-risk” theory altogether); Beck v. McDonald, 848 F.3d 262, 275 (4th Cir. 2017) (“[W]e may … find standing based on a ‘substantial risk’ that the harm will occur ….”); In re SuperValu, Inc., 870 F.3d 763, 773 (8th Cir. 2017) (declining to hold that “evidence of misuse following a data breach is necessary for a plaintiff to establish standing”); Tsao v. Captiva MVP Rest. Partners, LLC, 986 F.3d 1332, 1343 (11th Cir. 2021) (“[A]s our sister Circuits have recognized, evidence of actual misuse is not necessary for a plaintiff to establish standing following a data breach.”).

³ McMorris v. Carlos Lopez & Assocs., LLC, No. 19-4310, 2021 WL 1603808, at *3 (2d Cir. Apr. 26, 2021), available at https://www.ca2.uscourts.gov/decisions/isysquery/443c2085-6c11-4fce-b3b4-12a3f2a7a0f9/1/doc/19-4310_opn.pdf#xml=https://www.ca2.uscourts.gov/decisions/isysquery/443c2085-6c11-4fce-b3b4-12a3f2a7a0f9/1/hilite/.

⁴ Clapper v. Amnesty Int’l USA, 568 U.S. 398, 410 (2013).

⁵ Steven v. Carlos Lopez & Assocs., LLC, 422 F. Supp. 3d 801, 804 (S.D.N.Y. 2019).

⁶ Id. at 806 n.3.

⁷ See McMorris, 2021 WL 1603808, at *3 (“We therefore join all of our sister circuits that have addressed the issue in holding that plaintiffs may establish standing based on an increased risk of identity theft or fraud following the unauthorized disclosure of their data.”).

⁸ Id. (quoting Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158 (2014)).

⁹ Id. at *4 (quoting Thole v. U.S. Bank, N.A., 140 S. Ct. 1615, 1618 (2020)).

¹⁰ See id. (“First, and most importantly, our sister circuits have consistently considered whether the data at issue has been compromised as the result of a targeted attack intended to obtain the plaintiffs’ data.”).

¹¹ Id. (quoting Remijas, 794 F.3d at 693).

¹² Id.

¹³ Id. at *5.

¹⁴ See id. (“[W]here plaintiffs ‘have not alleged a substantial risk of future identity theft, the time they spent protecting themselves against this speculative threat cannot create an injury.’”) (quoting In re SuperValu, Inc., 870 F.3d at 771).

¹⁵ Attias, 865 F.3d at 629.

¹⁶ Attias v. CareFirst, Inc., 365 F. Supp. 3d 1, 12 (D.D.C. 2019), appeal dismissed, 969 F.3d 412 (D.C. Cir. 2020), and on reconsideration in part, No. 15-CV-00882, 2021 WL 311000 (D.D.C. Jan. 29, 2021).

¹⁷ Id. at *3 n.3.

¹⁸ Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1549 (2016).

¹⁹ See, e.g., In re Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F.3d 625, 634–35 (3d Cir. 2017) (violation of customers’ statutory rights under the Fair Credit Reporting Act in connection with two laptops containing unencrypted personal information that were allegedly stolen from health insurer’s headquarters was a de facto injury that satisfied the Article III standing requirement).

²⁰ TransUnion LLC v. Ramirez (No. 20-273), Oyez, https://www.oyez.org/cases/2020/20-297.