On April 26, 2021, the Second Circuit Court of Appeals decided the case of McMorris v. Carlos Lopez & Assocs., No. 19-4310, 2021 WL 1603808 (2d Cir. Apr. 26, 2021) and addressed one of the most critical issues in private data breach class actions – whether victims of a data breach can establish Article III standing by alleging they are at an increased risk of identity theft or fraud, even if their personal data has not yet been misused.
Although the district court’s ruling that plaintiffs did not establish standing was upheld, the Second Circuit found that victims of a data breach can establish standing based on a risk of future identity theft or fraud. The court also put forward a three-factor test to determine if standing exists when misuse of plaintiffs’ data has not yet occurred.
The facts of McMorris are relatively straightforward. Defendant Carlos Lopez & Associates LLP (CLA) provided mental and behavioral health services to veterans, service members and their families. In June 2018, a CLA employee accidentally emailed all 65 of his coworkers a spreadsheet containing the personally identifiable information (PII) of approximately 130 current and former employees of CLA. The PII included Social Security numbers, home addresses, dates of birth, telephone numbers, educational degrees and dates of hire.
Three employees who had their PII disclosed filed a class action lawsuit on behalf of class members in California, Florida, Texas, Maine, New Jersey and New York, alleging causes of action for negligence, negligence per se and statutory consumer protection violations. Plaintiffs did not allege that their PII had been misused, and instead claimed that they were “at imminent risk of suffering identity theft.”
During the motion to dismiss stage, the parties agreed to a class settlement, which required court approval. After holding a hearing on the issue of whether plaintiffs possessed Article III standing to bring the suit, the district court denied the motion for approval of the class settlement and dismissed plaintiffs’ claims for lack of subject matter jurisdiction. Plaintiffs appealed.
As we wrote this past February, some circuit courts, including, just recently, the 11th Circuit, have found that there is a circuit split as to whether plaintiffs can establish an injury-in-fact at the pleading stage based on the increased risk of identity theft. The Second Circuit disagreed, noting that “no court of appeals has explicitly foreclosed plaintiffs from establishing standing based on a risk of future identity theft – even those courts that have declined to find standing on the facts of a particular case.” The court stated that it would “therefore join all of our sister circuits” and held that plaintiffs may establish standing based on an increased risk of identity theft or fraud as a result of a data breach.
The court went on to endorse a three-factor test to determine whether the risk of identity theft or fraud is sufficiently “concrete, particularized, and imminent” to confer Article III standing. In its discussion, the court made clear that while all of the factors are relevant to a court’s standing analysis, no single factor is dispositive, and other factors may be considered as well:
In discussing these criteria, the court made clear that the above factors are not an exhaustive list, and each determination of standing requires a fact-specific inquiry with careful examination of the allegations in the complaint. The court also found that when plaintiffs do not allege a substantive risk of future identity theft or fraud, the costs of protective measures to prevent future misuse of their data cannot constitute an injury in fact on their own.
Ultimately, the court found that plaintiffs failed to show they were at substantial risk of future identity theft or fraud sufficient to establish Article III standing. Plaintiffs’ data was not obtained through a targeted cyberattack, and it was not alleged that anyone outside of CLA ever obtained the PII. Furthermore, plaintiffs did not allege that the data of any current or former CLA employee was ever misused. The fact that the exposed PII contained “high risk information” was not enough on its own to demonstrate an injury in fact.
For defense counsel, McMorris can serve as a roadmap for a potential dispositive motion in data breach actions in which plaintiffs seek to satisfy Article III standing without alleging actual misuse of their data.
Attorneys should also look out for the Supreme Court’s upcoming decision in TransUnion LLC v. Ramirez, which was argued last March. In TransUnion, SCOTUS will decide whether Article III or Federal Rule of Civil Procedure 23 permits a damages class action when the majority of the class did not suffer an injury comparable to that of the class representative. Regardless of the outcome, SCOTUS’s decision will influence how data breach class actions are handled by courts nationwide.