In McMorris v. Carlos Lopez & Assocs., LLC, No. 19-4310, 2021 U.S. App. LEXIS 12328, at *2-7 (2d Cir. Apr. 26, 2021), the Court of Appeals for the Second Circuit affirmed the District Court’s dismissal, on Article III standing grounds, of an identity-theft class action that the parties had already settled and had asked the court to approve. The underlying proceedings were as follows:
This case involves the intersection of two phenomena that have become increasingly common in our digitized world: data breaches and inadvertent mass emails. Carlos Lopez & Associates, LLP (“CLA”) provides mental and behavioral health services to veterans, service members, and their families and communities. In June 2018, a CLA employee accidentally sent an email to all of the approximately 65 employees at the company. Attached to the email was a spreadsheet containing sensitive personally identifiable information (“PII”) – including Social Security numbers, home addresses, dates of birth, telephone numbers, educational degrees, and dates of hire — of approximately 130 then-current and former CLA employees. Two weeks later, CLA emailed its then-current employees to address the accidental email, but it did not contact any former employees regarding the disclosure or take any other corrective action. After the PII spreadsheet was circulated, three individuals whose information had been shared — Robin Steven, Sean Mungin, and Devonne McMorris (“Plaintiffs”) – filed a class-action complaint against CLA and its principal, Carlos Lopez. In their operative complaint, Plaintiffs asserted state-law claims for negligence, negligence per se, and statutory consumer protection violations on behalf of classes in California, Florida, Texas, Maine, New Jersey, and New York. They alleged that CLA “breached its duty to protect and safeguard [their] personal information and to take reasonable steps to contain the damage caused where such information was compromised.” App’x 2. Although Plaintiffs did not allege that they had been the victims of fraud or identity theft as a result of the errant email, they claimed that, because their PII had been disclosed to all of CLA’s then-current employees, they were “at imminent risk of suffering identity theft” and becoming the victims of “unknown but certainly impending future crimes.” Id. at 6, 9. 
Moreover, while they did not allege that the PII in the spreadsheet was ever shared with anyone outside of CLA or taken or misused by any third parties, Plaintiffs claimed that they cancelled credit cards, purchased credit monitoring and identity theft protection services, and spent time assessing whether they should apply for new Social Security numbers after the email incident. CLA moved to dismiss Plaintiffs’ claims for, among other things, lack of Article III standing. But before the deadline for Plaintiffs’ response to the motion to dismiss, the parties reached a class settlement, which they asked the district court to approve. In advance of the scheduled class settlement fairness hearing, the district court sua sponte ordered further briefing on whether Plaintiffs possessed Article III standing. At the fairness hearing held on November 14, 2019, the court informed the parties of its preliminary conclusion that Plaintiffs lacked Article III standing because they failed to allege “an injury that is concrete and particularized and certainly impending.” App’x 67. The district court emphasized that “the parties concede that there is no evidence that any class members’ identity was actually stolen . . . , let alone misused,” and that the sharing of Plaintiffs’ PII “was not the result of any intentional act by third parties,” such as “hacking or some sort of criminal conduct from which it could be inferred that those [who] retained data intended to and were likely to misuse it.” Id. at 69. Rather, “the gravamen of the claim in this case is that defendants essentially acted with insufficient care by sharing [PII] of class members with employees within the company.” Id. On November 22, 2019, the district court issued a written opinion formally denying the outstanding motion for approval of the class settlement and dismissing the case for lack of subject-matter jurisdiction. See Steven v. Carlos Lopez & Assocs., LLC, 422 F. Supp. 3d 801, 807 (S.D.N.Y. 2019). 
In that opinion, the district court noted that, unlike several other circuits, the Second Circuit has not yet addressed whether plaintiffs alleging the theft or inadvertent disclosure of their data may establish standing to bring claims against the entity that held their data based on an increased risk of future identity theft or fraud. See id. at 804. The district court explained, however, that even if the Second Circuit were to recognize such a theory, “it would be of no help to Plaintiffs in this case” because they failed to allege facts indicating that they faced “certainly impending” identity theft or fraud, or even a “substantial risk” of such harm. Id. (internal quotation marks omitted). The district court recognized that, unlike the cases in which other circuits have held that data breach victims have established standing based on a risk of future identity theft, Plaintiffs here did not allege that their data had been misused in any way or compromised as the result of an intentionally targeted data theft. See id. at 804-05. Indeed, the district court observed that “it is arguably a misnomer to even call this case a ‘data breach’ case,” since, “[a]t best, the data was ‘misplaced’” by an internal CLA employee rather than taken by a third party. Id. at 806 n.3 (internal citations omitted). The district court also held that Plaintiffs could not establish an Article III injury in fact based on “the time and money spent monitoring or changing their financial information and accounts.” Id. at 807. The court explained that, since Plaintiffs failed to allege a substantial risk of identity theft or that such harm was certainly impending, they could not establish standing by, in essence, inflicting harm on themselves based on a speculative fear of future identity theft. See id.
After concluding that Plaintiffs lacked Article III standing, the district court held that it was “powerless to approve the parties’ proposed class settlement” and dismissed the case for lack of subject-matter jurisdiction. Id. (internal quotation marks omitted). Following the district court’s decision, McMorris (without the other named Plaintiffs) appealed.
The Court of Appeals affirmed the dismissal.
First, and most importantly, our sister circuits have consistently considered whether the data at issue has been compromised as the result of a targeted attack intended to obtain the plaintiffs’ data. See, e.g., In re United States OPM Data Sec. Breach Litig., 928 F.3d 42, 57-58, 442 U.S. App. D.C. 42 (D.C. Cir. 2019) (“OPM”); In re Zappos.com, Inc., 888 F.3d 1020, 1029 n.13 (9th Cir. 2018) (“Zappos”); Galaria v. Nationwide Mut. Ins. Co., 663 F. App’x 384, 388-90 (6th Cir. 2016). Where plaintiffs fail to present evidence or make any allegations that an unauthorized third party purposefully obtained the plaintiffs’ data, courts have regularly held that the risk of future identity theft is too speculative to support Article III standing. See, e.g., Beck, 848 F.3d at 274-75; Katz, 672 F.3d at 80; Reilly v. Ceridian Corp., 664 F.3d 38, 44 (3d Cir. 2011). By contrast, where plaintiffs demonstrate that a malicious third party intentionally targeted a defendant’s system and stole plaintiffs’ data stored on that system, courts have been more willing to find that those plaintiffs have established a likelihood of future identity theft or fraud sufficient to confer standing. As the Seventh Circuit explained in the context of a targeted cyberattack of a department store’s customer database: “Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.” Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 693 (7th Cir. 2015). Second, while not a necessary component of establishing standing, courts have been more likely to conclude that plaintiffs have established a substantial risk of future injury where they can show that at least some part of the compromised dataset has been misused — even if plaintiffs’ particular data subject to the same disclosure incident has not yet been affected. 
For example, in the context of a data breach into an online retailer’s customer database, the Ninth Circuit explained that although the specific plaintiffs in that case had not experienced any fraudulent activity, allegations that other customers whose data was compromised in the same data breach had reported fraudulent charges on their credit cards helped establish that the plaintiffs were at a substantial risk of future fraud. See Zappos, 888 F.3d at 1027, 1027 n.7; see also OPM, 928 F.3d at 58 (“[A] hacker’s ‘intent’ to use breach victims’ personal data for identity theft becomes markedly less important where, as here, several victims allege that they have already suffered identity theft and fraud as a result of the breaches.”). Similarly, evidence that plaintiffs’ data is already being misused, even if that misuse has not yet resulted in an actual or attempted identity theft, can also support a finding that those plaintiffs are at a substantial risk of identity theft or fraud. As one court in this Circuit recently recognized, allegations that the plaintiffs’ PII was available for sale on the Dark Web following a data breach — and could therefore be purchased by cybercriminals at any moment to commit identity theft or fraud — provided strong support for the conclusion that those plaintiffs had established an Article III injury in fact. See Fero v. Excellus Health Plan, Inc., 304 F. Supp. 3d 333, 341, 344-45 (W.D.N.Y. 2018). Finally, courts have looked to the type of data at issue, and whether that type of data is more or less likely to subject plaintiffs to a perpetual risk of identity theft or fraud once it has been exposed. Naturally, the dissemination of high-risk information such as Social Security numbers and dates of birth — especially when accompanied by victims’ names — makes it more likely that those victims will be subject to future identity theft or fraud. See, e.g., Attias v. CareFirst, Inc., 865 F.3d 620, 628, 431 U.S. App. D.C. 273 (D.C. Cir. 2017). By contrast, less sensitive data, such as basic publicly available information, or data that can be rendered useless to cybercriminals does not pose the same risk of future identity theft or fraud to plaintiffs if exposed. So, for example, where a plaintiff’s credit card number was stolen as part of a data breach, but she promptly cancelled her credit card “and no other [PII] – such as her birth date or Social Security number – [was] alleged to have been stolen,” we have found that the plaintiff failed to allege “how she [could] plausibly face a threat of future fraud.” Whalen v. Michaels Stores, Inc., 689 F. App’x 89, 90 (2d Cir. 2017) (summary order); see also Tsao, 986 F.3d at 1344 (explaining that the plaintiff had “immediately cancelled his credit cards following disclosure of the [data] breach, effectively eliminating the risk of credit card fraud in the future”).
The Court of Appeals held:
We therefore hold that courts confronted with allegations that plaintiffs are at an increased risk of identity theft or fraud based on an unauthorized data disclosure should consider the following non-exhaustive factors in determining whether those plaintiffs have adequately alleged an Article III injury in fact: (1) whether the plaintiffs’ data has been exposed as the result of a targeted attempt to obtain that data; (2) whether any portion of the dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and (3) whether the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud. . . . With these principles in mind, this case presents a relatively straightforward situation in which Plaintiffs have failed to show that they are at a substantial risk of future identity theft or fraud sufficient to establish Article III standing. First, Plaintiffs never alleged that their data was intentionally targeted or obtained by a third party outside of CLA. While it is true that McMorris and the other Plaintiffs claimed that their PII was disclosed in an unauthorized manner to then-current CLA employees, they did not allege that anyone outside of CLA ever obtained their PII. Far from being a “sophisticated” or “malicious” cyberattack “carried out to obtain sensitive information for improper use,” OPM, 928 F.3d at 52 (internal quotation marks omitted), this case merely involves the inadvertent disclosure of PII due to an errant email sent to approximately 65 employees.