The Second Circuit attempted to create a standard that unified the diverse holdings of the federal courts in McMorris v Carlos Lopez & Associates, LLC, 995 F.3d 295 (2d Cir. 2021). The McMorris court created a three-factor test for analyzing whether an alleged risk of identity theft or fraud is sufficiently concrete, particularized, and imminent for standing purposes: (1) whether the data at issue has been compromised as the result of a targeted attack intended to obtain the plaintiff’s data; (2) whether the plaintiff can show that at least some part of the compromised dataset has been misused, even if the plaintiff’s particular data has not yet been affected; and (3) whether the type of data is more or less likely to subject the plaintiff to a perpetual risk of identity theft or fraud, such as social security numbers and dates of birth, particularly when accompanied by individuals’ names. McMorris also ruled that expenses reasonably incurred by a plaintiff to mitigate a risk of future identity theft or fraud may also qualify as injury-in-fact but only where a substantial risk exists in the first instance, not when a plaintiff incurs expenses protecting himself or herself against a “speculative threat.”
TransUnion Supersedes McMorris Test
TransUnion appears to supersede the Second Circuit’s McMorris test and narrows the scope of future injuries that are sufficient to establish standing. The Supreme Court explained “that in a suit for damages [as opposed to injunctive relief], the mere risk of future harm, standing alone, cannot qualify as a concrete harm.” The case involved a group of individuals who had been erroneously listed on the U.S. Treasury Department’s Office of Foreign Assets Control’s list of terrorists, drug traffickers and other serious criminals by a credit reporting agency. At trial, the jury found that the plaintiffs had established a violation of the Fair Credit Reporting Act (FCRA) for all members of the class. The FCRA violation for the majority of the class was labeled by the Court to be a mere “procedural” violation—they had been misidentified in TransUnion’s internal system as “potential terrorists” but that information had not been disclosed to any third party. On appeal, the Supreme Court stated the most obvious harms that readily qualify as concrete injuries under Article III are traditional tangible harms such as physical or monetary harms, but the court also stated that certain intangible harms are sufficiently concrete. The Court concluded that the risk of future harm for the group of plaintiffs who had been impacted by the “procedural” violation did not amount to a concrete injury that gave them standing. By contrast, the Court held that a smaller subgroup of plaintiffs had suffered concrete injuries because their erroneous terrorist status was released to third parties.
Although TransUnion did not involve a data breach lawsuit, the decision appears to answer the question whether plaintiffs may allege present injury-in-fact stemming from a violation of a statute protecting individuals’ privacy and thus have standing. Specifically, because the Court concluded that a bare procedural violation is not enough to establish Article III standing, it is likely that plaintiffs in a data breach suit for damages will not establish Article III standing simply by alleging a mere procedural violation of a privacy law, even if that violation has exposed the plaintiffs to a risk of future harm.
Although TransUnion was decided less than a year ago, lower courts have begun to interpret and apply its holding in data breach lawsuits. In a recent decision in a data breach lawsuit, for instance, the United States District for the Southern District of New York held that “under the Supreme Court’s latest pronouncement in TransUnion, Plaintiffs cannot allege a concrete injury relying solely upon a future risk of harm; however, Plaintiffs may, and do plausibly allege that exposure to the risk of identity theft causes concrete injury, and thus have Article III standing.” Bohnak v. Marsh & McLennan Cos., 21 Civ. 6096 (AKH) (S.D.N.Y. Jan. 17, 2022). In Bohnak, the plaintiffs asserted a theory of standing based on allegations of potential future harm in which their data is misused but did not allege any actual misuse of their data. This theory, according to the court, asserted a hypothetical risk of future harm that was too speculative to support Article III standing. The court relied on TransUnion, noting that it called into question the continuing validity of the Second Circuit’s McMorris test. But the plaintiffs also asserted a second theory of standing: that the exposure to identity theft itself caused a concrete harm. The court found that this second theory of standing was sufficient, holding that the exposure of plaintiffs’ personal information was analogous to the reputational harm and privacy-related harms that form the basis for the common-law tort of public disclosure of private information (PDPF). The Bohnak court cited TransUnion’s explicit reference to PDPF as an example of a traditionally judicially cognizable intangible harm: “[v]arious intangible harms can also be concrete . . . . Those include, for example . . . disclosure of private information.” Even though the court held that the plaintiffs had alleged a concrete injury sufficient to give them standing, however, the court went on to dismiss the lawsuit for failure to state a claim because the plaintiffs had failed to adequately allege that they suffered a legally cognizable injury. Specifically, the court stated plaintiffs could only speculate as to whether they will suffer harm at some unknown future date. Thus, an alleged increased risk of identity theft might be enough to meet the requirement that a plaintiff allege an injury-in-fact, but not enough to meet the requirement that a plaintiff plausibly allege that the defendant’s conduct caused them harm.
Two days after the Southern District’s decision in Bohnak, another judge on the same court took a different path when deciding whether data breach victims had standing to bring their claims. Bradley Cooper v. Bonobos, Inc., 21 CIVIL 854 (JMF) (S.D.N.Y. Jan. 19, 2022) involved a data leak exposing partial credit card numbers, encrypted passwords, names, telephone numbers, and email addresses of customers. Unlike the court in Bohnak, the court here applied the McMorris test and found the plaintiffs failed to meet the third prong (increased risk) because the type of data that was exposed is not susceptible to misuse and is not “sensitive.” In a footnote, the court recognized that TransUnion called McMorris into question but stated that it is the task of the Second Circuit, not the SDNY, to determine if McMorris has been overturned.
Although the Supreme Court has provided some answers, the current legal landscape for data breach litigation is still unsettled. TransUnion clarified that a bare procedural violation alone is insufficient for Article III standing; instead, a plaintiff must allege a concrete harm that is analogous to a harm traditionally recognized by the courts. Since TransUnion, some lower courts are continuing to apply a test based on the type of personal identifying information and the harm incurred. Other courts have found alleged increased risk of identity theft involving highly valuable personal information is sufficient to meet Article III’s requirements for injury-in-fact but is not enough to meet the requirement that a plaintiff allege that defendant’s conduct caused them damages. Until the Supreme Court directly addresses this issue specifically in the data breach context, the lower courts may continue to use differing analyses to determine when a plaintiff has standing in data breach litigation.