Firmer Footing for Data Breaches, Thanks to the Second Circuit | Locke Lord LLP


Instead of identifying traditionally ‘tangible’ injuries, data breach plaintiffs typically allege that they may become victims of identity theft at some point in the future. Before the end of April 2021, federal courts appeared to disagree on whether this mere risk of future harm after a data breach was sufficient to confer Article III standing. Some circuits (such as the Sixth, Seventh, Ninth, and District of Columbia Circuits) have found that such a risk can support standing.1 Meanwhile, other circuits (such as the Third, Fourth, and Eighth Circuits) came to a different conclusion. A recent Eleventh Circuit decision fell in the middle, adopting an “increased risk plus” analysis. But above all, the Second Circuit’s decision in McMorris v. Carlos Lopez & Associates, LLC2 may have resolved any real or perceived circuit split.

The main issue in McMorris was whether the plaintiffs had articulated an injury sufficient to establish standing when their Personally Identifiable Information (“PII”) (including Social Security numbers, home addresses and dates of birth) was inadvertently shared with other people in their workplace. Notably, the plaintiffs did not allege that they had actually been victims of fraud or identity theft. Instead, they claimed they were at “imminent risk” of becoming victims of identity theft or other unknown crimes as a result of the data breach.3

The Second Circuit ultimately agreed with the lower court that the mere release of personal information – without evidence or allegation that the personal information had been maliciously targeted or misused – was too speculative to constitute an injury in fact. But the Court formulated a valuable test that will likely help courts and litigants in the foreseeable future.4

The Second Circuit’s Analysis

To establish standing, a plaintiff must show that “he or she has suffered an injury in fact that is concrete, particularized, and actual or imminent.”5 The Second Circuit recognized the Supreme Court precedent that “allegations of possible future injury” or even an “objectively reasonable likelihood” of future injury6 are insufficient to meet the plaintiff’s burden.

The court also reinforced the position that “‘[a]n allegation of future injury may suffice’ . . . ‘if the threatened injury is certainly impending, or there is a substantial risk that the harm will occur.’”7 Although the court recognized that there is a perception of a circuit split regarding the risk of future identity theft or fraud resulting from a data breach, it noted that “no appellate court has explicitly prohibited plaintiffs from establishing standing on the basis of a risk of future identity theft – even courts that have declined to find standing on the facts of a particular case.”8 The Second Circuit then approved the factors that other courts took into account when they found that the plaintiff had established standing.

First, it is important to determine whether the third party intentionally obtained the plaintiffs’ data. Some circuit courts have found that, where a plaintiff fails to present evidence or allege that the unauthorized third party intentionally obtained the plaintiffs’ data, the risk of harm is too speculative to support standing under Article III.9 On the other hand, courts have found standing when the plaintiff has demonstrated that a malicious third party intended to steal data that included the plaintiff’s information as part of the data breach.10

Second, a court is more likely to find standing when it is shown that part of the compromised dataset has already been misused. This does not mean that the plaintiff must actually be the victim of fraudulent activity. Rather, allegations that the data of other customers compromised in the same data breach has been misused are sufficient to satisfy the plaintiff’s initial burden. In addition, allegations that the plaintiff’s own data has been misused may also support a substantial risk of harm sufficient to confer standing, even where the misuse has not yet resulted in actual or attempted identity theft.11

Third, courts analyze whether the data in question is of a type that could subject a plaintiff to a perpetual risk of identity theft or fraud after exposure. For example, particularly sensitive and high-risk forms of data, such as Social Security numbers and dates of birth, increase the likelihood that these victims will be the subject of future identity theft or fraud.12 Less sensitive data, such as publicly available information or data that can be rendered useless to cybercriminals, does not present the same risk of future harm and is insufficient to establish an Article III injury in fact.13

Although the Second Circuit approved these factors for determining whether a threat of injury was imminent, it also recognized that these factors are “by no means the only ones relevant in determining whether the plaintiffs have demonstrated injury in fact on the basis of” an “increased risk of future identity theft or fraud.”14

Applying these factors to the accidental disclosure of data at issue in McMorris, the Second Circuit agreed with the district court, finding that the plaintiffs had not alleged a significant risk of future identity theft or fraud sufficient to establish standing under Article III.15 First, the data breach in question was not part of a sophisticated or malicious cyber attack, and the complainants.17 Second, the plaintiffs never alleged that their data was misused as a result of the accidental email.18 Third, while the data at issue included high-risk information, such as Social Security numbers, that alone was insufficient to find an injury in fact, especially in the absence of any other factors.19

Conclusion: Use of the Test in Future Cases

It is now established in the Second Circuit that plaintiffs can establish an injury in fact under an increased-risk theory – provided that they can sufficiently allege facts that meet the three-factor test:

(1) whether the plaintiffs’ data was exposed as a result of a targeted attempt to obtain that data;
(2) whether any part of the [compromised] dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and
(3) whether the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud.

The effects of this decision will almost certainly extend well beyond the jurisdictional limits of the Second Circuit. Indeed, the Court of Appeals’ analysis is perhaps the most comprehensive overview to date of the question of standing when the plaintiff has alleged only the risk of future harm to establish an injury in fact. While it remains to be seen whether courts in other circuits will adopt this test, it can still provide valuable guidance as a framework for assessing the prospects of data breach claims.

1 See Standing on thin ice? New guidelines on standing for data breach claims (March 5, 2021).
2 McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d 295 (2d Cir. 2021).
3 Id.
4 See, e.g., Peiran Zheng v. Live Auctioneers LLC, No. 20-CV-9744 (JGK), 2021 WL 2043562, at *3 (S.D.N.Y. May 21, 2021) (using the test defined in McMorris to conclude that the plaintiff had made a prima facie showing of Article III standing because he alleged that the relevant data had been obtained by a malicious third party and sold to others).
5 McMorris, 995 F.3d at 299-300. In addition, a plaintiff must show that the injury was caused by the defendant and that the injury would likely be redressed by the relief sought. See Thole v. U.S. Bank N.A., – U.S. –, 140 S. Ct. 1615, 1618, 207 L.Ed.3d 85 (2020).
6 McMorris, 995 F.3d at 300 (citing Clapper v. Amnesty International USA, 568 U.S. 398, 409-10 (2013)).
7 Id. (citing Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158 (2014)).
8 Id.
9 Id. at 301 (citing Beck v. McDonald, 848 F.3d 262, 274-75 (4th Cir. 2017); Katz v. Pershing, LLC, 672 F.3d 64, 80 (1st Cir. 2012)).
10 Id. (citing Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 693 (7th Cir. 2015)).
11 Id. at 301 (citing Regarding, Inc., 888 F.3d 1020, 1027 n. 7 (9th Cir. 2018), Fero v. Excellus Health Plan, Inc., 304 F. Supp. 3d 333, 341, 344–45 (W.D.N.Y. 2018), and In re U.S. Off. of Pers. Mgmt. Data Sec. Breach Litig., 928 F.3d 42, 57-58 (D.C. Cir. 2019)).
12 Id. at *5 (citing Attias v. CareFirst, Inc., 865 F.3d 620, 628 (D.C. Cir. 2017)).
13 Id. (citing Whalen v. Michaels Stores, Inc., 689 F. App’x 89, 90 (2d Cir. 2017); Tsao v. Captiva MVP Rest. Partners, LLC, 986 F.3d 1332, 1344 (11th Cir. 2021)).
14 Id.
15 Id.
16 Id.
17 Id.
18 Id.
19 Id.
