2nd Cir. Sets Art. III Standards for Data Breach Cases

In Bohnak v. Marsh & McLennan Companies, Inc., No. 22-319, 2023 WL 5437558, at *1 (2d Cir. Aug. 24, 2023), the Court of Appeals for the Second Circuit addressed Article III standing requirements and a framework in data breach cases where an individual whose personally identifying information (“PII”) is exposed to unauthorized actors, but has not (yet) been used for injurious purposes such as identity theft.  The Court of Appeals found Art. III was satisfied.

We conclude that TransUnion is the touchstone for determining whether Bohnak has alleged a concrete injury, and that under TransUnion, Bohnak’s alleged injuries arising from the risk of future harm are concrete. We further conclude that McMorris is the touchstone for determining whether Bohnak has alleged an “actual or imminent” injury, and that under McMorris, Bohnak’s alleged injuries are “actual or imminent.” McMorris, 995 F.3d at 300. Given these conclusions, and because the other elements of Article III standing are undisputedly met, we conclude that Bohnak has Article III standing, and we have jurisdiction to review this appeal. . . Bohnak’s allegations establish a concrete injury for purposes of her damages claim for a separate reason: she has suffered “separate concrete harm[s]” as a result of the risk of future harm occasioned by the exposure of her PII. Id. at 2211 (emphasis omitted). In particular, she has alleged among other things that she incurred “out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft” and “lost time” and other “opportunity costs” associated with attempting to mitigate the consequences of the data breach. App’x 11, ¶ 15. These separate and concrete harms foreseeably arising from the exposure of Bohnak’s PII to a malign outside actor, giving rise to a material risk of future harm, independently support standing.  Our conclusion on this point is consistent with our analysis in McMorris, in which we explained with reference to the injury-in-fact question more broadly that “where plaintiffs have shown a substantial risk of future identity theft or fraud, any expenses they have reasonably incurred to mitigate that risk likewise qualify as injury in fact.” 995 F.3d at 303 (internal quotation marks omitted). . . .In McMorris, the plaintiffs brought a putative class action against their employer asserting claims for negligence and violations of consumer protection laws resulting from inadvertent dissemination of a company-wide email containing their sensitive PII. 995 F.3d at 298. The plaintiffs alleged that because their PII had been disclosed to all of the defendant’s then current employees, plaintiffs were “at imminent risk of suffering identity theft and becoming the victims of unknown but certainly impending future crimes.” Id. (internal quotation marks omitted). As in this case, the issue in McMorris was whether the plaintiffs had suffered an injury in fact. 995 F.3d at 300. But, in McMorris we considered the question holistically, without breaking the injury-in-fact analysis into its components. See id. (“This case concerns … the first element of Article III standing: the existence of an injury in fact.”). Because many of our insights in McMorris relate most closely to the issue of whether the future harm is sufficiently “actual or imminent,” TransUnion, which did not purport to address matters beyond “concreteness,” does not fully supplant our analysis in McMorris. In McMorris, we explained that “a future injury constitutes an Article III injury in fact only ‘if the threatened injury is certainly impending, or there is a substantial risk that the harm will occur.’ ” 995 F.3d at 300 (quoting Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158, 134 S.Ct. 2334, 189 L.Ed.2d 246 (2014)). We then identified and endorsed three non-exhaustive factors that courts have considered in determining whether plaintiffs whose PII has been compromised but not yet misused face a substantial risk of harm. First, we said that the most important factor in determining whether a plaintiff whose PII has been exposed has alleged an injury in fact is whether the data was compromised as the result of a targeted attack intended to get PII. McMorris, 995 F.3d at 301. Where a malicious third party has intentionally targeted a defendant’s system and has stolen a plaintiff’s data stored on that system, courts are more willing to find a likelihood of future identity theft or fraud sufficient to confer standing. Id. We embraced the Seventh Circuit’s reasoning in one such case: “Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.” Id. (quoting Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 693 (7th Cir. 2015)). Second, we observed that, “while not a necessary component of establishing standing,” courts have been more likely to conclude that a plaintiff has established a “substantial risk of future injury” where some part of the compromised dataset has been misused—even if a plaintiff’s own data has not. Id. at 301. For example, fraudulent charges to the credit cards of other customers impacted by the same data breach, or evidence that a plaintiff’s PII is available for sale on the Dark Web, can support a finding that a plaintiff is at a substantial risk of identity theft or fraud. Id. at 301–02. Third, we explained that courts may consider whether the exposed PII is of the type “more or less likely to subject plaintiffs to a perpetual risk of identity theft or fraud once it has been exposed.” Id. at 302. On one hand, we noted that “the dissemination of high-risk information such as [SSNs] … especially when accompanied by victims’ names—makes it more likely that those victims will be subject to future identity theft or fraud.” Id. On the other hand, we reasoned that the exposure of data that is publicly available, or that can be rendered useless (like a credit card number unaccompanied by other PII), is less likely to subject plaintiffs to a perpetual risk of identity theft. Id. Insofar as these factors shed light on whether the future harm of identity theft or fraud resulting from a data breach is sufficiently actual and imminent (as opposed to concrete), we see nothing in TransUnion that overrides our analysis, and McMorris remains a touchstone.

In applying the standards to the Appellant’s claims, the Court of Appeals held:

Considering these three factors, we conclude that Bohnak has sufficiently alleged that she faces an imminent risk of injury—that is, a “substantial risk that the harm will occur.” Id. at 300 (internal quotation marks omitted). First and foremost, Bohnak has alleged that her PII was exposed as a result of a targeted attempt by a third party to access the data set. App’x 14, ¶ 30; see McMorris, 995 F.3d at 301 (considering “whether the data at issue has been compromised as the result of a targeted attack intended to obtain the plaintiffs’ data.”). In particular, she alleges, based on Defendants’ own report to her, that an “unauthorized actor [i.e., a hacker] … leveraged a vulnerability in a third party’s software” and gained access to her PII. App’x 14, ¶ 30. This was not an inadvertent, intra-company disclosure; it was a targeted hack. *10 Second, Bohnak alleges that the PII taken by the hackers includes her name and SSN. Id. This is exactly the kind of information that gives rise to a high risk of identity theft. McMorris, 995 F.3d at 302. As Bohnak has alleged, SSNs “are among the worst kind of personal information to have stolen because they may be put to a variety of fraudulent uses and are difficult for an individual to change.” App’x 18, ¶ 45. And one cannot get a new SSN without “evidence of actual misuse,” making it difficult to take preventive action to guard against the misuse of the compromised number. Id. ¶ 46. We recognize that Bohnak has not pulled off a hat trick with respect to the factors identified in McMorris; she has not alleged any known misuse of information in the dataset accessed in the hack. But we emphasized in McMorris that such an allegation is not necessary to establish that an injury is sufficiently imminent to constitute an injury in fact. 995 F.3d at 301. We conclude that the allegations of a targeted hack that exposed Bohnak’s name and SSN to an unauthorized actor are sufficient to suggest a substantial likelihood of future harm, satisfying the “actual or imminent harm” component of an injury in fact. Because Bohnak has alleged a concrete and imminent injury, and because her injury is undisputedly particular, she has pled an injury in fact.7 And because Bohnak has pled that Defendants caused her injury, and her injuries would be redressed through money damages, we conclude that Bohnak has Article III standing to pursue her damages claim.