Second Circuit opinion may have a sizeable impact on the US legal landscape, writes David Oberly

US court opinion may impact data breach landscape

ANALYSIS In McMorris v. Carlos Lopez & Associates, LLC, the US Second Circuit Court of Appeals weighed in on one of the most impactful issues in data breach class action litigation – the threshold for establishing ‘Article III standing’ in the context of allegations of an increased risk of future harm.

In doing so, the federal appellate court articulated a non-exhaustive set of factors for determining whether standing exists for data breach plaintiffs where no actual harm or injury is alleged. These factors may have significant implications for the ability of consumers to establish standing in future data breach lawsuits.

Overview of Article III standing

As previously reported, ‘standing’ refers to the right to bring a lawsuit in a US federal court.

To establish standing under Article III of the US Constitution, a plaintiff must demonstrate: (1) an injury-in-fact; (2) causation; and (3) a likelihood that the injury will be redressed by a favorable decision.

Most data breach standing disputes center on the first element, which requires a showing that the injury-in-fact is “concrete, particularized, and actual or imminent.”

Where a plaintiff alleges only an increased risk of future harm, standing will exist only if the threatened injury is certainly impending or there is a substantial risk that the harm will occur.

McMorris v. Carlos Lopez & Assocs., LLC

The McMorris case (WL 1603808; 2d Circuit, Apr. 26, 2021) arose out of an errant email sent by an employee of Carlos Lopez & Associates, LLC (CLA) to all company personnel containing the sensitive personal information of then-current and former CLA employees.

Following the inadvertent email, three individuals filed suit in connection with the data disclosure event.

The plaintiffs did not assert that they had been the victims of fraud or identity theft as a result of the errant email. Rather, they claimed that – because their personal information had been disclosed – they were at imminent risk of suffering identity theft and becoming the victims of impending crimes.

They also claimed they were required to spend time (among other things) cancelling credit cards and purchasing credit monitoring services.

The Second Circuit’s opinion

On appeal, the Second Circuit held that plaintiffs may establish standing based on an increased risk of identity theft or fraud following the unauthorized disclosure of their data.

With that said, the Second Circuit further noted that the fact that plaintiffs may establish standing based on an “increased risk” theory does not mean that they automatically do so in all instances.

Rather, an increased risk of identity theft or fraud could be sufficient to establish standing depending on the individual circumstances of the case.

In addition, the court rejected the commonly-held belief that a circuit split exists on this issue, finding instead that “no court of appeals has explicitly foreclosed plaintiffs from establishing standing based on a risk of future identity theft – even those courts that have declined to find standing on the facts of a particular case”.

Rather, the Second Circuit continued, the courts that have confronted standing in this context have considered certain factors that weigh in favor of finding an injury-in-fact, all of which bear on whether the risk of identity theft or fraud is “concrete, particularized, and… imminent”.

Factors of three

The court then proceeded to articulate – based on an analysis of decisions issued by its sister courts on the issue – a non-exhaustive set of three factors that should be considered in determining whether plaintiffs have adequately alleged an Article III injury-in-fact based on allegations of an increased risk of identity theft or fraud:

  • Whether the plaintiffs’ data has been exposed as the result of a targeted attempt to obtain that data;
  • Whether any portion of the dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and
  • Whether the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud.

While highlighting the fact that these factors are not the only ones relevant to the standing analysis, the Second Circuit noted that they “provide helpful guidance in assessing whether plaintiffs have adequately alleged an injury in fact”.

The Second Circuit also addressed whether plaintiffs can establish standing through allegations regarding the cost of measures taken to protect themselves following an unauthorized data disclosure.

The court answered this question in the negative, holding that where plaintiffs have not alleged a substantial risk of future identity theft or fraud, the time they spend protecting themselves against this speculative threat cannot create an injury.

Falling short

With these principles in mind, the court held that the plaintiffs’ claims presented a “relatively straightforward situation” where the allegations at issue fell short of establishing a substantial risk of future identity theft or fraud sufficient to confer standing.

With respect to the first two factors of the Second Circuit test, the court noted the absence of any allegations that the data at issue was intentionally targeted or obtained by a third party, as well as the lack of any allegations that the plaintiffs’ data was misused as a result of the data disclosure event.

Finally, with respect to the third factor, while the plaintiffs set forth allegations that the personal information disclosed was the type of data that could put the plaintiffs at a substantial risk of identity theft or fraud, without any other facts suggesting that the data was intentionally taken by an unauthorized third party or otherwise misused, these allegations alone were not enough to satisfy the threshold showing needed to establish an injury-in-fact.

Taken together, because the plaintiffs did not allege that their data was subject to a targeted data breach or that the data was misused, the Second Circuit held that the plaintiffs failed to establish an Article III injury-in-fact.

Implications for data breach class action litigation

The McMorris opinion possesses the potential to have a sizeable impact on the legal landscape of data breach class action litigation.

In particular, the articulation of a concrete set of factors for analyzing the issue of standing in the context of “increased risk” injuries may influence how other federal courts analyze the issue of Article III standing in future data breach disputes.

Importantly, the three-factor test offers data breach defendants a blueprint for structuring dispositive motions to maximize the likelihood of successfully defeating this ever-increasing type of class action litigation.

Conversely, the opinion gives consumers significant ammunition to argue that the increased risk of future identity theft and fraud can be sufficient, by itself, to establish standing – and that there is no circuit split on this issue.
