In a thoughtful opinion that diverges from how other circuit courts have addressed the issue, the Second Circuit recently issued a ruling clarifying the circumstances when data breach plaintiffs can rely on fear of identity theft to establish Article III standing.
The case is McMorris v. Carlos Lopez & Associates, LLP (CLA). CLA offers mental and behavioral health services to veterans, service members and their families. An employee at CLA accidentally emailed a spreadsheet containing social security numbers and other sensitive personal information of 130 CLA employees and former employees to CLA staff. Plaintiffs later initiated a class action in the Southern District of New York on behalf of all employees and former employees whose personal information was erroneously emailed, asserting negligence and consumer protection claims. The complaint did not allege that any plaintiff was the victim of identity theft or that anyone outside of CLA had obtained the spreadsheet. Rather, plaintiffs asserted that they cancelled their credit cards and purchased credit monitoring to guard against “imminent” identity theft. The Southern District dismissed the complaint on the grounds that plaintiffs had not asserted an injury sufficient to establish Article III standing.
On appeal, the Second Circuit ruled that fear of identity theft can be sufficient for Article III standing, but held that the plaintiffs hadn’t established a substantial risk of identity theft in this particular case. Perhaps the most notable aspect of the opinion is the Second Circuit’s contention that the often-claimed “circuit court” split on the issue of whether fear of identity theft is sufficient for Article III standing is illusory. Synthesizing the case law, the Second Circuit found that, in fact, no circuit court had ever held that a plaintiff lacks standing where the plaintiff had adequately pleaded a substantial risk of identity theft. In the Second Circuit’s view, the cases instead differ on what constitutes a “substantial risk of identity theft.”
To that end, the Second Circuit identified three factors for courts to analyze in assessing whether there is a substantial risk of identity theft: (1) whether the plaintiff’s data was exposed; (2) whether other consumers’ data that was also exposed has been misused; and (3) whether the data is sensitive and of a type likely to be misused.
Additionally, the Second Circuit addressed another often debated issue in data breach litigation: does spending money to guard against potential harm alone constitute an injury in fact? The Second Circuit ruled that even de minimis time and money spent to protect against identity theft can establish Article III standing where there is a substantial risk of identity theft.
McMorris may prove to be a landmark opinion. The Second Circuit’s opinion is the first to set forth a list of factors for courts to assess when determining whether there is a substantial risk of identity theft, and it is likely that litigants, and potentially other courts, will cite the McMorris factors in future cases. Beyond the substantial risk test, plaintiffs and defendants will likely cite different aspects of the Second Circuit’s opinion to advance their arguments. Data breach plaintiffs will cite McMorris for the proposition that fear of future identity theft can establish standing, and to argue that there is not a circuit court split on this issue. Defendants, on the other hand, will cite the Second Circuit’s ruling that out-of-pocket expenses to guard against identity theft do not automatically create standing.