Cybersecurity Class Actions Drawing a Split Among Circuit Courts | Pietragallo Gordon Alfano Bosick & Raspanti, LLP

Takeaway: In the wake of a data breach, a class of Plaintiffs whose personal and/or financial information is disseminated to third parties all share the same concern – the risk of future harm. But in order for these Plaintiffs to have standing to sue over the wrongful dissemination of their information resulting from the breach, the mere threat of future harm may not be enough. As more courts across the country have had the opportunity to address this issue, the emerging trend seems to be that the mere threat of future harm, by itself, is insufficient to confer standing; the threat of future harm must pose a substantial likelihood of materializing into actual harm for Plaintiffs to recover damages resulting from a data breach.

Pursuant to Article III of the United States Constitution, a plaintiff must meet the “irreducible constitutional minimum” requirements to show that he or she has standing to bring a cybersecurity class action lawsuit.[1] A plaintiff must adequately establish:

• (1) an injury in fact (i.e., a “concrete and particularized” invasion of a “legally protected interest”);
• (2) causation (i.e., a “ ‘fairly … trace[able]’ ” connection between the alleged injury in fact and the alleged conduct of the defendant); and
• (3) redressability (i.e., it is “ ‘likely’ ” and not “merely ‘speculative’ ” that the plaintiff’s injury will be remedied by the relief plaintiff seeks in bringing suit).[2]

The question of whether a plaintiff, or group thereof, has sufficient standing to bring class action lawsuits in the cybersecurity realm has unsurprisingly drawn a split amongst the Circuit Courts. In the wake of a data breach, one particular concern remains the same amongst all plaintiffs who wish to bring these suits – the risk of future harm. But is the mere risk of future harm, without anything else, enough to satisfy the “irreducible constitutional minimum” requirements to confer standing? The [3]D.C., Sixth, Seventh, and Ninth Circuits have held that data-breach plaintiffs alleging future harm have standing; while alternatively, the [4]First, Second, Third, Fourth and Eighth Circuits have reached the opposite conclusion.

The Ninth Circuit recently had an opportunity to address this inquiry. In Pruchnicki v. Envision Healthcare Corporation, 439 F.Supp.3d 1226 (D.Nev. 2020), the Plaintiff brought claims for negligence, breach of implied contract, negligent misrepresentation, and violation of Nevada Revised Statute § 41.600 on behalf of herself and “[a]ll persons whose [p]ersonal [d]ata was procured by a third party as a result of the [d]ata [b]reach due to the Envision Defendants’ failure to secure its internal systems of record.”[5] Plaintiff alleged that she provided her personal and financial information to defendants, and subsequent thereto, the defendants’ internal systems were breached by a third party who was able to obtain, inter alia, the Plaintiff’s name, social security number, driver’s license number, and unidentified financial information.[6] The individuals who may have had their information compromised were not notified of the breach for months after it occurred. Despite not suffering identity theft or fraud, Plaintiff alleged that criminal activity is “imminent and certainly impending.”[7]

The Defendants filed a motion to dismiss Plaintiff’s claims on the grounds that Plaintiff, and the other class members whose information was compromised as a result of the data breach, have asserted its claims based primarily on the threat of future harm. The District Court agreed with the Defendants, explaining that Plaintiff has not set forth expert opinion to support the existence of a market for her information.[8] Additionally, the Court found that Plaintiff has failed to plead diminution of the value of her personal information as a cognizable injury to support her claims.[9] On appeal, the Ninth Circuit upheld the District Court’s ruling and found that “the mere misappropriation of personal information does not establish compensable damages”, and Plaintiff’s claims were dismissed. [10]

Thus, the emerging trend seems to be that a Plaintiff must adequately plead how the threat of future harm will materialize into actual harm to be properly compensated for their damages. This logic is further evidenced in the Supreme Court’s recent decision in TransUnion LLC v. Ramirez, 141 S.Ct. 2190 (2021), wherein the class of Plaintiffs alleged that TransUnion failed to use reasonable procedures to ensure the accuracy of their credit files, as maintained internally by TransUnion.[11] Of the 8,185 class members, only 1,853 had misleading credit reports provided to third-party businesses by TransUnion, while the other 6,332 class members did not.[12] The Court found that the 6,332 class members whose misleading or incorrect information was not distributed to third parties have not demonstrated concrete harm and thus lack Article III standing to sue on its reasonable-procedures claims.[13] The Court further noted that “the mere risk of future harm, standing alone, cannot qualify as a concrete harm – at least unless the exposure to the risk of future harm itself causes a separate concrete harm.”[14]

In a similar decision, the Second Circuit elected to expand upon this emerging trend by setting forth a non-exhaustive list of factors to determine whether Plaintiffs have adequately alleged an Article III injury in fact. In McMorris v. Carlos Lopez & Associates, LLC, 995 F.3d 295 (2d Cir. 2021), Plaintiff-employees brought putative class action against Carlos Lopez asserting claims for negligence and violations of consumer protection laws arising from an email another employee had accidentally sent to all of the approximately 65 million employees of the company, which contained sensitive personally identifiable information of 130 then-current and former employees, including Social Security numbers, home addresses, telephone numbers, and educational degrees.[15]

Although Plaintiffs did not allege that they had been the victims of fraud or identity theft as a result of the errant email, they claimed that, because their sensitive information had been disclosed to all of the Defendant’s then-current employees, they were “at imminent risk of suffering identity theft” and becoming the victims of “unknown but certainly impending future crimes.”[16] After the Defendant filed a motion to dismiss, the parties reached a settlement; however, the District Court denied the Plaintiff’s motion to approve the settlement and instead dismissed Plaintiff’s claims for failure to establish the injury in fact element necessary to confer Article III standing.[17]

On appeal, the Second Circuit affirmed the District Court’s ruling, and held that the following non-exhaustive factors should be considered in determining if an alleged Article III injury in fact exists in the wake of a data breach:

• (1) whether the plaintiffs’ data has been exposed as the result of a targeted attempt to obtain that data;
• (2) whether any portion of the dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and
• (3) whether the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud.[18]

Moreover, the Court addressed a related question of standing in light of the Plaintiffs claiming that they cancelled credit cards, purchased credit monitoring and identity theft protection services, and spent time assessing whether they should apply for new Social Security numbers after the email incident.[19] The Court held that despite those voluntarily incurred costs and measures, the Plaintiffs “have not alleged a substantial risk of future identity theft, the time they spent protecting themselves against this speculative threat cannot create an injury.”[20] This notion is derived by the Supreme Court’s interpretation of Article III standing in a related case, wherein the Court noted that Plaintiffs “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”[21]

[1] Sprint Communications Co., L.P. v. APCC Services, Inc., 554 U.S. 269, 273-74 (2008).
[2] Id.
[3] See, e.g., In re Zappos.com, Inc., 888 F.3d 1020 (9th Cir. 2018) (holding that data-breach plaintiffs alleging future harm have standing); Dieffenbach v. Barnes & Noble, Inc., 887 F.3d 826 (7th Cir. 2018) (same); Attias v. Carefirst, Inc., 865 F.3d 620 (D.C. Cir. 2017) (same); Galaria v. Nationwide Mutual Ins. Co., 663 Fed.Appx.384 (6th Cir. 2016) (same).
[4] See, e.g., In re SuperValu, Inc., 870 F.3d 763 (8th Cir. 2017) (affirming dismissal for lack of standing); In re Horizon Healthcare Services Inc. Data Breach Litigation, 846 F.3d 625 (3d Cir. 2017) (same); Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011) (same); Whalen v. Michaels Stores, Inc., 689 Fed.Appx. 89 (2d Cir. 2017) (same).
[5] Pruchnicki, 439 F.Supp.3d at 1229.
[6] Id.
[7] Id.
[8] Id. at 1235.
[9] Id. at 1236.
[10] Pruchnicki v. Envision Healthcare Corporation, 845 Fed.Appx. 613, 615 (mem) (9th Cir. 2021).
[11] TransUnion, 141 S.Ct. at 2200.
[12] Id.
[13] Id.
[14] Id. at 2210-11 (emphasis in original).
[15] McMorris, 995 F.3d at 298.
[16] Id.
[17] Id. at 298-99.
[18] Id. at 303.
[19] Id. at 298, 303.
[20] Id. at 303; quoting SuperValu, 870 F.3d at 771.
[21] Id. at 303; quoting Clapper v. Amnesty Intern. USA, 568 U.S. 398, 416 (2013).

Comments are closed.