“Standing” is a legal requirement that refers to a plaintiff’s ability to bring a particular claim for relief in court. It is a threshold requirement to establish jurisdiction or the court’s ability to hear a case. In federal court, standing is governed by Article III of the Constitution and requires, generally, that a plaintiff demonstrate that he or she suffered a concrete injury in fact that is actual or imminent to the plaintiff. For some time Federal Courts have struggled with the concept of “injury in fact” when it comes to a data breach that compromises or exposes personal or confidential information of large numbers of individuals. The immediate harm from a data breach may be unknown or may take years to come to light. At what point is an individual harmed by a data breach compromising his or her personal data? What is the harm? And when is such harm cognizable as an “injury in fact” that may be redressed in Federal Court?
In McMorris v. Carlos Lopez & Associates, LLC, 2021 WL 1603808 (2d Cir. Apr. 26, 2021), the Second Circuit Court of Appeals tackled the standing question and provided some measure of clarity and consistency for the federal courts across circuits. McMorris involved the intersection of two phenomena that have become increasingly common in our digitized world: data breaches and inadvertent mass emails. Employees brought a putative class action against their employer asserting claims for negligence and violations of consumer protection laws arising from an email another employee had accidentally sent to all employees of the company containing sensitive personally identifiable information of then-current and former employees. After the employer filed a motion to dismiss, the parties reached a settlement, but the United States District Court for the Southern District of New York denied the plaintiffs’ motion to approve the settlement, and instead dismissed the case for lack of subject-matter jurisdiction. The legal question turned on whether the plaintiff-employees suffered a concrete “injury in fact” from the inadvertent disclosure of confidential information sufficient to establish Article III standing.
The information disclosed in the inadvertent mass email included social security numbers, home addresses, dates of birth, telephone numbers, educational degrees, and dates of hire. Plaintiffs alleged that while none of them suffered from identity theft due to the data breach, they were “at imminent risk of suffering identity theft” and becoming the victims of “unknown but certainly impending future crimes.”
The United States Supreme Court previously made clear that “allegations of possible future injury” or even an “objectively reasonable likelihood” of future injury are insufficient to confer standing. Clapper v. Amnesty Int'l USA, 568 U.S. 398 (2013). Rather, a future injury constitutes an Article III injury in fact only if the threatened injury is certainly impending, or there is a substantial risk that the harm will occur. The Second Circuit recognized a perceived split between Federal Circuits regarding whether standing based on a risk of future identity theft or fraud stemming from unauthorized disclosure of a plaintiff’s data meets this standard. The McMorris Court recognized, however, that “in actuality, no court of appeals has explicitly foreclosed plaintiffs from establishing standing based on a risk of future identity theft – even those courts that have declined to find standing on the facts of a particular case.” McMorris, 2021 WL 1603808 at *3. Accordingly, the Second Circuit “join[ed] all of our sister circuits” in holding that plaintiffs may establish standing based on an increased risk of identity theft or fraud following the unauthorized disclosure of their data. Id. (emphasis mine). Indeed, the Second Circuit reasoned that requiring a plaintiff to allege that they have already suffered identity theft or fraud due to a data breach would conflict with the Supreme Court’s recognition that “[a]n allegation of future injury may suffice” to establish Article III standing “if the threatened injury is certainly impending, or there is a substantial risk that the harm will occur.” Id.
Of course, the fact that plaintiffs may establish standing based on an “increased-risk” theory did not necessarily mean that the Plaintiffs met that standard automatically. Courts that have confronted standing in the context of the unauthorized disclosure of data have considered certain factors that weigh in favor of finding an Article III injury in fact. In McMorris, the Second Circuit ultimately found that Plaintiffs did not establish standing based on an increased risk of identity theft or fraud. The Court reasoned that the identity breach was an internal error and not a targeted attack by a third party, which tended to show that the risk of identity fraud was merely speculative. Additionally, Plaintiffs could not show that any of the compromised personal information had already been misused. Finally, the Court considered the type of compromised data at issue. While the Court acknowledged that the personal information in question constituted sensitive, non-public information such as social security numbers and home addresses, this factor alone was not enough to establish injury in fact. Taking all factors together, the Court found that the potential for injury was not concrete and particularized enough to establish Article III standing.
McMorris is important in its purported “clarification” of the perceived split between the federal circuits on Article III standing after a data breach or disclosure of protected information. According to McMorris, there is no split. Plaintiffs may establish standing based on an increased risk of identity theft or fraud following the unauthorized disclosure of their data, so long as the harm is imminent or substantially likely. These determinations will still be subject to a case-by-case analysis, but McMorris does offer a bit of clarity on the applicable standards and factors that Federal Courts across jurisdictions should consider.