Last week, the Second Circuit in McMorris v. Carlos Lopez & Assocs., LLC, No. 19-4310, weighed in on whether data-breach plaintiffs can establish Article III standing on the theory that the theft or disclosure of their data exposes them to an increased risk of future identity theft or fraud.  The court held that this “increased-risk” theory of standing is viable in principle, but ruled that it has limits: where, as in McMorris, the circumstances do not suggest a substantial risk of future harm, the theory fails.  The opinion therefore offers some comfort to companies that suffer a data breach and are then subjected to class actions by persons who did not suffer any actual harm as a result.

McMorris arose after an employee of Carlos Lopez & Associates, LLC, a health services company, accidentally sent an e-mail to all 65 of the company’s employees, attaching a spreadsheet containing the personal information – including Social Security numbers, home addresses, dates of birth, and telephone numbers – of 130 then-current and former employees.  Following this inadvertent transmission, three individuals whose personal information was exposed filed a class-action complaint asserting various state-law claims and alleging that they were “at imminent risk of suffering identity theft” and becoming the victims of “unknown but certainly impending future crimes.”

The plaintiffs made these allegations despite the fact that nothing suggested the spreadsheet’s personal information had been shared outside the company or otherwise compromised.  As to past harm allegedly suffered, the plaintiffs contended only that “they cancelled credit cards, purchased credit monitoring and identity theft protection services, and spent time assessing whether they should apply for new Social Security numbers after the email incident.”

Although the parties reached a settlement, the district court, as part of the settlement-approval process, questioned whether the plaintiffs had standing and concluded that they could not establish an Article III injury in fact, prompting an appeal.

On Monday last week, the Second Circuit held that “plaintiffs may establish standing based on an increased risk of identity theft or fraud following the unauthorized disclosure of their data,” but stressed that “the fact that plaintiffs may establish standing based on an ‘increased-risk’ theory does not mean that the Plaintiffs have done so here.”  To guide courts’ analysis of this question, the Second Circuit set out three non-exhaustive factors to consider:

  • The first is “whether the data at issue has been compromised as the result of a targeted attack intended to obtain the plaintiffs’ data.”  In the absence of such an attack, “[w]here plaintiffs fail to present evidence or make any allegations that an unauthorized third party purposefully obtained the plaintiffs’ data, courts have regularly held that the risk of future identity theft is too speculative to support Article III standing.”
  • Second, the court stated that “courts have been more likely to conclude that plaintiffs have established a substantial risk of future injury where they can show that at least some part of the compromised dataset has been misused—even if plaintiffs’ particular data subject to the same disclosure incident has not yet been affected.”  The court offered the example of a breach of an online retailer’s customer database and noted that even if the specific plaintiffs had not experienced fraudulent activity, “allegations that other customers whose data was compromised in the same data breach [would help establish] plaintiffs were at a substantial risk of future fraud.”
  • Third, the court noted that it is important to consider whether the type of exposed data “is more or less likely to subject plaintiffs to a perpetual risk of identity theft or fraud once it has been exposed.”  Some information, such as “Social Security numbers and dates of birth—especially when accompanied by victims’ names,” could make it more “likely that those victims will be subject to future identity theft or fraud.”  But where the data is less sensitive, such as “where a plaintiff’s credit card number was stolen as part of a data breach, but she promptly cancelled her credit card ‘and no other [PII] – such as her birth date or Social Security number – [was] alleged to have been stolen,’” the court has “found that the plaintiff failed to allege ‘how she [could] plausibly face a threat of future fraud.’”  (quoting Whalen v. Michaels Stores, Inc., 689 F. App’x 89, 90 (2d Cir. 2017)).

Beyond these three factors, the court rejected the plaintiffs’ related theory that an injury in fact occurs whenever plaintiffs take steps to protect themselves following a breach: “[W]here plaintiffs take steps to protect themselves following an unauthorized data disclosure, can the cost of those proactive measures alone constitute an injury in fact? We agree with the district court that the answer is ‘no.’ … where plaintiffs have not alleged a substantial risk of future identity theft, the time they spent protecting themselves against this speculative threat cannot create an injury.”  Plaintiffs, the court added, “cannot manufacture standing merely by inflicting harm” on themselves.

For the same reason, any alleged “injury by means of the time and money spent monitoring or changing their financial information and accounts … would fail for the simple reason that the plaintiff has failed to show that she is at a substantial risk of future identity theft, so the time she spent protecting herself against this speculative threat cannot create an injury.”

Applying this framework to the facts, the court held that “this case presents a relatively straightforward situation in which Plaintiffs have failed to show that they are at a substantial risk of future identity theft or fraud sufficient to establish Article III standing.”

The decision thus gives defendants a framework for rejecting standing premised on protective steps that plaintiffs take in an effort to manufacture an injury.

Stay tuned as the courts continue to grapple with new questions related to the unintentional dissemination of personal information.  Find out more about the implications of this decision by contacting any of the authors or your usual DLA Piper relationship attorney.