Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

2nd Circuit: No standing if PII is uncompromised

Courts Appellate Second Circuit Data Breach Privacy/Cyber Risk & Data Security Class Action State Issues

Courts

On April 26, the U.S. Court of Appeals for the Second Circuit affirmed a district court’s dismissal of a proposed class action settlement, concluding that although, “in the context of unauthorized data disclosures,” plaintiffs may establish Article III standing on the theory that a data breach increases the risk of identity theft, the appealing plaintiff failed to show that her sensitive personally identifiable information (PII) had been misused or compromised. The plaintiff filed a proposed class action against a former employer after a company employee accidentally sent an email to approximately 65 company employees with an attachment containing PII for roughly 130 current and former workers, including Social Security numbers, home addresses, and birth dates. The plaintiff alleged that the defendant, among other things, violated several state consumer protection statutes, and contended that workers “were ‘at imminent risk of suffering identity theft.’” The plaintiff further claimed that workers had to spend time canceling credit cards, assessing whether to apply for new Social Security numbers, and purchasing credit monitoring and identity theft protection services. While the parties reached a settlement, the court ultimately denied the settlement and dismissed the case for lack of subject-matter jurisdiction after finding the plaintiff lacked Article III standing because she failed to allege “an injury that is concrete and particularized and certainly impending.” According to the district court, it was “arguably a misnomer to even call this case a ‘data breach’ case,” because, “[a]t best, the data was ‘misplaced’” internally rather than accessed by a third party.

On appeal, the Second Circuit agreed with the district court, concluding that the plaintiff failed to demonstrate an increased risk of identity theft and that the cost of taking proactive measures to prevent future identity theft is insufficient to constitute an injury in fact when the threat is speculative. “This notion stems from the Supreme Court’s guidance in [Clapper v. Amnesty Int’l USA], where it noted that plaintiffs ‘cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.’”