Second circuit confirms rejection of class action lawsuit for violation of Article III Standing Grounds
As reported on the Hunton Retail Law Blog, on April 26, 2021, the U.S. Circuit Court of Appeals upheld the dismissal of an Article III class action lawsuit based on an alleged increased risk of identity theft. McMorris v Carlos Lopez & Assocs., LLC, No. 19-4310, 2021 WL 1603808 (2d Cir. April 26, 2021). In particular, the district court, which dismissed the lawsuit, raised the issue of spontaneous liability before a planned hearing on the fairness of the comparison classes.
McMorris was referring to the alleged disclosure of employee information – including social security numbers, home addresses, birth dates, phone numbers, educational qualifications, and hiring dates – after one of the defendant’s employees accidentally emailed this information to all employees at the company (approximately 65).
In particular, plaintiffs did not allege that they suffered fraud or identity theft as a result of the accidental disclosure, nor did they allege that their information was disclosed to anyone outside the company or that third parties otherwise took or misused it. However, plaintiffs said they were “at immediate risk of identity theft” and canceled credit cards, bought credit monitoring and identity theft protection services, and spent time looking into applying for new Social Security numbers after the email incident.
In relation to these facts, the court found that the plaintiffs lacked Article III. The court described the decision as one that “accedes[s] all  Sister groups that have specifically addressed the issue that the increased unauthorized disclosure of their information allows plaintiffs to take a stand due to an increased risk of identity theft or fraud. However, the court found that the plaintiffs “have not demonstrated that they are at a significant risk of future identity theft or fraud sufficient to justify the position of Article III”.
The court formulated a “non-exhaustive” list of three factors to consider when faced with allegations that unauthorized disclosure of information puts plaintiffs at increased risk of identity theft or fraud “:
- Whether the plaintiffs’ data was disclosed as a result of a targeted attempt to obtain that data;
- Whether part of the data set has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and
- Whether the type of information disclosed is sensitive so that there is a high risk of identity theft or fraud.
Applying these factors, the court found that, despite the sensitivity of the information, the plaintiffs did not allege that their information had been subject to a targeted data breach or that there was any evidence alleging that their information (or that of others) was being misused were. Accordingly, the court upheld the permanent dismissal under Article III.
Read the full court decision.