In McMorris v. Carlos Lopez & Associates, LLC, 995 F.3d 295 (2nd Cir. 2021), employees of Carlos Lopez & Associates, LLP (“CLA”), an organization which provides mental and behavioral health services to veterans, brought a putative class action against CLA for the inadvertent disclosure of certain sensitive personally identifiable information (“PII”). According to the complaint, an employee of CLA had inadvertently disclosed the PII of approximately 130 current and former CLA employees by circulating a companywide email that included an attached spreadsheet divulging the social security number, home addresses, dates of birth, telephone numbers, educational degrees, and dates of hires of the affected employees. Devonne McMorris and two other affected employees filed a class action asserting state-law claims for negligence, negligence per se, and statutory consumer protection violations on behalf of classes in California, Florida, Texas, Maine, New Jersey, and New York.
The Plaintiffs alleged that CLA had breached its duty to protect and safeguard their PII and to take reasonable steps to contain the damage. Plaintiffs did not allege that they had been the victims of fraud or identity theft as a result of the errant email and instead alleged that they were “at imminent risk of suffering identity theft” and becoming the victims of “unknown but certainly impending future crimes”. Moreover, while Plaintiffs did not allege that the PII in the spreadsheet had been shared with anyone outside of CLA or had been misused by any third parties, Plaintiffs alleged that they had cancelled their credit cards and purchased credit monitoring and identity theft protection services and had considered obtaining new social security numbers as a result of the incident.
CLA moved to dismiss the complaint for, among other things, lack of Article III standing but the parties reached a class settlement prior to the Plaintiffs’ deadline to file a response. The district court was asked to approve the settlement but refused to do so until the Article III standing issue had been resolved. Following a fairness hearing to consider the settlement, the district court issued an opinion in which it concluded that “Plaintiffs lacked Article III standing because they failed to allege ‘an injury that is concrete and particularized and certainly impending’”. The district court emphasized that “the parties concede that there is no evidence that any class members’ identity was actually stolen…let alone misused” and that, because the disclosure was inadvertent, there was no reason to apply the inference of likely future misuse that is reserved for intentional data breach cases. The district court thereafter rejected the settlement and dismissed the complaint.
The Second Circuit affirmed upon the conclusion that the district court had correctly refused to find Article III standing on the basis of a speculative future harm and/or the Plaintiffs’ self-inflicted injuries of paying for credit monitoring and identity theft protections services to address imaginary risks that had not been shown to pose an imminent threat of harm. Relying on the Supreme Court’s holding in Clapper v. Amnesty Int’l USA, 568 U.S. 398, 409-10 (2013), and its progeny, the Second Circuit reiterated that “allegations of possible future injury” are insufficient to confer standing and that “a future injury constitutes an Article III injury in fact only if the threatened injury is certainly impending, or there is a substantial risk that the harm will occur.”
The Second Circuit conceded that it had not yet addressed “whether a plaintiff may establish standing based on a risk of future identity theft or fraud stemming from the unauthorized disclosure of that plaintiff’s data” and noted that “[s]ome courts have suggested that there is a circuit split on the issue.” Rejecting that notion, however, the Second Circuit observed that “in actuality, no court of appeals has explicitly foreclosed plaintiffs from establishing standing based on a risk of future identity theft – even those courts that have declined to find standing on the facts of a particular case.”
In an effort to harmonize the supposedly conflicting rulings of the Sixth, Seventh, Ninth, and D.C. Circuit Courts (which have all recognized that a plaintiff can establish an injury-in-fact based on the increased risk of identity theft) with the rulings of the Third, Fourth, and Eighth Circuit Courts (which ostensibly have held to the contrary), the Second Circuit pointed out that all of the Circuits are utilizing the same factors to conduct this analysis. Those factors, while non-exhaustive, include “(1) whether the plaintiffs’ data has been exposed as the result of a targeted attempt to obtain that data; (2) whether any portion of the dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and (3) whether the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud.”
In the view of the Second Circuit, the perceived Circuit split is likely due to an underappreciation of the inherently fact-specific inquiry required for any standing analysis. In the case of the affected CLA employees, the Second Circuit explained that “the fact that plaintiffs may establish standing based on an ‘increased-risk’ theory does not mean that the Plaintiffs have done so here” and affirmed the lower court’s dismissal. The Second Circuit makes clear however that its denial of these specific claims is not a rejection of the increased-risk theory itself and that neither its holding, nor the holdings of the Circuit Courts that have affirmed the dismissal of similar claims, on the basis of the particular facts in those cases, should be viewed in that manner. Hence, according to the Second Circuit, contrary to popular belief, there is no Circuit split on this issue.