After TransUnion, Lower Courts Grapple With Article III Standing in Data Breach Lawsuits
Free Article Limit This Month
- Although the U.S. Supreme Court’s recent decision in TransUnion v. Ramirez appears to supersede the Second Circuit’s McMorris test, some lower courts are continuing to apply the test with some varying results.
- Other courts have found alleged increased risk of identity theft of highly valuable personal information is sufficient to meet Article III’s requirements for injury-in-fact, but is not enough to meet the requirement that a plaintiff alleges that defendant’s conduct caused them harm.
In a data breach lawsuit, a plaintiff will sue a company that suffered a data breach in which the plaintiff's personal information was stolen by cyberattackers. The plaintiff will claim that the breach has exposed the plaintiff to an increased risk that criminals will steal their identity at some point in the future. A recurring issue in these lawsuits is whether such an allegation is a sufficiently "concrete" injury such that the plaintiff has standing to bring their claims. Lately, courts have begun to consider the Supreme Court's recent decision in TransUnion LLC v. Ramirez, 141 S. Ct. 2190 (2021). In TransUnion, the Supreme Court ruled that while a bare procedural violation of a federal statute is insufficient for a plaintiff to establish concrete injury, certain intangible harms are sufficiently concrete. Although TransUnion did not directly address the question of whether a plaintiff has suffered a concrete injury when a data breach exposes the plaintiff to an alleged increased risk of identity theft, lower courts have begun applying TransUnion in data breach lawsuits, with varying results. This alert dives into the different ways that courts have been approaching the standing issue in data breach litigation following TransUnion.
- Although the U.S. Supreme Court's recent decision in TransUnion v. Ramirez appears to supersede the Second Circuit's McMorris test, some lower courts are continuing to apply the test with some varying results.
- Other courts have found alleged increased risk of identity theft of highly valuable personal information is sufficient to meet Article III's requirements for injury-in-fact, but is not enough to meet the requirement that a plaintiff alleges that defendant's conduct caused them harm.
- Until the Supreme Court directly addresses this issue specifically in the data breach context, lower courts may continue to use differing analyses to determine when a plaintiff has standing in data breach litigation.
Article III Standing Prior to TransUnion
Article III of the Constitution restricts the power of the federal courts to hear only "cases" and "controversies." The "case" or "controversy" limitation on the federal judicial power is expressed via the standing doctrine, which requires a plaintiff to have a personal stake in a case. The standing doctrine requires every plaintiff to show that: i) the plaintiff suffered an injury in fact that is concrete, particularized, and actual or imminent; ii) the plaintiff's injury was likely caused by the defendant; and iii) the injury would likely be redressed by judicial relief. See Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-531 (1992).
Prior to TransUnion, the federal courts took various approaches to decide whether an alleged increased risk of future harm stemming from a data breach is sufficient to demonstrate injury-in-fact and thus fulfill the first prong of the standing doctrine. Individuals suing companies over data breaches had mixed success. Courts often considered the type of personal information exposed in the data breach as well as whether actual harm was inflicted on the plaintiff, rather than hypothetical future harm.
For instance, a few months before TransUnion was decided, the Eleventh Circuit held that allegations of an elevated risk of identity theft were insufficient to establish standing. Tsao v. Captiva MVP Restaurant Partners, LLC, 986 F.3d 1332 (11th Cir. 2021) involved a data breach compromising individuals' names, debit or credit card numbers, card expiration dates, card verification value codes ("CVV"), and PIN data for debit cards. Importantly, the court noted that no plaintiff could point to any actual identity theft as a direct result of the breach. The Tsao court also looked to a 2007 GAO report in denying concreteness by stating "[c]ompromised credit or debit card information, without additional personal identifying information, generally cannot be used alone to open unauthorized new accounts . . . most breaches have not resulted in detected incidents of identity theft." GAO-07-737, Personal Information: Data Breaches are Frequent, but Evidence of Resulting Identity Theft is Limited; however, the Full Extent is Unknown (2007). The Tsao court noted that the hackers were not alleged to have stolen social security numbers, birth dates, or driver license numbers, and "thus, according to the GAO report, the risk of identity theft was ‘little to no[ne].'"
By contrast, the Second Circuit held that an alleged increased risk of identity theft caused by a data breach could cause concrete or certainly impending injury-in-fact in McMorris v Carlos Lopez & Associates, LLC, 995 F.3d 295 (2d Cir. 2021). The McMorris court created a three-factor test for analyzing whether an alleged risk of identity theft or fraud is sufficiently concrete, particularized, and imminent for standing purposes: 1) whether the data at issue has been compromised as the result of a targeted attack intended to obtain the plaintiff's data; 2) whether the plaintiff can show that at least some part of the compromised dataset has been misused, even if the plaintiff's particular data has not yet been affected; and 3) whether the type of data is more or less likely to subject the plaintiff to a perpetual risk of identity theft or fraud, such as social security numbers and dates of birth, particularly when accompanied by individuals' names. McMorris also ruled that expenses reasonably incurred by a plaintiff to mitigate a risk of future identity theft or fraud may also qualify as injury-in-fact, but only where a substantial risk exists in the first instance, not when a plaintiff incurs expenses protecting himself or herself against a "speculative threat."
TransUnion Supersedes McMorris Test
TransUnion appears to supersede the Second Circuit's McMorris test and narrows the scope of future injuries that are sufficient to establish standing. The Supreme Court explained "that in a suit for damages [as opposed to injunctive relief], the mere risk of future harm, standing alone, cannot qualify as a concrete harm." The case involved a group of individuals who had been erroneously listed on the U.S. Treasury Department's Office of Foreign Assets Control's list of terrorists, drug traffickers and other serious criminals by a credit reporting agency. At trial, the jury found that the plaintiffs had established a violation of the Fair Credit Reporting Act ("FCRA") for all members of the class. The FCRA violation for the majority of the class was labeled by the Court to be a mere "procedural" violation - they had been misidentified in TransUnion's internal system as "potential terrorists," but that information had not been disclosed to any third party. On appeal, the Supreme Court concluded that their risk of future harm did not amount to a concrete injury that gave them standing. By contrast, the Court held that a smaller sub-group of plaintiffs had suffered concrete injuries because their erroneous terrorist status was released to third parties.
Although TransUnion did not involve a data breach lawsuit, the decision appears to answer the question whether plaintiffs may allege present injury-in-fact stemming from a violation of a statute protecting individuals' privacy and thus have standing. Specifically, because the Court concluded that a bare procedural violation is not enough to establish Article III standing, it is likely that plaintiffs in a data breach suit for damages will not establish Article III standing simply by alleging a mere procedural violation of a privacy law, even if that violation has exposed the plaintiffs to a risk of future harm.
Although TransUnion was decided less than a year ago, lower courts have begun to apply its holding when considering whether an increased risk of identity theft caused by a data breach constitutes concrete or certainly impending injury-in-fact sufficient for standing. In a recent case, for instance, the United States District for the Southern District of New York held that "under the Supreme Court's latest pronouncement in TransUnion, Plaintiffs cannot allege a concrete injury relying solely upon a future risk of harm; however, Plaintiffs may, and do plausibly allege that exposure to the risk of identity theft causes concrete injury, and thus have Article III standing." Bohnak v. Marsh & McLennan Cos., 21 Civ. 6096 (AKH) (S.D.N.Y. Jan. 17, 2022). Bohnak involved a data breach of highly sensitive personal information, including social security numbers. The plaintiffs asserted a theory of standing based on allegations of potential future harm in which their data is misused, but did not allege any actual misuse of their data. This theory, according to the court, asserted a hypothetical risk of future harm that was too speculative to support Article III standing. The court relied on TransUnion, which the court stated, called into question the continuing validity of the Second Circuit's McMorris test. But the plaintiffs also asserted a second theory of standing: that the exposure to identity theft itself caused a concrete harm. In finding that the plaintiffs' second theory of standing was sufficient, the court found that the exposure of plaintiffs' personal information was analogous to the reputational harm and privacy-related harms that form the basis for the common-law tort of public disclosure of private information (‘PDPF'). The TransUnion opinion stated the most obvious harms that readily qualify as concrete injuries under Article III are traditional tangible harms such as physical or monetary harms, but the court also stated that certain intangible harms are sufficiently concrete. The Bohnak court cited TransUnion's explicit reference to PDPF as an example of a traditionally judicially cognizable intangible harm: "[v]arious intangible harms can also be concrete . . . . Those include, for example . . . disclosure of private information." Notably, however, the court went on to dismiss the lawsuit because the plaintiffs had failed to adequately allege that they suffered a legally cognizable injury to support their substantive claims. Specifically, the court stated plaintiffs could only speculate as to whether they will suffer harm at some unknown future date. Thus, an alleged increased risk of identity theft might be enough to meet the requirement that a plaintiff allege an injury-in-fact, but not enough to meet the requirement that a plaintiff allege that the defendant's conduct caused them harm.
Two days after the Southern District's decision in Bohnak, however, another judge on the same court took a different path when deciding whether data breach victims had standing to bring their claims. Bradley Cooper v. Bonobos, Inc., 21 CIVIL 854 (JMF) (S.D.N.Y. Jan. 19, 2022) involved a data leak exposing partial credit card numbers, encrypted passwords, names, telephone numbers, and email addresses of customers. Unlike the court in Bohnak, the court here applied the McMorris test and found the plaintiffs failed to meet the 3rd prong (increased risk) since the type of data that was exposed is not susceptible to misuse and is not "sensitive." The court further found that the plaintiffs' allegation that time and money spent responding to data breach equated to actual present-day injury was unfounded since plaintiffs cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not impending. In a footnote, the court recognized that TransUnion called McMorris into question, but stated that is the task of the Second Circuit, not the SDNY, to determine if McMorris has been overturned.
Although the Supreme Court has provided some answers, the current legal landscape for data breach litigation is still unsettled. TransUnion clarified that a bare procedural violation alone is insufficient for Article III standing; instead, a plaintiff must allege a concrete harm that is analogous to a harm traditionally recognized by the courts. Since TransUnion, some lower courts are continuing to apply a test based on the type of personal identifying information and the harm incurred. Other courts have found alleged increased risk of identity theft involving highly valuable personal information is sufficient to meet Article III's requirements for injury-in-fact, but is not enough to meet the requirement that a plaintiff allege that defendant's conduct caused them damages. Until the Supreme Court directly addresses this issue specifically in the data breach context, the lower courts may continue to use differing analyses to determine when a plaintiff has standing in data breach litigation. The attorneys in Saul Ewing Arnstein & Lehr's Cybersecurity and Privacy Group will continue to monitor developments in this evolving area of the law.
ALM expressly disclaims any express or implied warranty regarding the OnPractice Content, including any implied warranty that the OnPractice Content is accurate, has been corrected or is otherwise free from errors.