McMorris v. Carlos Lopez & Assocs., LLC
19-4310 (2021)
Rule of Law:
Plaintiffs may establish Article III standing based on an increased risk of identity theft or fraud following the unauthorized disclosure of their data, but only if they demonstrate a 'certainly impending' or 'substantial risk' of such harm, considering factors like a targeted attack, actual misuse of data, and the sensitivity of the disclosed information.
Facts:
- Carlos Lopez & Associates, LLC (CLA) provides mental and behavioral health services to veterans, service members, and their families.
- In June 2018, a CLA employee accidentally sent an email to all of the approximately 65 current employees at the company.
- Attached to the email was a spreadsheet containing sensitive personally identifiable information (PII), including Social Security numbers, home addresses, dates of birth, and telephone numbers, of approximately 130 then-current and former CLA employees.
- Two weeks later, CLA emailed its then-current employees to address the accidental email, but it did not contact any former employees regarding the disclosure or take any other corrective action.
- Devonne McMorris was one of the individuals whose PII was shared in the spreadsheet.
- McMorris and other plaintiffs claimed they canceled credit cards, purchased credit monitoring and identity theft protection services, and spent time assessing whether to apply for new Social Security numbers after the email incident.
- The plaintiffs did not allege that their PII was ever shared with anyone outside of CLA, nor that it was taken or misused by any third parties.
- The plaintiffs did not allege that they had been the victims of fraud or identity theft as a result of the errant email.
Procedural Posture:
- Devonne McMorris, Robin Steven, and Sean Mungin filed a class-action complaint asserting state-law claims against Carlos Lopez & Associates, LLC (CLA) and Carlos Lopez in the United States District Court for the Southern District of New York.
- CLA moved to dismiss the plaintiffs' claims, including for lack of Article III standing.
- Before the deadline for the plaintiffs' response to the motion to dismiss, the parties reached a class settlement, which they asked the district court to approve.
- In advance of the scheduled class settlement fairness hearing, the district court sua sponte ordered further briefing on whether the plaintiffs possessed Article III standing.
- At the fairness hearing, the district court informed the parties of its preliminary conclusion that the plaintiffs lacked Article III standing.
- On November 22, 2019, the district court issued a written opinion formally denying the outstanding motion for approval of the class settlement and dismissing the case for lack of subject-matter jurisdiction.
- McMorris, without the other named plaintiffs, appealed the district court's dismissal to the United States Court of Appeals for the Second Circuit.
Issue:
Does a plaintiff establish Article III standing based solely on an increased risk of identity theft or fraud following an inadvertent internal disclosure of sensitive personally identifiable information (PII), even without allegations of actual misuse or a targeted external attack?
Opinions:
Majority - Richard J. Sullivan
No, a plaintiff does not establish Article III standing based solely on an increased risk of identity theft or fraud following an inadvertent internal disclosure of sensitive personally identifiable information without allegations of actual misuse or a targeted external attack. The Court affirmed the district court's dismissal for lack of Article III standing, acknowledging that plaintiffs may establish standing based on an increased risk of identity theft or fraud following unauthorized data disclosure. However, this risk must be 'certainly impending' or a 'substantial risk.' The Court adopted a non-exhaustive list of factors from sister circuits to assess this risk: (1) whether the data was exposed due to a targeted attempt to obtain it; (2) whether any part of the dataset has already been misused; and (3) whether the type of data is sensitive. In McMorris's case, the disclosure was an inadvertent internal email, not a targeted external attack, and there were no allegations that the PII was ever shared outside CLA or actually misused. While the data was sensitive, this factor alone was insufficient to demonstrate a 'substantial risk,' as it would require an 'attenuated chain of possibilities' that internal employees would misuse the data or leak it to a malicious third party. The Court also held that self-inflicted harm, such as costs for credit monitoring or identity theft protection, does not constitute an injury in fact if the plaintiff fails to establish a substantial risk of future harm.
Analysis:
This case clarifies the Second Circuit's stance on Article III standing in data breach cases, aligning with other circuits by recognizing that a substantial risk of future identity theft can constitute an injury in fact. However, it sets a high bar for establishing such a risk, particularly distinguishing between targeted malicious breaches and inadvertent internal disclosures. The decision emphasizes the need for concrete allegations of threat beyond mere exposure of sensitive data, limiting the scope of federal litigation for data incidents lacking clear evidence of malicious intent or actual misuse.
