2nd Circuit Clarifies Article III Standing Based on “Increased Risk” of Identity Theft (NY)
Earlier this week, the Second Circuit issued a significant ruling with respect to the unauthorized disclosure of sensitive personally identifiable information (“PII”). Federal circuits have been split with respect to whether an increased risk of identity theft following a data breach, without proof of actual harm, is sufficient to confer Article III standing. The decision in McMorris v. Lopez & Assoc. officially clarifies the issue for the Second Circuit.
Plaintiff-appellant Devonne McMorris commenced a class action lawsuit against defendant-appellees Carlos Lopez & Associates, LLC (“CLA”) in response to an email that a CLA employee inadvertently sent to all of CLA’s employees. This email contained the sensitive PII – i.e., Social Security numbers, home addresses, dates of birth, phone numbers, dates of hire and educational degrees – of about 130 former and current CLA workers, including McMorris. After discovering the breach, CLA emailed its current employees, but did not contact any former employees regarding the inadvertent disclosure or take any other corrective action.
Plaintiffs asserted state law claims of negligence, negligence per se, as well as statutory consumer protection violations on behalf of classes in California, Florida, Texas, Maine, New Jersey and New York. The plaintiffs also claimed CLA “breached its duty to protect and safeguard [their] personal information and to take reasonable steps to contain the damage caused where such information was compromised.” Due to the PII disclosure, plaintiffs asserted they faced an imminent risk of identity theft and becoming victims of “unknown but certainly impending future crimes.” In response to the complaint, CLA moved to dismiss for, inter alia, lack of Article III standing. The United States District Court for the Southern District of New York agreed with CLA and dismissed McMorris’ claims for lack of subject-matter jurisdiction as McMorris failed to allege an injury-in-fact sufficient to confer Article III standing.
McMorris appealed to the 2nd Circuit, asserting that the increased risk of identity theft confers Article III standing. The Second Circuit focused on whether the plaintiffs sufficiently alleged concrete, particularized, and actual or imminent injury. The Court considered three non-exhaustive factors: (1) whether the data at issue was compromised as a result of a targeted attack intended to obtain the plaintiffs’ data; (2) whether the plaintiffs could show some misuse of their compromised data, even if the plaintiffs have not yet experienced theft or fraud; and (3) whether the type of disclosed data subjects plaintiffs to a perpetual risk of identity theft or fraud.
While the Second Circuit recognized the information CLA divulged renders plaintiffs more exposed to future identity theft or fraud, plaintiffs failed to establish “imminent injury.” In addition, the Second Circuit determined the plaintiffs had no standing because they failed to show their PII was subject to a targeted data breach, or that any entity misused their PII.
This decision is significant. Although the Court agreed with the district court’s holding that McMorris failed to establish an injury in fact, the Court held that Article III injury in fact standing only requires proof of a substantial risk of future identity theft or fraud. A substantial risk may be sufficient to establish Article III standing, even if the plaintiff has not been a victim of identity theft or fraud. The 2nd Circuit’s thorough decision gives insight to future litigants regarding the required legal standard in this jurisdiction.
Thanks to Lauren Berenbaum for her contribution to this post. Please email Brian Gibbons with any questions about the ruling, or WCM’s data privacy and cyber-liability practice.