In major ruling, 2nd Circuit says no circuit split on data breaches and standing | Reuters

By Alison Frankel


(Reuters) - For years, I’ve been writing about a split among the federal circuits on whether data breach victims can establish a right to sue in federal court merely by showing that they are at increased risk of identity theft. Just a couple of months ago, when the 11th U.S. Circuit Court of Appeals held in Tsao v. Captiva MVP Restaurant Partners that the mere risk of identity theft does not satisfy Article III standing requirements, I pointed out the courts’ acknowledgment that the circuit courts are divided on the question.

But in an important synthesis of appellate precedent on constitutional standing for data breach victims, the 2nd Circuit ruled on Monday in Stevens v. Carlos Lopez that there is actually no split among the circuits, despite reports to the contrary by other circuits.

“In actuality, no court of appeals has explicitly foreclosed plaintiffs from establishing standing based on a risk of future identity theft – even those courts that have declined to find standing on the facts of a particular case,” wrote Judge Richard Sullivan for a panel that included Judges Guido Calabresi and Robert Katzmann.

It’s true, the 2nd Circuit said, that the 3rd Circuit and other appellate courts have ruled against data breach plaintiffs claiming that the risk of identity theft was a concrete injury. But even those decisions, the 2nd Circuit said, did not categorically hold that such risk cannot establish Article III standing.

The appeals court, which had previously addressed this question only in a 2017 summary order, concluded unequivocally that increased risk of identity fraud can give rise to a right to sue in federal court – but also put significant qualifiers on that premise. That’s why the ruling is so significant. The 2nd Circuit considered the pronouncements of all of the other circuits that have opined on the issue and discerned broad principles that, at least in the view of the 2nd Circuit panel, transcend the seemingly divergent permutations of the various rulings.

The three key questions for courts analyzing the Article III standing of data breach victims, according to the 2nd Circuit, are: Was the plaintiffs’ data exposed by accident or in a targeted hack? Has any data obtained from the breach been misused, even if the plaintiffs’ own data has not been? And did the breach expose the kind of data – like Social Security numbers – that could leave victims vulnerable to identity theft?

Those factors aren’t exhaustive, Sullivan wrote, since Article III standing is always based on the unique facts of a case. Nevertheless, the 2nd Circuit said, “these are the considerations that our sister circuits have most consistently addressed in the context of data breaches and other data exposure incidents, and we agree that they provide helpful guidance in assessing whether plaintiffs have adequately alleged an injury in fact.”

Alas for the plaintiff whose case inspired the 2nd Circuit to provide these overarching guidelines, her own allegations were not up to snuff.

Devonne McMorris was an employee at Carlos Lopez & Associates, which provides mental health services to service members and veterans. In 2018, a CLA employee accidentally sent an email to 65 other employees that included a spreadsheet with sensitive personal information, including Social Security numbers and birth dates, of 130 current and former CLA employees.

McMorris and two other plaintiffs filed a class action. CLA agreed to a settlement, but U.S. District Judge Jesse Furman of Manhattan rejected the settlement in 2019, concluding that he did not have jurisdiction because the plaintiffs did not meet constitutional standing requirements. Furman dismissed the class action.


The 2nd Circuit agreed with Furman's analysis. Sensitive data was exposed, the appeals court said, but the disclosure was accidental, rather than a targeted hack perpetrated with criminal intent. McMorris, the only plaintiff to appeal the dismissal of the case, offered no evidence that the exposed information was misused or even shared with anyone outside of CLA. And although she and other named plaintiffs alleged that they canceled credit cards and purchased identity theft protection in response to the disclosure of their information, the 2nd Circuit said that under the U.S. Supreme Court’s 2013 ruling in Clapper v. Amnesty International, plaintiffs cannot manufacture standing by spending money to respond to an incident that, by itself, is not a concrete injury.

McMorris counsel Abraham Melamed of the Derek Smith Law Group said by email that while he’s disappointed in the outcome for his client, the 2nd Circuit’s ruling is “a significant victory for data breach victims,” adding, “We are happy that the court held that an increased risk of future injury in a data breach case may constitute a sufficient injury for Article III standing, and that the court articulated a framework for judges to evaluate in assessing that standing.”

CLA counsel Joseph Palmore of Morrison & Foerster did not respond to a request for comment.

I was surprised in 2018, when the Supreme Court declined to take up the issue of Article III standing for data breach victims in Zappos.com v. Stevens. I’ve assumed since then, as additional circuits have put their own gloss on concrete injury and the risk of identity theft, that the justices would eventually have to offer guidance to lower courts. But the 2nd Circuit’s synthesis may have done the job.

Opinions expressed here are those of the author. Reuters News, under the Trust Principles, is committed to integrity, independence and freedom from bias.