Second Circuit: Plaintiffs Have Standing to Sue for Increased Risk of Identity Theft

Background

The case, McMorris v. Carlos Lopez & Assocs., LLC, No. 19-4310, 2021 WL 1603808 (2d Cir. Apr. 26, 2021), involved the inadvertent disclosure of personal data by an employee of Defendant, Carlos Lopez & Associates LLP. The employee accidentally emailed all 65 of Defendant’s employees a spreadsheet containing the personal data of approximately 130 current and former employees of Defendant, including Social Security numbers, dates of birth, home addresses, telephone numbers, educational degrees, and dates of hire. This action constituted a data breach under New York, California, Florida, New Jersey, Texas, and Maine laws which generally define a data breach to include the disclosure of personally identifiable information, such as an individual’s Social Security number.

Three of the 130 employees subsequently filed a putative class action lawsuit against Defendant, alleging negligence and violations of state consumer protection statutes. Notably, the Plaintiffs did not base their claims on the misuse of their data but rather on the “imminent risk of suffering identity theft.” While the Plaintiffs’ claims were ultimately dismissed for lack of subject matter jurisdiction, the Court nonetheless decided, as a matter of first impression, that plaintiffs may establish Article III standing based on an increased risk of identity theft or fraud following the unauthorized disclosure of their personal data. To be more specific, Article III standing is the minimum showing a plaintiff must demonstrate to invoke the authority of the federal courts.

The Three-Factor Test

In its decision, the Court put forth the following, non-exhaustive three-factor test for determining whether the risk of identity theft or fraud is sufficient to confer Article III standing:

1. Whether the plaintiffs’ data has been exposed as the result of a targeted attempt to obtain that data.
2. Whether any portion of the dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud.
3. Whether the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud.

While the Court stated that no one factor is dispositive, it did assert that the first factor – whether the plaintiffs’ data has been exposed as the result of a targeted attempt to obtain that data – is the most important factor. The Court reasoned that if a third party purposefully breached personal data, it can be presumed that the underlying intent is to use this data for fraudulent purposes.

Conversely, where such intent is absent, the risk of future identity theft is potentially too speculative to establish a substantial risk of harm.

Here, the Plaintiffs failed to satisfy the above-articulated three-factor test because the personal data was not obtained through a targeted cyberattack, and the plaintiffs did not allege that breached data was ever misused. While the plaintiffs may have satisfied factor three, the fact that the exposed data was sensitive and contained “high risk” information was insufficient on its own to demonstrate an injury. Thus, the Court held that in this case, the plaintiffs failed to demonstrate they were at increased risk of identity theft or fraud sufficient to confer Article III standing.

Notably, the Court appeared to distinguish this decision from the seminal case, Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 194 L.Ed.2d 635 (2016), stating that it did not address the separate issue raised by Spokeo, namely whether plaintiffs may allege a present injury stemming from the violation of a statute designed to protect individuals’ privacy.

Takeaways

While courts are still wrestling with the treatment of Article III standing in personal data breach cases, this decision may serve as an indication that courts are becoming sympathetic to future, unrealized harms from data breaches. Conferring standing for such future harms may significantly spur more class actions for data breaches. Companies should take this opportunity to ensure they have appropriate mechanisms in place to prevent the unauthorized and inadvertent disclosure of personal data, an incident response plan in the event of a breach, and ongoing training on security and privacy practices.