No Injury, No Data Breach Claims? Recent Trends in Evaluating Standing in Data Breach Class Actions
A key contested issue in data breach class actions is whether plaintiffs can satisfy Article III’s injury-in-fact requirement by alleging risk of future harm rather than actual misuse of plaintiffs’ personal information. As the number of data breach class actions filed continues to rise, a promising ruling by the Supreme Court seemed poised to resolve appellate courts’ diverging rulings on this issue. Almost two years later, though, the circuit split persists. We discuss that split and a few emerging trends below.
To sue in federal court, a plaintiff must demonstrate: (1) an alleged injury in fact that is concrete, particularized, and actual or imminent; (2) that the injury was likely caused by the defendant; and (3) that it is likely, and not merely speculative, that the alleged injury will be redressed by a favorable decision.[1] The contentious issue in data breach lawsuits is whether plaintiffs can sufficiently demonstrate the first element, injury in fact.
In 2021, the Supreme Court once again took up the question of whether the plaintiffs’ injury was sufficiently “concrete” to satisfy the Article III standing requirement. In TransUnion LLC v. Ramirez, plaintiffs did not prove any actual harm caused by defendant credit reporting agency’s inaccurate credit reporting and instead provided evidence only of possible future harm. The Court held that plaintiffs lacked Article III standing because the future harm they relied on was too speculative. The Court explained that “the mere risk of future harm, standing alone, cannot qualify as a concrete harm,” but a sufficiently imminent and substantial future harm could conceivably still meet this requirement.[2]
TransUnion was the latest in a string of cases in which the Supreme Court tightened Article III standing requirements. Despite the Supreme Court’s guidance, the circuits remain split on the types of allegations required to meet these requirements in data breach class actions.
Only one circuit court has considered Article III standing in a data breach class action since the Supreme Court decided TransUnion. Reversing the district court, in Clemens v. ExecuPharm Inc., the Third Circuit found a concrete injury in fact based on three “non-exhaustive factors” for determining when an alleged risk of future harm is sufficiently imminent and substantial to satisfy Article III’s injury-in-fact requirement: (1) intentional access to the data by the threat actor; (2) misuse of the data; and (3) access to the types of data that could be used for identity theft or other fraud.[3] The court found plaintiff had pled the requisite substantial risk of future harm that was imminent or certainly impending because plaintiff’s sensitive personal information was targeted by a known hacking group, and plaintiff suffered currently felt concrete harms, including emotional distress, money spent on mitigation measures, and publication of sensitive personal information on the dark web, where it was available to criminals.[4]
No other circuit has considered Article III standing in a data breach class action since TransUnion was decided. Even though the Third Circuit’s ruling came after TransUnion, the court adopted its test from a Second Circuit case decided shortly before TransUnion. In that case, McMorris v. Carlos Lopez & Assocs., LLC, the court established a similar three-step inquiry: “(1) whether the plaintiffs’ data has been exposed as the result of a targeted attempt to obtain that data; (2) whether any portion of the dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and (3) whether the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud.”[5]
The Second Circuit affirmed the lower court’s finding that plaintiffs lacked Article III standing because the data breach was not the result of a targeted attack, plaintiffs did not allege actual misuse, and the fact that the impacted data included Social Security numbers was not sufficient to meet the injury-in-fact requirement. Some district courts have found that TransUnion abrogated McMorris to the extent that McMorris suggested anything less than a concrete injury can constitute injury in fact.[6]
Before TransUnion was decided, the Sixth, Seventh, Ninth, Eleventh, and D.C. Circuits had found alleged risk of future harm may satisfy Article III, depending on the circumstances pled.[7] Note, though, that some of these courts have reached this conclusion based on allegations that some of the plaintiffs had already experienced harm such as identity theft.[8] Lower courts in many of these circuits have worked to reconcile their circuit’s case law with TransUnion.[9]
In contrast, the Fourth and Eighth Circuits have found that alleged risk of future harm is too speculative to confer Article III standing without actual or attempted misuse of personal information.[10]
We are seeing trial courts focus or continue to focus on certain factors as they grapple with the impact of TransUnion:
Even with further guidance from the Supreme Court, the circuits remain split on whether plaintiffs in data breach class actions can meet Article III’s injury-in-fact requirement without pleading actual misuse of stolen data. Forum still matters, but so does the nature of the breach, the actions of the threat actor, and the types of exfiltrated data. Defendants also should consider whether plaintiffs have adequately alleged harm proximately caused by the breach, as required to support negligence and other claims commonly asserted in data breach class actions, a separate inquiry from Article III standing.
[1] TransUnion LLC v. Ramirez, 141 S. Ct. 2190, 2203 (2021) (citing Lujan v. Defenders of Wildlife, 504 U.S. 555, 560–61 (1992)).
[2] TransUnion, 141 S. Ct. at 2210–11.
[3] 48 F.4th 146, 153–54 (3d Cir. 2022).
[4] Id. at 155–56.
[5] 995 F.3d 295, 303 (2d Cir. 2021).
[6] In re Practicefirst Data Breach Litig., No. 1:21-CV-00790(JLS/MJR), 2022 U.S. Dist. LEXIS 19272, at *15 n.7 (W.D.N.Y. Feb. 2, 2022), report and recommendation adopted, 2022 U.S. Dist. LEXIS 137188 (W.D.N.Y. Aug. 1, 2022); see also Aponte v. Ne. Radiology, P.C., No. 21 CV 5883 (VB), 2022 U.S. Dist. LEXIS 87982, at *7–8 (S.D.N.Y. May 16, 2022); Bohnak v. Marsh & McLennan Cos., 580 F. Supp. 3d 21, 29 (S.D.N.Y. Jan. 17, 2022), appeal pending, Case No. 22-319 (2d Cir.).
[7] Galaria v. Nationwide Mut. Ins. Co., 663 F. App’x 384 (6th Cir. 2016); Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 692 (7th Cir. 2015); In re Zappos.com, Inc., Customer Data Sec. Breach Litig., 888 F.3d 1020 (9th Cir. 2018); In re Equifax Customer Data Sec. Breach Litig., 999 F.3d 1247, 1261–63 (11th Cir. 2021) (citing McMorris), cert. denied sub nom. Shiyang Huang v. Spector, 142 S. Ct. 431 (2021); In re U.S. OPM Data Sec. Breach Litig., 928 F.3d 42 (D.C. Cir. 2019).
[8] See, e.g., In re Equifax, 999 F.3d at 1262–63.
[9] District courts in the Ninth Circuit are split on whether the pre-TransUnion circuit decisions remain good law. Compare Riordan v. W. Digit. Corp., No. 5:21-cv-06074-EJD, 2022 U.S. Dist. LEXIS 101685, at *9, *11 (N.D. Cal. June 7, 2022) with I.C. v. Zynga, Inc., 600 F. Supp. 3d 1034, 1050–52 (N.D. Cal. 2022).
[10] Beck v. McDonald, 848 F.3d 262, 274–75 (4th Cir. 2017); In re SuperValu, Inc. Customer Data Sec. Breach Litig., 870 F.3d 763, 771–73 (8th Cir. 2017). Note that the Tenth Circuit has not yet weighed in, but trial courts in the Circuit have found risk of future harm is not sufficient. See, e.g., Blood v. Labette Cnty. Med. Ctr., No. 5:22-cv-04036-HLT-KGG, 2022 U.S. Dist. LEXIS 191922, at *17, *20 (D. Kan. Oct. 20, 2022).
[11] In re Practicefirst Data Breach Litig., 2022 U.S. Dist. LEXIS 19272, at *13, *16.
[12] Cooper v. Bonobos, Inc., No. 21-CV-854 (JMF), 2022 U.S. Dist. LEXIS 9469, at *9 (S.D.N.Y. Jan. 19, 2022).