Is there standing to bring a lawsuit when an employee’s personal information is mistakenly circulated to all employees at the company? A recent decision addressed exactly this question. In McMorris v. Carlos Lopez & Assocs., LLC, No. 19-4310, 2021 WL 1603808 (2d Cir. Apr. 26, 2021), the Second Circuit affirmed the district court in finding that the harm plaintiffs alleged (an increased risk of identity theft) was too speculative and remote to satisfy the injury-in-fact requirement of Article III standing. However, the court did not completely shut the door on this theory of harm, holding that an “increased risk” of identity theft could, under certain circumstances, qualify as an injury-in-fact for purposes of Article III standing. In doing so, the Second Circuit aligned with a number of its sister circuits which had previously recognized the potential validity of this approach.
McMorris involved an incident in which an employee of Carlos Lopez & Associates (“CLA”) accidentally sent an email to all company employees that attached a spreadsheet containing personally identifiable information (“PII”) – including, inter alia, Social Security numbers, home addresses, and dates of birth – of approximately 130 then-current and former CLA employees. Two weeks later, CLA emailed its then-current employees to address the accidental email, but it did not contact any former employees regarding the disclosure or take any other corrective action.
Three individuals whose information had been shared then brought a proposed class action alleging a variety of state law claims, including negligence and violation of various consumer protection statutes. While they did not allege that the PII in the spreadsheet was ever shared with anyone outside of CLA or misused by any third parties, the plaintiffs claimed that they had been forced to take steps – including canceling credit cards and purchasing credit monitoring and identity theft protection services – to protect themselves from possible harm from the disclosure. They claimed that they were “at imminent risk of suffering identity theft” and becoming the victims of “unknown but certainly impending future crimes.”
The parties reached a proposed class settlement not long after the start of litigation, but the District Court sua sponte ordered briefing on whether the plaintiffs had satisfied the requirements of Article III standing. The court ultimately declined to approve the settlement, ruling that the plaintiffs lacked standing. In doing so, the court stated that “the gravamen of the claim in this case is that defendants essentially acted with insufficient care by sharing [PII] of class members with employees within the company.” The court held that the plaintiffs had failed to allege facts indicating that they faced “certainly impending” identity theft or fraud, or even a “substantial risk” of such harm. Unlike the cases in which other circuits have held that data breach victims have established standing based on a risk of future identity theft, the plaintiffs in McMorris did not allege that their data had been misused in any way or compromised as the result of an intentionally targeted data theft.
The Second Circuit affirmed the dismissal. But in doing so, the court held that “plaintiffs may establish standing based on an increased risk of identity theft or fraud following the unauthorized disclosure of their data.” The court then laid out three non-exclusive factors that courts have most frequently considered in determining when victims of a data breach have adequately alleged injury-in-fact in this context:
- Whether the plaintiff’s data was exposed as the result of a targeted attempt to obtain that data;
- Whether any portion of the dataset has already been misused, even if the plaintiffs themselves have not yet been the victims of identity theft or fraud; and
- Whether the type of data that has been exposed is sensitive, such that there is a high risk of identity theft or fraud.
The court was clear that these factors were neither necessary nor sufficient, only that they bear on whether the risk of identity theft or fraud is sufficiently “concrete, particularized, and . . . imminent.” The Second Circuit then concluded that the plaintiffs failed to establish an injury-in-fact because only one of the three factors cut in their favor. As to the first factor, the breach in McMorris was accidental, and was caused by the carelessness of an internal employee, rather than the malicious actions of an external bad actor. As to the second factor, there was no evidence that any information in the dataset had been misused. And finally, while the data at issue was sensitive, this factor alone could not establish standing. Relying on the Supreme Court’s guidance in Clapper v. Amnesty International, 568 U.S. 398 (2013), the court further noted that the plaintiffs could not “manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.” 568 U.S. at 416.
The Second Circuit’s opinion is just the latest development in the federal courts’ ongoing efforts to grapple with standing in data breach cases in the wake of Spokeo. The court in McMorris was careful to sidestep any Spokeo issues by characterizing that decision as involving the “separate but related question of whether plaintiffs may allege a present injury in fact stemming from the violation of a statute designed to protect individuals’ privacy.” But the interplay of consumer protection statutes, present injuries, and the risk of future injuries will continue to generate thorny issues. In this uncertain legal landscape, companies should be aware that they could face liability for data breaches even if no harm from exposed data has yet come to pass, making data privacy and compliance policies that much more crucial.