Tuesday, April 27, 2021
Second Circuit Recognizes Standing for Increased Risk of Identity Theft for Unauthorized Data Disclosure
The Second Circuit recognized that plaintiffs in an unauthorized-disclosure-of-data case may have standing based on an increased risk of identity theft. In so ruling, the Second Circuit joins several other circuits in recognizing standing based on an imminent risk of identity theft in data breach cases. (At least three circuits have suggested that there's a split on the issue, but the Second Circuit denied that, saying that "in actuality, no court of appeals has explicitly foreclosed plaintiffs from establishing standing based on a risk of future identity theft--even those courts that have declined to find standing on the facts of particular cases.")
At the same time, the court held that the particular plaintiffs in the case failed sufficiently to establish such an injury.
The case, McMorris v. Carlos Lopez & Associates, LLC, arose when an employee at CLA accidentally sent out an e-mail to all employees that included Social Security Numbers, dates of birth, and other personal information of current and former employees. Three individuals filed a class-action against CLA. As the parties moved toward settlement, the district court ruled that the plaintiffs lacked standing.
The Second Circuit recognized that plaintiffs in a case like this could have standing. The court looked to three non-exhaustive factors in sorting this out: "(1) whether the plaintiffs' data has been exposed as the result of a targeted attempt to obtain that data; (2) whether any portion of the dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and (3) whether the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud."
The court ruled that the plaintiffs in this case, however, failed to establish imminent harm of identity theft.
The court also rejected the plaintiffs' theory that the data breach caused them to take action to protect themselves against identity theft. The court said that the plaintiffs had to allege a substantial risk of future identity theft in order to use their protective actions as a basis for standing. If it were otherwise, the court said, plaintiffs could harm themselves into standing based only on fears of hypothetical future injuries.