Privacy Plus+

Privacy, Technology and Perspective

Data Breaches, Employment Relationships and Inadvertent Mass Emails. Recently, the United States Court of Appeals for the Second Circuit issued a unanimous opinion in McMorris v. Carlos Lopez & Associates, addressing one of the hot issues data breach class actions – whether victims of a data breach can establish Article III standing by alleging they are at an increased risk of identity theft or fraud, even if their personal data has not yet been misused.  The answer is: It depends.  The case raises at least four other important issues, so let’s look at the case, and address some related insights that we have.

McMorris v. Carlos Lopez & Associates, LLC, No. 19-4310 (2d Cir. Apr. 26, 2021)

Carlos Lopez & Associates (CLA) provides mental and behavioral health services to veterans, service members, and their families and communities. 

Accidental internal email discloses employee data: In June 2018, one of its employees inadvertently sent an email to 65 of CLA’s employees, which contained a spreadsheet with the personally-identifiable information (PII) of 130 then-current and former employees – home addresses, phone numbers, Social Security numbers, dates of birth and hire, and educational degrees. Two weeks later, CLA emailed its then-current employees to address the accidental email, but it did not contact its former employees regarding the disclosure or take any other corrective action.

Class action filed against employer: Three employees then filed a class-action lawsuit for negligence and violations of statutory consumer-protection statutes soon followed, alleging that CLA “breached its duty to protect and safeguard [their] personal information and to take reasonable steps to contain the damage caused where such information was compromised.” The plaintiffs did not allege that fraud or identity theft had occurred, or even that the spreadsheet had been shared outside CLA. But the plaintiffs urged that they were “at imminent risk of suffering identity theft” and “unknown but certainly impending future crimes,” to guard against which they had cancelled credit cards, bought credit monitoring and identity theft services, and investigated whether they should apply for new Social Security numbers. Very quickly, the parties reached a class settlement, which they asked the court to approve for fairness under Fed. R. Civ. P. 23.

District Court dismisses based on lack of standing: Acting sua sponte, the district court asked whether the Plaintiffs had suffered an injury that is “concrete and particularized and actual or imminent,” sufficient to confer Article III standing to bring their claims.  It explained that the Second Circuit not yet addressed whether “an increased risk” of future identity theft or fraud can suffice for standing. And even if it would, here the “breach” was simply that the PII had been “misplaced,” not taken by a third party, so that in the district court’s view, by cancelling their credit cards and so on the plaintiffs were just “inflicting harm on themselves.” The court dismissed.

Second Circuit Affirms – Alleging increased risk of future identity theft or fraud isn’t enough to confer standing: The Second Circuit affirmed, holding that while an increased risk of identity theft or fraud following an unauthorized disclosure may establish standing, the plaintiffs hadn’t done so here.

In a tell-tale footnote, the Second Circuit specifically “expressed no view” on the “separate but related question of whether plaintiffs may allege a present injury in fact stemming from the violation of a statute designed to protect individuals’ privacy,” under the Supreme Court’s decision in Spokeo, Inc. v. Robins.  “Here,” it said, “Plaintiffs brought claims asserting only a risk of future identify theft or fraud, so we have no reason to address this privacy-based theory of standing” (apparently not regarding).   

Further, as held by other circuits, the court held that the “increased-risk” theory is a fact-based inquiry, considering factors specific to the PII such as whether the PII (i) has been compromised because of a targeted attack, (ii) has been actually misused (even if not with respect to the particular plaintiffs), or (iii) is particularly sensitive or can’t readily be rendered useless to a criminal. The court pointed to the familiar holding that where these factors point to a harm that is merely hypothetical and “not certainly impending,” the plaintiffs’ efforts to mitigate will not suffice for standing.

A link to the Second Circuit’s opinion follows:

Several Insights:

McMorris v. Carlos Lopez & Associates is important just for joining the Second Circuit to the increasing group of circuits requiring wider or deeper showings of harm, but we are intrigued by three other aspects.

First, McMorris strikes a direct blow at the burgeoning cottage industry of trolling for “data breaches” in the hopes of scoring a quick settlement.  

Second, the Second Circuit did not appear to regard the allegations under the California, Texas, and other state-based consumer protection statutes as sufficient to show a “present” breach of a “privacy-related” statute, under Spokeo.  We wonder if that is too narrow a view of those statutes, which protect privacy (and much else) whether they include it in their titles or not. And in any event, may the new state statutes specifically addressing “privacy” – even having it in their titles – make a difference in this respect?

Third, the court took pains to explain that in its view there is no split among the circuits on these issues, or even an impending split. 

Finally, this case should be a wake-up call for companies who haven’t fully come-to-terms with employee-privacy issues.  Even though U.S. privacy laws currently focus more on privacy related to consumers, employee privacy issues clearly present risks that should be thoughtfully addressed.

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.