In McMorris v. Carlos Lopez & Associates, the U.S. Court of Appeals for the Second Circuit became the latest to weigh in on whether the increased risk of identity theft resulting from a data breach can support Article III standing.
Nine federal appellate courts have addressed the issue so far, with varying results, leading some, including Judge Adalberto Jordan of the Eleventh Circuit, to suggest that the U.S. Supreme Court should take a data breach case to clarify the application of standing analysis in cases involving a heightened risk of identity theft. (See Tsao v. Captiva MVP Rest. Partners LLC.)
Same Factors, Different Results
McMorris involved the alleged disclosure of sensitive personally identifiable information (PII) of the defendant’s current and former employees. The breach arose from an errant email containing a spreadsheet with PII sent by one of defendant’s employees to 65 individuals at the company. Plaintiffs filed suit shortly thereafter. Although none of the plaintiffs reported fraud or identity theft following the breach, they alleged that the sharing of their PII with defendant’s employees placed them at “imminent risk” of identity theft and other crimes.
Looking to decisions from other circuits, the McMorris court identified three common factors courts consider when evaluating Article III standing in data breach cases: (1) whether the data had been compromised as a result of a “targeted attack,” (2) whether “some part of the compromised data set had been misused,” and (3) the nature of the data at issue.
Applying these factors to the present case, the Second Circuit found that the plaintiffs lacked standing because there was no evidence of a “sophisticated” or “malicious attack” or that anyone outside defendant’s employees had seen the data, let alone misused it.
While the court acknowledged that the PII at issue could be used to commit identity theft or fraud, the court decided that this factor—by itself—did not demonstrate a substantial risk sufficient to confer Article III standing.
The Second Circuit’s consideration of these three factors brings it in line with most of the other circuits in terms of the general framework used to evaluate whether allegations that plaintiffs face a risk of future harm arising from a data breach are sufficient for standing at the pleading stage.
However, as the chart below shows, while most circuits agree on the three factors to consider, they differ considerably in their application. For example, while there appears to be agreement among the circuits that allegations regarding the misuse of stolen information can support Article III standing, there does not appear to be a consensus on whether such allegations are necessary (as in the Third and Fourth Circuits), rather than sufficient (as in most other jurisdictions).
Similarly, some circuits (like the Eighth and Eleventh) place more emphasis on the type of information stolen than others, requiring Social Security numbers or other data that can be used to open new accounts, while others (like the Seventh Circuit) have found the presence of payment card information sufficient.
Forum Matters in All But the Easiest Cases
The Second Circuit correctly pointed out that McMorris presented a “relatively straightforward” application of these principles, but most cases are a much closer call.
As it currently stands, the D.C. Circuit’s framework in Attias appears to be the most generous. While plaintiffs had alleged that Social Security numbers were compromised in the breach and that two of the plaintiffs were victims of identity theft, the court found it did not need to consider these allegations to find plaintiffs had Article III standing. Rather, it was enough—by itself—that hackers had unauthorized access to names, birth dates, email addresses, and subscriber identification numbers. Under Attias, the cases dismissed by the Third, Fourth, Eighth, and Eleventh Circuits would likely have gone forward.
Absent clarification on how exactly these factors should be applied, it remains possible—and indeed likely—that the forum will remain dispositive for many data breach claims, with similar cases reaching different outcomes on the issue of standing.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Christian Levis is a partner at Lowey Dannenberg P.C. in White Plains, N.Y., and head of the firm’s data breach and privacy practice group.
Amanda Fiorilla is an associate at Lowey Dannenberg who focuses primarily on litigating data breach and privacy cases.
Luke Goveas is an associate at Lowey Dannenberg.