Updates and Supplemental Material to Chapter 4

Data Breach Litigation – Standing

UPDATES TO THE SECOND EDITION

4.1.4 Standing in State Courts

Any inclination of plaintiffs to seek refuge from TransUnion in state courts is likely to be tempered by cases like Greco v. Syracuse ASC, LLC, 218 A.D.3d 1156, 193 N.Y.S.3d 511 (N.Y. App. Div. 2023), where the court applied McMorris-type factors to dismiss a data breach case for lack of standing. “Plaintiff failed to allege an injury-in-fact inasmuch as the potential for future misuse of her data and possible economic harm is too "conjectural, tenuous [and] hypothesized" to constitute an interest that is sufficiently concrete to confer standing. … To the extent that plaintiff also contends that she established an injury-in-fact by virtue of the cost of identity protection and other mitigation efforts, we conclude that such mitigation efforts cannot confer standing absent a sufficiently concrete injury-in-fact legitimizing or warranting such efforts.”

4.2.1.1 Standing Based on Financial Losses, Fraudulent Charges, or Actual Identity Theft

Granting standing based on unsolicited telephone calls: Tate v. Eyemed Vision Care, LLC, 2023 U.S. Dist. LEXIS 175840 (W.D. Ohio Sept. 29, 2023). “Plaintiffs claim that, after the data breach, they received a significantly increased number of scam and phishing calls, texts, and emails. Such communications annoy, harass, and, in the case of phone calls, temporarily claim control over an individual's personal device. … So Plaintiffs adequately allege a concrete and particularized injury—if barely.”

The Sixth Circuit held that unsolicited calls and messages constitute cognizable Article III injuries in fact. See Dickson v. Direct Energy, LP, 69 F.4th 338, 345 (6th Cir. 2023) (TCPA case, finding standing based on one unsolicited voicemail, likening unsolicited calls and messages to the common law tort of intrusion-upon-seclusion).

4.2.1.2 Standing Based on the Privacy Intrusion or Loss Itself

Rejecting standing based on an intangible violation of privacy. Tate v. Eyemed Vision Care, LLC, 2023 U.S. Dist. LEXIS 175840 (W.D. Ohio Sept. 29, 2023).

Rejecting loss of privacy as grounds for standing: Maser et al. v. CommonSpirit Health, no. 1:23-cv-01073, 2024 U.S. Dist. LEXIS 102196 *22-24, 2024 WL 2863579 (D. Colo. Apr. 16, 2024) (magistrate’s recommendation; distinguishes In re Horizon on the ground that its reasoning was applicable only to cases brought under the FCRA).

Granting standing based on an allegation that cybercriminals had obtained plaintiff’s Social Security number and other sensitive data: Miller v. Syracuse Univ., 662 F. Supp. 3d 338 (N.D.N.Y. 2023). “Plaintiff has sufficiently ‘alleged an intangible concrete injury, analogous to that associated with the common-law tort of public disclosure of private information.’ ... Plaintiff's allegation that Defendant's conduct resulted in the exposure of Sensitive Information, including his Social Security Number, to cybercriminals is ‘plausibly . . . offensive to a reasonable person,’ which is a key element of the common-law tort of public disclosure of private information. ... And while one might dispute whether the disclosure of Plaintiff's Sensitive Information to cybercriminals is sufficiently ‘public’ under the tort . . . the common-law analogue need not be an ‘exact duplicate.’” (Internal quotation marks simplified.) Responding to the argument that the tort of public disclosure of private information historically required the showing of a willful disclosure, the court also found that plaintiff's allegation that defendant willfully misrepresented the sufficiency of its data privacy and security practices, despite the well-known risks of cybersecurity threats, is sufficiently analogous to the willful disclosure required to state the common-law tort.

“[P]laintiffs plausibly allege injury-in-fact in the form of a loss of privacy protected under the DPPA [Driver’s Privacy Protection Act]. The loss of privacy arising out of the data breach, against which the DPPA was intended to protect, bears a sufficiently ‘close relationship’ to the tort of public disclosure of private information, recognized at common law. … To be clear, it is debatable whether USAA's disclosure to even a group of cybercriminals is sufficiently ‘public’ under the tort, and whether the type of disclosure here is sufficiently ‘offensive,’ but the Supreme Court is equally clear that the common-law analogue need not be an ‘exact duplicate.’” In re USAA Data Sec. Litig., 621 F. Supp. 3d 454, 465-66 (S.D.N.Y. 2022).

4.2.1.3 Standing Based on Risk of Future Harm Plus Current Emotional Harm

Granting standing based on plaintiff’s “financial security concerns, a cognizable emotional injury under Article III.” Whitfield v. ATC Healthcare Servs., LLC, 2023 U.S. Dist. LEXIS 147602 *14 (E.D.N.Y. Aug. 22, 2024).

Rejecting standing based on emotional distress:

  • Tate v. Eyemed Vision Care, LLC, 2023 U.S. Dist. LEXIS 175840 (W.D. Ohio Sept. 29, 2023).

  • Florence v. Order Express, 674 F. Supp. 3d 472, 482 (E.D. Ill. 2023).

Where plaintiffs seek to base standing on risk of future harm plus a current harm (either emotional harm or the costs of avoiding or mitigating the risk of future harm), pay attention to the separate “imminence” prong of injury-in-fact. To address imminence, courts apply the McMorris factors, including the sensitivity of the data. Compare, e.g., Farley v. Eye Care Leaders Holdings, LLC, 2023 U.S. Dist. LEXIS 15480 *11-12, 2023 WL 1353558 (M.D.N.C. Jan. 31, 2023) (where some data breach victims had already experienced the misuse of their data, resulting in spam messages, hacked email addresses, fraudulent credit card charges, and adverse impacts to their credit scores, plaintiffs' fear of future injury was not just speculative), with Perkins v. CommonSpirit Health, 2023 U.S. Dist. LEXIS 179479, 2023 WL 6520264 (N.D. Ill. Oct. 5, 2023) (where compromise involved non-sensitive demographic information, including names, addresses, phone numbers, and dates of birth, future losses were not imminent).

Applying the Clemens version of the McMorris factors, a district court in Pennsylvania found that the alleged injury in fact of one plaintiff was sufficiently imminent because she had alleged that her PII had been used to submit two fraudulent credit card applications. Her allegation that she had suffered fear, anxiety, and stress satisfied the concreteness prong. However, the court found no standing for a different plaintiff who did not plead that her PII was used for fraudulent activity, identity theft, or published on the dark web. “Without sufficient allegations of misuse, the Court cannot find her alleged injury to be imminent. By failing to establish imminence, [plaintiff] has not adequately pled an injury in fact.” It didn’t help that this plaintiff was not certain that the hackers behind the data breach even accessed her PII. Tignor v. Dollar Energy Fund, Inc., 2024 U.S. Dist. LEXIS 146125 at *20-22 (W.D. Pa. Aug. 15, 2024).

4.2.1.4 Standing Based on Costs of Mitigating the Risk of Future Harm

Greenstein v. Noblr, No. 22-17023, 2024 U.S. App. LEXIS 21104 (9th Cir. Aug. 21, 2024), highlights that the first step in establishing standing is to clearly allege that the plaintiff’s data was actually stolen, and the case shows that a carefully crafted breach notice letter may not resolve that question. The case involved a possible compromise of driver’s license numbers. The complaint had relied heavily on a breach notice the defendant sent to 97,633 individuals, including plaintiffs. The court found that the description of the attack provided in the notice was insufficient to establish that plaintiffs’ driver’s license numbers were stolen. While the notice confirmed that “the attackers were able to access driver’s license numbers,” it stopped short of confirming that any individual recipient of the notice had his or her driver’s license number stolen. Instead, in explaining (as required under California law) “what information was involved,” the notice stated only that each recipient’s “name, driver’s license number, and address may have been accessed.” That “may” was fatal to plaintiffs’ standing. (Breached entities must be careful, of course, not to understate the certainty of a breach and must not suggest ambiguity where there is none.) Although plaintiffs had included in their complaint at least some affirmative allegations that their driver’s license numbers were stolen, the appeals court concluded that these statements were merely conclusory and that it did not need to accept them where they were unsupported by plaintiffs’ heavy reliance on the facts contained in the notice.
“Where, as here, Plaintiffs have not sufficiently alleged that their personal information was actually stolen, they cannot rely on the increased risk such a theft might have posed had it occurred.” Because plaintiffs had not established a sufficient risk of future harm, their argument that they had alleged separate concrete harms stemming from that risk (in the form of mitigation costs) also failed.

Rejecting standing based on loss of time: Owens v. Smith, Gambrell and Russell International, LLP, 2024 U.S. Dist. LEXIS 96648 (C.D. Cal. May 30, 2024). “[L]oss of time spent on mitigation efforts is cognizable as an injury-in-fact only where it is a reasonable reaction to the plaintiff’s foreseen risk of future harm.” Since the complaint had not alleged that hackers had taken steps to use plaintiffs’ PII, or that plaintiffs had spent a substantial amount of time on mitigation, or had been adversely affected by the events that led to, and occurred after such efforts began, the allegations in the complaint “are insufficient to establish that Plaintiffs have suffered an injury-in-fact through lost time.”

Expenditure of resources remediating and mitigating harm caused by a data breach establishes standing. Whitfield v. ATC Healthcare Servs., LLC, 2023 U.S. Dist. LEXIS 147602 *10-12 (E.D.N.Y. Aug. 22, 2024).

Rejecting standing based on time spent monitoring financial accounts. Tate v. Eyemed Vision Care, LLC, 2023 U.S. Dist. LEXIS 175840 (W.D. Ohio Sept. 29, 2023).

“[B]ecause plaintiffs adequately plead an imminent risk of future identity theft, the costs plaintiffs allegedly incurred mitigating that risk (including fees for credit freezes, fees for credit monitoring services, and the time and resources spent monitoring credit and financial transactions), constitute an independent injury-in-fact.” In re USAA Data Sec. Litig., 621 F. Supp. 3d 454, 467 (S.D.N.Y. 2022).

4.2.1.5 Standing Based on Risk of Future Harm

Despite TransUnion, some courts have still granted standing based on risk of future harm.

For example, in Weekes v. Cohen Cleary PC, no. 1:23-cv-10817, 2024 U.S. Dist. LEXIS 47673 *6-8 (D. Mass. Mar. 15, 2024), the court held that “risk of future identity theft, after actual identity theft of another individual affected by the same breach has occurred, combined with other indicia of risk,” was an independent basis to establish an Article III injury.

Also granting standing based on risk of future identity fraud or theft: Owens v. Smith, Gambrell and Russell International, LLP, 2024 U.S. Dist. LEXIS 96648 (C.D. Cal. May 30, 2024). “Because Plaintiffs have alleged the stealing of sufficiently sensitive information as to render future identity fraud or theft likely, they have alleged a sufficient injury-in-fact to establish standing under Article III.” The court relied heavily on Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), and In re Zappos.com, Inc., 888 F.3d 1020 (9th Cir. 2018). “The exposure of social security numbers has particular force, for ‘[w]ithout a hack of information such as social security numbers, account numbers, or credit card numbers, there is no obvious, credible risk of identity theft that risks real, immediate injury.’”

In re Lakeview Loan Servicing Data Breach Litig., 2023 U.S. Dist. LEXIS 224865 (S.D. Fla. Dec. 15, 2023): “Eleventh Circuit precedent is clear: ‘[t]he actual identity theft already suffered by some [p]laintiffs further demonstrates the risk of identity theft all [p]laintiffs face.’ In re Equifax Inc. Customer Data Sec. Breach Litig., 999 F.3d 1247, 1262 (11th Cir. 2021). Here, some of the named Plaintiffs allege actual injuries resulting from the Data Breach, including unauthorized credit card charges, identity theft, and unauthorized opening of bank accounts. … Though the five Plaintiffs at issue have not experienced such injuries, they do allege that the third-party hacker obtained the PII of about 4 million customers and that the exposed PII can be and, in certain cases, has been sold to other identity thieves or on the dark web.  … Such allegations are sufficient to show that the risk of identity theft and fraud is material and imminent. In re Equifax, 999 F.3d 1262-63. Additionally, the Eleventh Circuit has also held that exposure of one's PII on the dark web shows a present injury as well. Green-Cooper, 73 F.4th at 889-890.”

Magistrate’s opinion recommending dismissal for lack of standing, applying factors relied on by the Third Circuit in its Clemens ruling and comparing Clemens with the Circuit’s pre-TransUnion ruling in Reilly: McGowan v. Core Cashless, LLC, 2023 U.S. Dist. LEXIS 187257 (W.D. Pa. Oct. 17, 2023). Among other things, the court noted that 18 months had passed since the breach without plaintiff experiencing any attempted identity theft or fraud.

Rejecting standing based on the risk of future fraud or identity theft:

  • Tate v. Eyemed Vision Care, LLC, 2023 U.S. Dist. LEXIS 175840 (W.D. Ohio Sept. 29, 2023).

  • McCombs v. Delta Group Electronics, Inc., 676 F. Supp. 3d 1064 (D.N.M. 2023).

4.2.1.6 Standing Based on Diminished Value of Compromised PII

Rejecting standing based on diminution of value of PII: Owens v. Smith, Gambrell and Russell International, LLP, 2024 U.S. Dist. LEXIS 96648 (C.D. Cal. May 30, 2024). “[T]o survive a motion to dismiss on this theory of injury, a plaintiff ‘must establish both the existence of a market for her personal information and an impairment of her ability to participate in that market.’”

Rejecting standing based on diminished value of PII: Tate v. Eyemed Vision Care, LLC, 2023 U.S. Dist. LEXIS 175840 (W.D. Ohio Sept. 29, 2023). “Plaintiffs have not alleged that the theft of their PII from one entity will interfere with their ability to conduct such exchanges down the road (e.g., Facebook will not deny them an account because their PII has been stolen and is thus less valuable than it otherwise might be).”

4.2.1.7 Standing Based on Loss of Benefit of the Bargain Regarding Data Security

Rejecting standing based on lost benefit of the bargain: Tate v. Eyemed Vision Care, LLC, 2023 U.S. Dist. LEXIS 175840 (W.D. Ohio Sept. 29, 2023). “Plaintiffs' retroactive attempt to characterize consideration for vision benefits as payment for data security is a stretch to say the least. Plaintiffs do not allege that data security ever formed part of the contractual bargain for vision benefits.”

4.2.1.9 Statutory Standing (Under Federal Laws and State Reasonable Security Measures Statutes)

Although the federal Driver’s Privacy Protection Act provides a private right of action, 18 U.S. Code § 2724, the Ninth Circuit concluded in Greenstein v. Noblr, No. 22-17023, 2024 U.S. App. LEXIS 21104 (Aug. 21, 2024), that the DPPA provided no basis for standing because the disclosure of driver’s license numbers was not analogous to the common law torts of intrusion upon seclusion, invasion of privacy, or public disclosure of private facts, being neither “highly offensive,” nor “an egregious breach of the social norms,” nor “offensive and objectionable to the reasonable person.” Accord Baysal v. Midvale Indem. Co., 78 F.4th 976 (7th Cir. 2023).

4.2.3 “fairly traceable” and “redressable”

Finding no traceability: Greenstein v. Noblr, No. 22-17023, 2024 U.S. App. LEXIS 21104 (Aug. 21, 2024).

The district court for the Western District of Pennsylvania stated that but-for causation and concurrent causation are both sufficient to satisfy the traceability requirement. Where plaintiffs alleged that their PII could not have been exfiltrated in the data breach “but for” defendant’s failure to safeguard it, that is sufficient to establish traceability in the face of a 12(b)(1) motion. Tignor v. Dollar Energy Fund, Inc., 2024 U.S. Dist. LEXIS 146125 at *9 (W.D. Pa. Aug. 15, 2024).

Finding allegations inadequate to establish traceability: Maser et al. v. CommonSpirit Health, no. 1:23-cv-01073, 2024 U.S. Dist. LEXIS 102196 *22-24, 2024 WL 2863579 (D. Colo. Apr. 16, 2024) (magistrate’s recommendation).

Standing for Injunctive Relief

In TransUnion, the Supreme Court indicated that standing would be available for risk of future harm on claims for injunctive relief. However, standing in such cases is not automatic. For example, in Weekes v. Cohen Cleary PC, no. 1:23-cv-10817 (D. Mass. Mar. 15, 2024), the court refused to grant standing to seek injunctive relief, because the pleadings were insufficient to establish that plaintiff faces a certainly impending or substantial risk that her PII in the hands of the defendants will once again be exposed to hackers. “An injunction here would not redress the harm caused by the current or a future breach.”

________________________________________________________________ 

SUPPLEMENTAL MATERIAL TO THE SECOND EDITION (ADDITIONAL CASES)

4.1.3 Injury for Standing Is Different from Injury as an Element of a Legal Claim

Here are some more cases where an alleged injury was sufficient to establish standing but not sufficient to state a claim under the relevant substantive law doctrine:

  • Kuhns v. Scottrade, Inc., 868 F.3d 711, 716 (8th Cir. 2017) (there was injury-in-fact for standing (diminished value of bargain), but case dismissed because the alleged injury was not the kind of actual damage required to state a claim of breach of contract).

  • Krottner v. Starbucks, 406 F. App’x 129, 131 (9th Cir. 2010) (after an earlier ruling finding standing, dismissed for failure to state a claim).

  • Bohnak v. Marsh & McLennan, 1:21-CV-06096 (S.D.N.Y. Jan. 17, 2022) (post-TransUnion, holding that plaintiffs had standing based on risk of future harm, but dismissing because the harm alleged was not adequate to support the damages element of the claim being asserted).

  • Gardiner v. Walmart Inc., 2021 U.S. Dist. LEXIS 75079 *13, 2021 WL 2520103 (N.D. Ca. March 5, 2021) (pre-TransUnion, dismissing under 12(b)(6) negligence, breach of contract, and unfair competition law claims: “the allegations required to sufficiently plead injury-in-fact for purposes of Article III standing are not the same as those required to plead damages for purposes of state law claims”). See also Gardiner v. Walmart, Inc., 2021 U.S. Dist. LEXIS 211251 (N.D. Ca. July 28, 2021) (dismissal with prejudice).

4.2.1.1 Standing Based on Actual Identity Theft or Out-of-Pocket Expenses

Other illustrative cases finding standing based on actual identity theft or fraudulent charges:

  • In re GEICO Customer Data Breach Litig., 2023 U.S. Dist. LEXIS 127536

  • In re Am. Med. Collection Agency, Inc. Customer Data Sec. Breach Litig., No. 19-2904, 2021 U.S. Dist. LEXIS 240360, 2021 WL 5937742 (D.N.J. Dec. 16, 2021) (the harms to plaintiffs who alleged that they discovered fraudulent charges on their financial accounts and had new fraudulent accounts opened in their names were “quintessentially concrete”).

  • Enslin v. Coca-Cola Co., 136 F. Supp. 3d 654 (E.D. Pa. 2015) (standing where credit cards or bank accounts had been misused by thieves).

  • Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012) (standing where plaintiffs alleged that they suffered identity theft and incurred monetary losses).

  • Lambert v. Hartman, 517 F.3d 433 (6th Cir. 2008) (“actual financial injuries are sufficient to meet the injury-in-fact requirement”).

Other cases treating time spent as a harm adequate to establish standing, at least pre-TransUnion:

  • Dieffenbach v. Barnes & Noble, Inc., 887 F.3d 826, 828 (7th Cir. 2018) (“[T]he value of one’s own time needed to set things straight is a loss from an opportunity-cost perspective.”).

  • Bass v. Facebook, 394 F.Supp. 3d 1024, 1035 (N.D. Cal. 2019) (“True, sorting through a few dozen e-mails may or may not have taken an hour to rectify and perhaps the time spent later proves de minimis. This story, however, has yet to end. As consequences of this data breach continue to unfold, so too, will plaintiff’s invested time.”). 

Cases holding that the hassle of dealing with unsolicited calls or spam emails alone did not give rise to standing:

  • Cooper v. Bonobos, 21-CV-854, 2022 U.S. Dist. LEXIS 9469 (S.D.N.Y. Jan. 19, 2022).

  • Legg v. Leaders Life Ins. Co., No. 21-655, 2021 U.S. Dist. LEXIS 232833 (W.D. Okla. Dec. 6, 2021) (receipt of phishing emails, while perhaps “consistent with” data misuse, did not “plausibly suggest” that any actual misuse of plaintiff's personal identifying information had occurred).

  • Travis v. Assured Imaging LLC, 2021 U.S. Dist. LEXIS 89129 at *19 (D. Ariz. May 10, 2021) (a dramatic increase in targeted spam phone calls after ransomware attack did not constitute an injury for purposes of standing).

  • Cherny v. Emigrant Bank, 604 F. Supp. 2d 605, 609 (S.D.N.Y. Mar. 12, 2009) (“The receipt of spam by itself... does not constitute a specific injury entitling [plaintiff] to compensable relief.”).

  • Gordon v. Virtumundo, Inc., 06-0204, 2007 U.S. Dist. LEXIS 35544 (W.D. Wash. May 15, 2007) (the harm suffered “must rise beyond the level typically experienced by consumers - i.e., beyond the annoyance of spam.”).

4.2.1.2 Standing Based on the Privacy Intrusion or Loss Itself

Granting standing based on the loss of privacy:

  • Florence v. Order Express Inc, no. 1:22-cv-07210 (N.D. Ill. May 23, 2023) (“Plaintiffs’ alleged loss of privacy resulting from the data breach is a concrete injury in fact. The publication [on the dark web] of Plaintiffs’ sensitive personal information—including social security numbers, driver’s license numbers, and tax identification numbers—has a close relationship to disclosure of private information, a common-law theory of harm.” The court cited the “highly offensive” standard, but found it sufficient that the compromised information was information which a reasonable person would prefer to keep private.).

  • Miller v. Syracuse University, 2023 WL 2572937 (N.D.N.Y. Mar. 20, 2023) (allegation that defendant's conduct resulted in the exposure of sensitive information, including his Social Security Number, to cybercriminals is “plausibly ... offensive to a reasonable person,” which is a key element of the common-law tort of public disclosure of private information, relying on statements in Spokeo and TransUnion that the common-law analogue need not be an “exact duplicate”).

As noted in the book, the Third Circuit held in In re Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F.3d 625, 639 (3d Cir. 2017) that "the unauthorized dissemination of personal information" causes "an injury in and of itself—whether or not the disclosure of that information increase[s] the risk of identity theft or some other future harm." For a post-TransUnion case treating In re Horizon as good precedent, see Mantagas v. Shi Int'l Corp., 2023 U.S. Dist. LEXIS 154110 (D. N.J. Aug. 32, 2023), where the court, although it found that allegations had fallen short, started from the proposition that “once a plaintiff satisfies his burden to allege facts suggesting the actual dissemination of his personal information, he may establish standing without an additional showing of direct economic injury.”

Other cases finding no standing arising out of ransomware attacks:

  • Graham v. Universal Health Serv., 2021 U.S. Dist. LEXIS 93075 (E.D. Pa. May 17, 2021).

  • Quintero v. Metro Santurce, Inc., 2021 U.S. Dist. LEXIS 237071 (D. P.R. Dec. 9, 2021).

  • Travis v. Assured Imaging LLC, 2021 U.S. Dist. LEXIS 89129 (D. Ariz. May 10, 2021).

Denying standing based on an interpretation of traditional privacy law:

  • Kim v. McDonald's USA, No. 1:21-cv-05287 (N.D. Ill. Sept. 27, 2022) (disclosure of delivery addresses, phone numbers, and email addresses did not bear a close relationship to a traditional harm recognized in the courts).

  • Aponte v. Northeast Radiology, P.C., 21 CV 5883 (VB) (S.D.N.Y. May 16, 2022) (plaintiffs claimed that they suffered an injury-in-fact through intrusion upon their seclusion, but the court, in a discussion that seemed to conflate injury-in-fact with the elements of the tort of intrusion upon seclusion, rejected this theory on the ground that it was not the defendants who intruded upon plaintiffs’ seclusion, but instead other, unauthorized third parties, thus no close historical or common-law analogue to the alleged injuries they suffered from defendants’ actions).

  • In re Practicefirst Data Breach Litigation, 1:21-CV-00790 (JLS/MJR), 2022 U.S. Dist. LEXIS 19272 *25-27, 2022 WL 354544 (W.D.N.Y. Feb. 2, 2022) (citing multiple other cases).

4.2.1.3 Standing Based on Emotional Harm

Granting standing for emotional harm: Bowen v. Paxton Media Grp., LLC, no. 5:21-CV-00143-GNS, 2022 U.S. Dist. LEXIS 162083, 2022 WL 4110319 (W.D. Ken. Sept. 8, 2022).

Denying standing for emotional harm:

  • Florence v. Order Express Inc, no. 1:22-cv-07210 (N.D. Ill. May 23, 2023) (relying on Seventh Circuit precedent repeatedly rejecting standing arguments based on emotional distress, anxiety, and annoyance).

  • Patterson v. Med. Review Inst., 2022 U.S. Dist. LEXIS 154193, 2022 WL 3702102 (N.D. Cal. Aug. 26, 2022).

  • Callahan v. Ancestry.com, Inc., No. 20-cv-08437-LB, 2021 U.S. Dist. LEXIS 112036, 2021 WL 2433893, at *4-5 (N.D. Cal. June 15, 2021) (holding, in data breach context, “anxiety and stress” without “credible threat of future identity theft” is not cognizable injury in fact).

4.2.1.4 Standing Based on Costs of Mitigating the Risk of Future Harm

Granting standing based on mitigation expenses:

  • Florence v. Order Express Inc, no. 1:22-cv-07210 (N.D. Ill. May 23, 2023) (distinguishes Kim v. McDonald’s USA, 2022 WL 4482826 (N.D. Ill. Sept. 27, 2022)).

  • Mackey v. Belden, Inc., 2021 U.S. Dist. LEXIS 145000 (E.D. Mo. Aug. 3, 2021). The court found that “injury is clearly imminent where PII including social security numbers has been stolen by hackers and unauthorized persons have already attempted to use such information to falsely file a tax return on a plaintiff's behalf,” but it is not clear if this risk of future harm alone was enough, as the court went on to say that it “finds that Mackey suffered injury in fact by expending time and resources in responding to an actual attempted identity theft.”

  • Bowen v. Paxton Media Grp., LLC, no. 5:21-CV-00143-GNS, 2022 U.S. Dist. LEXIS 162083, 2022 WL 4110319 (W.D. Ken. Sept. 8, 2022) (relying on TransUnion, holding that risk of future harm plus mitigation costs establish standing).

Rejecting standing based on mitigation costs:

  • Burns v. Mammoth Media, Inc., 2023 U.S. Dist. LEXIS 153846 (C.D. Cal. Aug. 29, 2023) (“[T]he data accessed in the Wishbone breach was not sensitive enough to create a sufficient risk of identity theft to constitute an actual injury for purposes of standing. Plaintiff's efforts to mitigate any such illusory risk are, therefore, also insufficient to support standing.”).

  • De Medicis v. Ally Bank, no. 21 Civ. 6799 NSR, 2022 U.S. Dist. LEXIS 137337 *14-17 (S.D.N.Y. Aug. 2, 2022) (time spent on mitigating future risks only counts if the risk was substantial; in this case, it wasn’t, applying the McMorris factors to the facts alleged).

  • Greenstein v. Noblr Reciprocal Exch., 585 F.Supp. 3d 1220 (N.D. Cal. 2022).

  • Kim v. McDonald's USA, No. 1:21-cv-05287, 2022 WL 4482826 (N.D. Ill. Sept. 27, 2022) (time spent responding to the breach qualifies as “actual injuries” only when the harm is imminent, and here the data compromised was not sensitive enough to be used to commit fraud).

  • Patterson v. Med. Review Inst., 2022 U.S. Dist. LEXIS 154193 at *6-7, 2022 WL 3702102 (N.D. Cal. Aug. 26, 2022).

  • In re Practicefirst Data Breach Litigation, 1:21-CV-00790 (JLS/MJR), 2022 U.S. Dist. LEXIS 19272, 2022 WL 354544 (W.D.N.Y. Feb. 2, 2022) (applying McMorris factors, no imminent risk of future harm, therefore mitigation costs don’t qualify).

  • Aponte v. Northeast Radiology, P.C., no. 21 CV 5883 (VB), 2022 U.S. Dist. LEXIS 87982 (S.D.N.Y. May 16, 2022).

  • Cooper v. Bonobos, 21-CV-854, 2022 U.S. Dist. LEXIS 9469 (S.D.N.Y. Jan. 19, 2022).

4.2.1.5 Standing Based on Risk of Future Harm

Pre-TransUnion cases granting standing based on risk of future harm:

  • McMorris v. Carlos Lopez & Assoc., LLC, 995 F.3d 295 (2d Cir. 2021): “[P]laintiffs may establish standing based on an increased risk of identity theft or fraud following the unauthorized disclosure of their data.”

  • Hutton v. National Board of Examiners in Optometry, Inc., 892 F.3d 613 (4th Cir. 2018) (distinguishes Beck, finds standing).

  • Galaria v. Nationwide Mutual Ins., 663 F. App'x 384 (6th Cir. 2016) (theft of credit card data created continuing, increased risk of fraud and identity theft sufficient to establish standing).

  • Remijas v. Neiman Marcus, 794 F.3d 688 (7th Cir. 2015) (stolen credit card data; increased risk of fraudulent credit card charges and identity theft sufficient to establish standing; "customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an 'objectively reasonable likelihood' that such an injury will occur," quoting Clapper, 568 U.S. at 410). Accord: Lewert v. P.F. Chang’s, 819 F.3d 963 (7th Cir. 2016).

  • In re SuperValu, Inc., Customer Data Security Breach Litigation, 870 F.3d 763 (8th Cir. 2017) (substantial risk of identity theft may give rise to standing, but not on these allegations).

  • Krottner v. Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir. 2010). Accord: In re Zappos, 888 F.3d 1020 (9th Cir. 2018), cert. denied sub nom. Zappos.com v. Stevens, 139 S. Ct. 1373 (2019) (risk of future identity fraud or identity theft establishes standing).

  • Attias v. CareFirst, 865 F.3d 620 (D.C. Cir. 2017), cert. denied (2018) (substantial risk of harm exists, giving rise to standing, simply by virtue of the hack and the nature of the data that the plaintiffs allege was taken). Accord: AFGE v. OPM (In re United States OPM Data Sec. Breach Litig.), 928 F.3d 42 (D.C. Cir. 2019).

Pre-TransUnion cases denying standing based on risk of future harm:

  • Katz v. Pershing, LLC, 672 F.3d 64 (1st Cir. 2012) (where plaintiff did not allege that there had been a breach of her information, but only that a breach might occur given the frequency of data breaches in general, her purchase of identity theft insurance and credit monitoring services to guard against a possibility that her information might someday be pilfered was not enough to establish standing).

  • Whalen v. Michaels Stores, Inc., 689 F. App’x 89, 91-92 (2d Cir. 2017) (no standing even though there had been attempts to make fraudulent charges using the plaintiff’s stolen data).

  • Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011) (“allegations of hypothetical, future injury do not establish standing under Article III”).

  • Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017), cert. denied sub nom. Beck v. Shulkin, 137 S. Ct. 2307 (2017) (on the facts, risk of future harm coupled with mitigation costs not enough to create standing).

  • Tsao v. Captiva MVP Rest. Partners, LLC, 986 F. 3d 1332 (11th Cir. 2021) (based on the nature of the information compromised, no standing for risk of future identity theft).

Post-TransUnion cases rejecting standing based on risk of future harm:

  • Greenstein v. Noblr Reciprocal Exch., 585 F. Supp. 3d 1220, 1227-29 (N.D. Cal. 2022) (reviewing cases in the Ninth Circuit that treated different kinds of data differently (social security numbers, credit card numbers, driver’s license data, addresses), the court found no standing based on risk of future harm because the type of data at issue in the case did not pose an imminent risk of harm).

  • Kim v. McDonald's USA, No. 1:21-cv-05287 (N.D. Ill. Sept. 27, 2022) (rejected standing based on increased risk of becoming the victims of phishing scams and identity theft in the future, relying on the conclusion that the data stolen (delivery addresses, phone numbers, and email addresses) was not sensitive).

  • Aponte v. Northeast Radiology, P.C., No. 21 CV 5883 (VB), 2022 U.S. Dist. LEXIS 87982 (S.D.N.Y. May 16, 2022) (in the absence of allegations that third parties misused or attempted to misuse their data, and applying the McMorris factors, no standing based on risk of future harm).

  • In re Practicefirst Data Breach Litigation, 1:21-CV-00790 (JLS/MJR), 2022 U.S. Dist. LEXIS 19272, 2022 WL 354544 (W.D.N.Y. Feb. 2, 2022).

  • Cooper v. Bonobos, 21-CV-854 (JMF), 2022 U.S. Dist. LEXIS 9469 (S.D.N.Y. Jan. 19, 2022) (applying the McMorris factors and concluding that the third one was fatal, because the type of data exposed (name, address, email address, order history, IP address, encrypted password and the last four digits of his credit card number) was not susceptible to misuse).

  • Burns v. Mammoth Media, Inc., No. CV 20-04855 DDP (SKx), 2021 U.S. Dist. LEXIS 149190, 2021 WL 3500964 (Aug. 6, 2021) (without citing TransUnion, court credits defendant’s declaration that information compromised was essentially useless (an assertion plaintiff failed to respond to); good example of factual challenge to standing). See also Burns v. Mammoth Media, Inc., 2023 U.S. Dist. LEXIS 153846 (C.D. Cal. Aug. 29, 2023), coming to the same conclusion about plaintiff’s second amended complaint.

4.2.1.6 Standing Based on Diminished Value of Compromised PII

Also rejecting standing based on diminution in value:

  • Burns v. Mammoth Media, Inc., 2023 U.S. Dist. LEXIS 153846 (C.D. Cal. Aug. 29, 2023).

  • Greenstein v. Noblr Reciprocal Exch., 585 F. Supp. 3d 1220, 1229 (N.D. Cal. 2022).

  • In re Practicefirst Data Breach Litigation, 1:21-CV-00790 (JLS/MJR), 2022 U.S. Dist. LEXIS 19272 *24, 2022 WL 354544 (W.D.N.Y. Feb. 2, 2022) (“plaintiffs do not allege that they attempted to sell their personal information and were forced to accept a decreased price, nor do they allege any details as to how their specific, personal information has been devalued because of the breach”).

  • Cooper v. Bonobos, Inc., No. 21-CV-854, 2022 U.S. Dist. LEXIS 9469 *15-16, 2022 WL 170622 (S.D.N.Y. Jan. 19, 2022).

  • Legg v. Leaders Life Ins. Co., No. 21-655, 2021 U.S. Dist. LEXIS 232833 (W.D. Okla. Dec. 6, 2021).

  • Rahman v. Marriott Int’l, Inc., No. SA CV 20-00654-DOC-KES, 2021 U.S. Dist. LEXIS 15155 *6 (C.D. Cal. Jan. 12, 2021) (based on pleadings, alleged loss of value of personal information was not grounds for standing).

  • Razuki v. Caliber Home Loans, Inc., No. CV 17-1718-LAB (WVGx), 2018 WL 6018361, at *1 (S.D. Cal. Nov. 15, 2018) (finding allegations of damages based on diminution of value of personal data insufficient where plaintiff failed to allege enough facts to establish how his personal information was less valuable as a result of the breach).

  • Fero v. Excellus Health Plan, Inc., 236 F. Supp. 3d 735, 755-56 (W.D.N.Y. 2017).

  • Chambliss v. Carefirst, Inc., 189 F. Supp. 3d 564, 572 (D. Md. 2016) (court held that it “need not decide whether such personal information has a monetary value, as Plaintiffs have not alleged that they have attempted to sell their personal information or that, if they have, the data breach forced them to accept a decreased price for that information”).

  • Khan v. Children’s Nat’l Health Sys., 188 F. Supp. 3d 524, 533–34 (D. Md. 2016) (plaintiff did not “explain how the hackers’ possession of that information has diminished its value, nor does she assert that she would ever actually sell her own personal information”).

  • In re Sci. Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F. Supp. 3d 14 (D.D.C. 2014).

  • In re Google Android Consumer Privacy Litig., No. 11-MD-02264 JSW, 2013 U.S. Dist. LEXIS 42724, 2013 WL 1283236, at *4 (N.D. Cal. Mar. 26, 2013) (plaintiffs failed to allege facts sufficient to show injury based on purported diminution of their PII for the purposes of Article III standing).

Note, moreover, that generalized allegations of lost value are not likely to be sufficient to satisfy the damages element of a claim in negligence or contract:

  • Pruchnicki v. Envision Healthcare Corp., 845 Fed. Appx. 613, 614-15 (9th Cir. 2021) (although personal information may have value in general, the plaintiff “failed to adequately allege that her personal information actually lost value,” and thus failed to establish the damages element for state law claims).

  • Gardiner v. Walmart Inc., 4:20-cv-04618, 2021 U.S. Dist. LEXIS 75079 *12, 2021 WL 2520103 (N.D. Cal. March 5, 2021) (where plaintiff had not alleged that he had been unable to sell, profit from, or monetize his personal information, allegations of the loss of value of PII insufficient to satisfy the damages element of UCL, negligence, and breach of contract claims).

Still, if properly pled, diminution of value of personal information can be a viable damages theory. See In re Facebook Privacy Litig., 572 F. App’x 494 (9th Cir. 2014). See also Svenson v. Google Inc., No. 13-cv-04080-BLF, 2016 WL 8943301, at *9 (N.D. Cal. Dec. 21, 2016).

4.2.1.7 Standing Based on Loss of Benefit of the Bargain Regarding Data Security

Cases rejecting lost benefit of the bargain as a basis for standing include:

  • Aponte v. Northeast Radiology, P.C., No. 21 CV 5883 (VB), 2022 U.S. Dist. LEXIS 87982 (S.D.N.Y. May 16, 2022).

  • C.C. v. Med-Data Inc., 2022 U.S. Dist. LEXIS 60555 at *22-25, 2022 WL 970862 (D. Kan. Mar. 31, 2022).

  • In re PracticeFirst Data Breach Litigation, 1:21-CV-00790 (JLS/MJR) (W.D.N.Y. Feb. 2, 2022).

  • In re Am. Med. Collection Agency, Inc. Customer Data Sec. Breach Litig., 2021 U.S. Dist. LEXIS 240360, at *46-47, 2021 WL 5937742, at *11 (D. N.J. Dec. 16, 2021) (“The [complaints] lack any allegation that Plaintiffs’ Personal Information was of any material economic value with respect to the services Plaintiffs received from Defendants.”).

  • Legg v. Leaders Life Ins. Co., No. 21-655, 2021 U.S. Dist. LEXIS 232833 (W.D. Okla. Dec. 6, 2021) (plaintiff had not “indicated that he paid any sort of [insurance] premium in exchange for data security or that the data breach diminished the value of the insurance products he received in return”).

  • In re Brinker Data Incident Litig., No. 18-686, 2020 U.S. Dist. LEXIS 247918, 2020 WL 691848, at *13 (M.D. Fla. Jan. 27, 2020) (rejecting benefit of the bargain theory alleging that defendants failed to protect financial information plaintiffs supplied to purchase food and drinks because “the food or drink purchased ha[d] no diminished value because of [defendant's] alleged inadequate data security”).

  • Khan v. Children’s Nat’l Health Sys., 188 F. Supp. 3d 524, 531, 533 (D. Md. 2016) (finding no standing based on overpayment allegations when plaintiff did “not allege any facts showing that she overpaid for … services or that she would have sought those services from another provider had she been aware of the hospital’s allegedly lax data security”).

  • In re Sci. Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F. Supp. 3d 14, 30 (D.D.C. 2014): “To the extent that Plaintiffs claim that some indeterminate part of their premiums went toward paying for security measures, such a claim is too flimsy to support standing. They do not maintain, moreover, that the money they paid could have or would have bought a better policy with a more bullet-proof information-security regime. Put another way, Plaintiffs have not alleged facts that show that the market value of their insurance coverage (plus security services) was somehow less than what they paid. Nothing in the Complaint makes a plausible case that Plaintiffs were cheated out of their premiums. As a result, no injury lies.”

Cases accepting lost benefit of the bargain as a basis for standing:

  • In re LinkedIn User Privacy Litig., 2014 U.S. Dist. LEXIS 42696, at *20-21 (N.D. Cal. Mar. 28, 2014) (finding Article III standing based on allegations that the plaintiff purchased her premium subscription on the basis of LinkedIn’s statement that its users’ data will be secured with industry standards and technology, that the statement was false when she read and relied on it, and that she would not have made the purchase (or that she would have negotiated for a lower price) but for the misrepresentation). 

  • Svenson v. Google Inc., 2015 U.S. Dist. LEXIS 43902, 2015 WL 1503429 (N.D. Cal. Apr. 1, 2015), was not a data breach case but rather a privacy case involving Google’s disclosure to app vendors of data obtained in the course of processing transactions through Google Wallet. Most of the opinion focused on the elements of the causes of action alleged (breach of contract, breach of the implied covenant of good faith and fair dealing, and unfair competition), finding that Svenson had alleged facts sufficient to show damages based on a benefit of the bargain theory. This, the court said in a very short discussion, was also enough to establish injury-in-fact for standing purposes.

  • Cain v. Redbox Automated Retail, LLC, 981 F. Supp. 2d 674, 687 (E.D. Mich. 2013) (also not a data breach case, but finding that the plaintiffs sufficiently alleged “that they didn’t receive the full benefit of their bargain” by alleging that they suffered monetary harm because “a portion of the price of each Redbox rental paid for by Plaintiffs … was intended to ensure the confidentiality of Plaintiffs’ … Personal Viewing Information”).

Courts sometimes use “standing” in a different way, to refer to the elements of a legal claim:

  • The district court in In re Yahoo! Inc. Customer Data Sec. Breach Litigation, 313 F. Supp. 3d 1113 (N.D. Cal. 2018), found that one representative plaintiff adequately alleged benefit-of-the-bargain injury to satisfy the showing of “lost money or property” required under the California Unfair Competition Law (UCL). The court referred to this as a standing requirement, but it was talking about the elements of the claim under state law, not Article III standing: “In order to establish standing for a UCL claim, Plaintiffs must show that they personally ‘lost money or property as a result of the unfair competition.’”

  • In re Anthem, Inc. Data Breach Litig., 162 F. Supp. 3d 953, 985 (N.D. Cal. 2016) is another case where a court ruled that loss of benefit of the bargain is a cognizable injury, but it was referring not to Article III standing but rather to the injury needed to state a claim under New York General Business Law § 349, which prohibits deceptive acts or practices in the conduct of any business, trade, or commerce or in the furnishing of any service.

  • See also In re Adobe Sys. Privacy Litig., 66 F. Supp. 3d 1197 (N.D. Cal. 2014).

4.2.1.9 Statutory Standing (Under Federal Laws and State Reasonable Security Measures Statutes)

Other cases where standing has been granted based on violations of statutory privacy rights—these are not data breach cases—include:

  • Campbell v. Facebook, Inc., 951 F.3d 1106 (9th Cir. 2020) (standing for violations of the federal Electronic Communications Privacy Act and the California Invasion of Privacy Act).

  • In re Google Inc. Cookie Placement Consumer Privacy Litigation, 806 F.3d 125, 134 (3d Cir. 2015) (“the actual or threatened injury required by Art. III may exist solely by virtue of statutes creating legal rights, the invasion of which creates standing,” even absent evidence of actual monetary loss) (emphasis added).

  • In re Nickelodeon Consumer Privacy Litig., 827 F.3d 262 (3d Cir. 2016).

4.2.3 “Fairly Traceable” and “Redressable”

Cases finding that the plaintiffs had not satisfied the traceability requirement for standing:

  • Blood v. Labette Cnty. Med. Ctr., No. 5:22-cv-04036-HLT-KGG, 2022 U.S. Dist. LEXIS 191922, 2022 WL 11745549 (D. Kansas Oct. 20, 2022) (allegation that plaintiff’s data was found on the "dark web" lacked any further details showing a plausible connection to defendant's actions).

  • Fernandez v. Leidos, Inc., 127 F. Supp. 3d 1078, 1086 (E.D. Cal. 2015) (finding no traceability when the plaintiff did not allege that the medical conditions targeted by increased spam mailings were listed in the medical records compromised in the breach).

  • In re Sci. Applications Int'l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F. Supp. 3d 14, 31 (D.D.C. 2014) (claims that unauthorized charges were made to plaintiffs’ credit cards or debit cards, or that money was withdrawn from an existing bank account, lacked causation for purposes of standing because the plaintiffs did not allege that credit-card, debit-card, or bank-account information was on the stolen tapes).

Other cases finding traceability:

  • AFGE v. OPM (In re United States OPM Data Sec. Breach Litig.), 928 F.3d 42 (D.C. Cir. 2019) (discussing traceability in the context of risk of future harm injury).

  • Resnick v. AvMed, Inc., 693 F.3d 1317, 1327 (11th Cir. 2012) (finding that a “logical connection” plausibly existed between a data breach and two instances of identity theft that occurred ten and fourteen months later).

  • Stollenwerk v. Tri-West Health Care Alliance, 254 F. App’x 664 (9th Cir. 2007).

  • In re: Marriott International, Inc., Customer Data Security Breach Litigation, 440 F. Supp. 3d 447, 466 (D. Md. 2020) (court rejected defendants’ argument that identity theft injuries were not fairly traceable to defendants because these injuries require Social Security numbers or banking information which no plaintiff alleged to have given to Marriott).

  • In re: Marriott International, Inc., Customer Data Security Breach Litigation, MDL No. 19-md-2879, 2020 U.S. Dist. LEXIS 200096, 2020 WL 6290670 (D. Md. Oct. 26, 2020) (consumer plaintiffs had sufficiently alleged that their injuries-in-fact were traceable to Accenture, which provided IT services to Marriott).

  • Enslin v. Coca-Cola Co., 136 F.Supp.3d at 659, 666 (E.D. Pa. 2015) (although it was unclear when the plaintiff's PII was stolen, and the theft may have occurred up to seven years before the PII was misused, this passage of time did not break the chain of “but for” causation required for traceability).

  • In re Target Corp. Customer Data Sec. Breach Litig., 66 F. Supp. 3d 1154 (D. Minn. 2014) (“Plaintiffs’ allegations plausibly allege that they suffered injuries that are ‘fairly traceable’ to Target’s conduct. This is sufficient at this stage to plead standing. Should discovery fail to bear out Plaintiffs’ allegations, Target may move for summary judgment on the issue.”).

4.2.4  Pleading Matters: Pay Attention to the Specific Data Elements Compromised

To illustrate how standing may turn on the specific data elements compromised, see just the following selection of district court cases in the seemingly standing-friendly Ninth Circuit:

  • Greenstein v. Noblr Reciprocal Exch., 2022 U.S. Dist. LEXIS 30228 (N.D. Cal. Feb. 14, 2022) (the breach allegedly compromised names, addresses, and driver’s license numbers, data that is “insufficient to open a new account in Plaintiffs’ names or to gain access to personal accounts likely to have more sensitive information” – no standing). 

  • Rahman v. Marriott, No. SA CV 20-00654-DOC-KES (C.D. Cal. Jan. 12, 2021) (“Plaintiff has not plausibly pled here that any of their more sensitive data—such as credit card information, passports, or social security numbers—has fallen into the wrong hands. Without a breach of this type of sensitive information, Plaintiff has not suffered an injury in fact and cannot meet the constitutional requirements of standing”).

  • Stasi v. Inmediata Health Grp. Corp., No. 19-CV-2353, 2020 WL 2126317 at *5 (S.D. Cal. May 5, 2020) (“Plaintiffs’ failure to allege that the exposed information included their social security numbers, or similarly sensitive financial or account information …, leaves Plaintiffs short of what is required”).

  • Adkins v. Facebook, Inc., 424 F. Supp. 3d 686 (N.D. Cal. 2019) (standing found; no social security or credit card numbers were taken, but the lost data included “a constellation of social media data including ‘workplace, education, relationship status, religious views, hometown, self-reported current city’”).

  • Brett v. Brooks Bros. Grp., Inc., CV 17-4309-DMG, 2018 U.S. Dist. LEXIS 153150 (S.D. Cal. Sept. 6, 2018), appeal dismissed by Brett v. Brooks Bros. Grp., 2019 U.S. App. LEXIS 4698 (9th Cir. Feb. 15, 2019) (no standing where hackers stole plaintiffs’ names, credit and debit card numbers (along with card expiration dates and verification codes) and possibly the store zip codes where Plaintiffs made purchases as well as the time of those purchases. “This information simply does not rise to the level of sensitivity of the information in Krottner and Zappos or similar cases”).

  • Antman v. Uber Technologies, Inc., No. 15-CV01175, 2018 U.S. Dist. LEXIS 79371, 2018 WL 2151231 at *10 (N.D. Cal. May 10, 2018) (“Without a hack of information such as social security numbers, account numbers, or credit card numbers, there is no … credible risk of identity theft that risks real, immediate injury”).

________________________________________________________________________

ARCHIVED UPDATES TO THE FIRST EDITION, INCORPORATED INTO THE SECOND EDITION

4.1 Standing to Sue—The Constitutional Basics

In June 2021, in TransUnion LLC v. Ramirez, 594 U.S. _ (2021), the Supreme Court held that risk of future harm does not provide standing for a damages claim. While the full implications of the ruling remain to be seen in district and appellate court responses, TransUnion quite abruptly upset the standing apple cart for data breach, superseding, or at the very least calling into question, all of the cases cited in the book that held that risk of future harm on its own could be the basis for standing. For more on how TransUnion has played out, see the new Chapter 4A.

TransUnion reaffirmed and re-emphasized basic principles of standing law:

  • The plaintiffs bear the burden of demonstrating that they have standing. Slip op. at 15.

  • Every class member must have Article III standing in order to recover individual damages. Id.

  • Plaintiffs must demonstrate standing for each claim they press and for each form of relief they seek. Slip op. at 15-16.

  • Plaintiffs must maintain their personal interest in the dispute at all stages of litigation. Slip op. at 15.

  • “Various intangible injuries can also be concrete.” Slip op. at 9.

  • “Central to assessing concreteness is whether the asserted harm has a ‘close relationship’ to a harm traditionally recognized as providing a basis for a lawsuit in American courts,” but this may include various intangible harms such as reputational harm. Slip op. at 1.

  • Congress’s views may be “instructive,” but Congress’s creation of a statutory prohibition and a cause of action may not be enough to create standing. Slip op. at 10-14.

TransUnion was a case under the Fair Credit Reporting Act, which requires consumer reporting agencies to “follow reasonable procedures to assure maximum possible accuracy” in consumer reports. The Act provides that “[a]ny person who willfully fails to comply with any requirement imposed under this subchapter with respect to any consumer is liable to that consumer” for actual damages or for statutory damages not less than $100 and not more than $1,000, as well as for punitive damages and attorney’s fees. This express language, the Supreme Court ruled, did not create standing for inaccurate information in a credit report that was never disseminated. “[T]he mere existence of inaccurate information in a database is insufficient to confer Article III standing.” Slip op. at 18. See also slip op. at 19.

Plaintiffs argued that there was a material risk that the inaccurate information would be disseminated in the future to third parties and thereby cause them harm. The Court rejected this argument. It noted that “a person exposed to a risk of future harm may pursue forward-looking, injunctive relief to prevent the harm from occurring.” But it agreed with TransUnion that, “in a suit for damages, the mere risk of future harm, standing alone, cannot qualify as a concrete harm.” Slip op. at 20.

TransUnion may have left some room for data breach victims to establish standing even in the absence of fraudulent charges or other out-of-pocket costs. First, when the Court stated that various intangible harms can also be concrete, it cited as examples “reputational harms, disclosure of private information, and intrusion upon seclusion.” Slip op. at 9. In this clause, when it referred to disclosure of private information, the Court was probably talking about public disclosure, but it also referred to disclosure more generally: “Nor did the plaintiffs demonstrate that there was a sufficient likelihood that TransUnion would otherwise intentionally or accidentally release their information to third parties.” Slip op. at 23 (emphasis added). In the case of a data breach, there actually has been an accidental release of private information to third parties. That is exactly what the Third Circuit held in In re Horizon Healthcare Services Inc. Data Breach Litigation, 846 F.3d 625 (3d Cir. 2017): “Even without evidence that the Plaintiffs’ information was in fact used improperly, the alleged disclosure of their personal information created a de facto injury.”

Caution: before arguing that the negligent disclosure of private information to criminals or hostile foreign states is by itself the kind of intangible harm that gives rise to standing, plaintiffs’ lawyers should marshal the historical evidence regarding “harms traditionally recognized as providing a basis for lawsuits in American [or English] courts,” for that is now the touchstone of the Court’s standing jurisprudence.

The Court left open a second ground of standing: emotional distress due to a breach. The full text of the Court’s summary of TransUnion’s “persuasive argument” reads as follows: “in a suit for damages, the mere risk of future harm, standing alone, cannot qualify as a concrete harm—at least unless the exposure to the risk of future harm itself causes a separate concrete harm.” Slip op. at 20 (emphasis added). In a footnote, the Court elaborates: “[A] plaintiff’s knowledge that he or she is exposed to a risk of future physical, monetary, or reputational harm could cause its own current emotional or psychological harm. We take no position on whether or how such an emotional or psychological harm could suffice for Article III purposes—for example, by analogy to the tort of intentional infliction of emotional distress. … The plaintiffs here have not relied on such a theory of Article III harm.” Slip op. at 21, FN 7. The Court later makes the same point: “Nor did those plaintiffs present evidence that the class members were independently harmed by their exposure to the risk itself—that is, that they suffered some other injury (such as an emotional injury) from the mere risk that their credit reports would be provided to third-party businesses.” Slip op. at 22. The emotional injury from knowing that your data is not merely at risk of falling into the hands of criminals, but is actually in their hands and may be misused in various ways at the whim of the hackers, may be just the kind of current emotional distress that would constitute injury in fact. After all, “As Spokeo noted, ‘the law has long permitted recovery by certain tort victims even if their harms may be difficult to prove or measure.’” Slip op. at 22. See Krottner v. Starbucks, 628 F.3d 1139, 1142 (9th Cir. 2010) (one plaintiff’s allegation that he “has generalized anxiety and stress” as a result of the laptop theft is sufficient to confer standing, but only as to that plaintiff).

There may be a third avenue (a narrow lane?) available to plaintiffs, if they allege that they have incurred current harms in the form of time spent and expenses incurred in monitoring their accounts to mitigate the risk of identity theft. See Galaria v. Nationwide Mutual Ins., 663 Fed. Appx. 384, 387–89 (6th Cir. 2016) (risk of harm in the future plus mitigation costs equals standing); Remijas v. Neiman Marcus, 794 F.3d 688 (7th Cir. 2015) (time and money customers spent protecting against future ID theft or fraudulent charges was a current injury, one of several grounds for standing that the court found). Plaintiffs would have to be careful to allege that the risk of future harm was so likely that it took their present costs out of the realm of manufactured standing. Even Remijas stated that “Mitigation expenses do not qualify as actual injuries where the harm is not imminent.” 794 F.3d at 694. Courts that previously rejected mitigation costs as a basis for standing will certainly not change their minds. See Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017), cert. denied sub nom. Beck v. Shulkin, 137 S. Ct. 2307 (2017) (“self-imposed harms cannot confer standing”).

TransUnion may drive plaintiffs to state courts, including in cases involving violations of federal statutes. The state courts can hear claims brought under federal law: “Upon the State courts . . . rests the obligation to guard, enforce, and protect every right granted or secured by the Constitution of the United States and the laws made in pursuance thereof, whenever those rights are involved in any suit or proceeding before them . . . .” Robb v. Connolly, 111 U.S. 624, 637 (1884). And “the state courts are not bound by the limitations of a case or controversy or other federal rules of justiciability even when they address issues of federal law.” ASARCO v. Kadish, 490 U.S. 605, 617 (1989). Of course, states may have their own standing rules that produce the same results as Article III. For example, in a pre-TransUnion case, the Superior Court of Delaware, applying that state’s standing principles, found in Abernathy v. Brandywine Urology Consultants, P.A., No. N20C-05-057 MMJ CCLD, 2021 Del. Super. LEXIS 46 (Del. Super. Ct. Jan. 21, 2021) that the notice of a data breach coupled with speculative future harm was insufficient to confer standing.

On state court jurisdiction, see Wyatt Sassman, A Survey of Constitutional Standing in State Courts, 8 Ky. J. Equine, Agric., & Nat. Res. L. 349, 354–98 (2015).

4.2 Standing in Data Breach Cases

Regarding the circuit split on standing, in April 2021, the Second Circuit in effect denied that there was a split, in McMorris v. Carlos Lopez & Assoc., LLC, 2021 U.S. App. LEXIS 12328 *9, 2021 WL 1603808 (2d Cir. Apr. 26, 2021) (“in actuality, no court of appeals has explicitly foreclosed plaintiffs from establishing standing based on a risk of future identity theft – even those courts that have declined to find standing on the facts of a particular case”). The court held expressly that “plaintiffs may establish standing based on an increased risk of identity theft or fraud following the unauthorized disclosure of their data.” Id. However, this statement in McMorris, like similar statements in other cases that risk of future harm could serve as the basis for standing with regard to damages claims, is no longer reliable after the Supreme Court’s ruling in TransUnion LLC v. Ramirez. See discussion of TransUnion in the updates to Chapter 4.1 and see the new Chapter 4A on standing after TransUnion.

At least one district court has held that the compromise of data alone gives rise to standing: “A plaintiff who suffers a wrongful disclosure need not additionally demonstrate misuse resulting in economic harm.” In re Am. Med. Collection Agency, Inc. Customer Data Sec. Breach Litig., 2021 U.S. Dist. LEXIS 240360 at *43, 2021 WL 5937742 (D. N.J. Dec. 16, 2021).

In further support of the point made in the book (in Chapter 4.3.5), that the allegation of loss or damages required to state a claim, sometimes referred to as “standing,” is different from standing for Article III purposes and the two types of standing should be analyzed separately, see In re Blackbaud, Inc., Customer Data Breach Litigation, 2021 U.S. Dist. LEXIS 151831, 2021 WL 3568394 (D.S.C. August 12, 2021) (“Statutory standing is a ‘distinct’ concept from Article III and prudential standing.”).

4.3.1 Standing Based on Actual Identity Theft or Out-of-Pocket Expenses

Defendants in class action cases where some customers have suffered identity theft but others have not will definitely want to emphasize the point reaffirmed in TransUnion, that every class member must have Article III standing in order to recover individual damages. Slip op. at 15.

Post-TransUnion, finding standing for plaintiffs who incurred fraudulent charges: In re Am. Med. Collection Agency, Inc. Customer Data Sec. Breach Litig., 2021 U.S. Dist. LEXIS 240360 at *39-40, 2021 WL 5937742 (D. N.J. Dec. 16, 2021). “[A]t a minimum, [plaintiffs who experienced fraudulent charges] have suffered the actionable intangible harm of the wrongful use and dissemination of their private information, like the interests protected by common law privacy torts. See TransUnion, 141 S. Ct. at 2208.” (The court also noted that these plaintiffs had alleged they incurred expenses in addressing and resolving these charges to mitigate their injury, but the first language quoted suggests that it was prepared to base standing on the fraudulent charges alone.)

4.3.2 Standing Based on Value of Time Spent

An allegation sufficient to give rise to standing under this theory (as with others) may not be sufficient to state a claim. For example, in Pruchnicki v. Envision Healthcare Corp., 845 Fed. Appx. 613 (9th Cir. 2021), after the standing hurdle was cleared, the Ninth Circuit affirmed dismissal of claims for negligence, breach of implied contract, negligent misrepresentation, and violation of Nevada’s deceptive practices statute on the ground that lost time was not a cognizable injury for the purpose of establishing compensable damages.

4.3.3 Standing Based on Risk of Future Harm

As noted in multiple other sub-chapters, in June 2021 the Supreme Court held in TransUnion LLC v. Ramirez, 594 U.S. _ (2021), that risk of future injury does not provide standing for a damages claim. Cases allowing for the possibility of standing based on the risk of future harm without more are no longer reliable in light of TransUnion. See discussion of TransUnion in the updates to Chapter 4.1, above, and in the new Chapter 4A.

Note that alleged risk of future harm, even if adequate for standing, may be inadequate to satisfy the damages component of a claim. Success in avoiding dismissal under 12(b)(1) may turn very quickly into defeat under 12(b)(6):

  • Gardiner v. Walmart Inc., 2021 U.S. Dist. LEXIS 75079 *13, 2021 WL 2520103 (N.D. Cal. March 5, 2021) (pre-TransUnion, dismissing under 12(b)(6) negligence, breach of contract, and unfair competition law claims: “the allegations required to sufficiently plead injury-in-fact for purposes of Article III standing are not the same as those required to plead damages for purposes of state law claims”).

  • Bohnak v. Marsh & McLennan, 1:21-CV-06096 (S.D.N.Y. Jan. 17, 2022) (after TransUnion, holding that plaintiffs had standing based on risk of future harm, but dismissing because the harm alleged was not adequate to support the damages element of the claim being asserted).

4.3.3.1 Risk of Future Harm Enough to Create Standing

Second Circuit

  • McMorris v. Carlos Lopez & Assoc., LLC, 2021 U.S. App. LEXIS 12328 *9, 2021 WL 1603808 (2d Cir. Apr. 26, 2021): “[P]laintiffs may establish standing based on an increased risk of identity theft or fraud following the unauthorized disclosure of their data.” Since McMorris pre-dates TransUnion, this statement, taken in isolation, is no longer reliable with regard to standing to bring a claim for damages. However, as explained in the new Chapter 4A, the McMorris factors, which put weight on whether there is any evidence of data misuse, are still used, especially by courts in the Second Circuit.

4.3.3.2 Risk of Future Harm Not Enough to Create Standing

The Second Circuit case described in the book, Whalen v. Michaels Stores, Inc., was superseded by McMorris v. Carlos Lopez & Assoc., LLC, 2021 U.S. App. LEXIS 12328 *9, 2021 WL 1603808 (2d Cir. Apr. 26, 2021), holding that “plaintiffs may establish standing based on an increased risk of identity theft or fraud following the unauthorized disclosure of their data.” But McMorris was promptly superseded by the Supreme Court’s June 2021 TransUnion ruling that risk of future injury does not provide standing for a damages claim. See discussion of TransUnion in the updates to Chapter 4.1 and in the new Chapter 4A.

4.3.3.3 Pay Attention to the Specific Data Elements Compromised

Giving close attention to the facts alleged is exactly what the Second Circuit held in McMorris v. Carlos Lopez & Assoc., LLC, 2021 U.S. App. LEXIS 12328, 2021 WL 1603808 (2d Cir. Apr. 26, 2021), identifying three specific risk factors to be considered.

The general admonition to pay attention to the specific data elements that were compromised takes on a different significance after the Supreme Court’s ruling in TransUnion LLC v. Ramirez, 594 U.S. _ (2021), that risk of future harm does not provide standing for a damages claim. Going forward, plaintiffs may argue that they suffer current harm in the form of emotional distress. Demonstrating standing on that basis may require specific attention to the data elements compromised. See discussion of TransUnion in the updates to Chapter 4.1.

4.3.4 Standing Based on Loss of Property Value in Compromised PII

Also rejecting standing based on diminution in value:

  • In re PracticeFirst Data Breach Litigation, 1:21-CV-00790 (JLS/MJR) (W.D.N.Y. Feb. 2, 2022).

  • Cooper v. Bonobos, Inc., No. 21-CV-854, 2022 U.S. Dist. LEXIS 9469 * 15-16, 2022 WL 170622 (S.D.N.Y. Jan. 19, 2022).

  • In re Am. Med. Collection Agency, Inc. Customer Data Sec. Breach Litig., 2021 U.S. Dist. LEXIS 240360, 2021 WL 5937742 (D. N.J. Dec. 16, 2021). The court distinguished In re Marriott on a very interesting point: “In re Marriott, like other courts adopting this theory of injury, involved circumstances where the defendants collected information that was itself monetized and used for commercial purposes. 440 F. Supp. 3d 447, [WL] at *8. The plaintiffs therein provided their information, and Marriott collected it "to better target customers and increase its profits" and "pa[id] a customer analytics company to analyze personal information for this purpose." Id. The [complaints] here contain no similar allegation. Absent such circumstances, there is no loss of value in the information sufficient to state a concrete injury.”

  • Legg v. Leaders Life Ins. Co., No. 21-655, 2021 U.S. Dist. LEXIS 232833 (W.D. Okla. Dec. 6, 2021).

  • Rahman v. Marriott Int’l, Inc., No. SA CV 20-00654-DOC-KES, 2021 U.S. Dist. LEXIS 15155 * 6 (C.D. Cal. Jan. 12, 2021) (based on pleadings, alleged loss of value of personal information was not grounds for standing).

  • Razuki v. Caliber Home Loans, Inc., No. CV 17- 1718-LAB (WVGx), 2018 WL 6018361, at *1 (S.D. Cal. Nov. 15, 2018) (finding allegations of damages based on diminution of value of personal data insufficient where plaintiff failed to allege enough facts to establish how his personal information was less valuable as a result of the breach).

  • Fero v. Excellus Health Plan, Inc., 236 F. Supp. 3d 735, 755-56 (W.D.N.Y. 2017).

Note, moreover, that generalized allegations of lost value are not likely to be sufficient to satisfy the damages element of a claim in negligence or contract. For example, in Pruchnicki v. Envision Healthcare Corp., 845 Fed. Appx. 613, 614-15 (9th Cir. 2021), the Ninth Circuit stated that the “mere misappropriation of personal information” does not establish compensable damages. It was not a standing case, but in Gardiner v. Walmart Inc., 4:20-cv-04618, 2021 U.S. Dist. LEXIS 75079 *12, 2021 WL 2520103 (N.D. Ca. March 5, 2021), the court ruled that the plaintiff’s allegations of the loss of value of PII were insufficient to satisfy the damages element of his UCL, negligence, and breach of contract claims. The Plaintiff had not alleged that he had been unable to sell, profit from, or monetize his personal information. The court summarized other cases on the loss of value theory:

Diminution of value of personal information can be a viable damages theory. See In re Facebook Privacy Litig., 572 F. App’x 494 (9th Cir. 2014). A plaintiff must establish the existence of a market for the personal information and an impairment of the ability to participate in that market. Svenson v. Google Inc., No. 13-cv-04080-BLF, 2016 WL 8943301, at *9 (N.D. Cal. Dec. 21, 2016). Recently, in Pruchnicki v. Envision Healthcare Corp., the Ninth Circuit affirmed the district court’s finding that allegations of diminution of value of personal information were insufficient to establish the damages element for her state law claims. 845 F. App’x 613, 614-15 (9th Cir. 2021). The Ninth Circuit explained that although the plaintiff cited studies establishing that personal information may have value in general, the plaintiff “failed to adequately allege that her personal information actually lost value.” Id. The “‘mere misappropriation of personal information’ does not establish compensable damages.” Id. at 615 (quoting In re Google, Inc. Privacy Pol’y Litig., No. 5:12-cv-001382-PSG, 2015 WL 4317479, at *5 n.63 (N.D. Cal. July 15, 2015)).

4.3.5 Standing Based on Loss of Benefit of the Bargain Regarding Data Security

Recent cases rejecting lost benefit of the bargain as a basis for standing:

  • Aponte v. Northeast Radiology, P.C., No. 21 CV 5883 (VB) (S.D.N.Y. May 16, 2022).

  • C.C. v. Med-Data Inc., 2022 U.S. Dist. LEXIS 60555 at *22-25, 2022 WL 970862 (D. Kan. Mar. 31, 2022).

  • In re PracticeFirst Data Breach Litigation, 1:21-CV-00790 (JLS/MJR) (W.D.N.Y. Feb. 2, 2022).

  • In re Am. Med. Collection Agency, Inc. Customer Data Sec. Breach Litig., 2021 U.S. Dist. LEXIS 240360, at *46-47, 2021 WL 5937742, at *11 (D. N.J. Dec. 16, 2021). “The [complaints] lack any allegation that Plaintiffs' Personal Information was of any material economic value with respect to the services Plaintiffs received from Defendants.”

  • In re Brinker Data Incident Litig., No. 18-686, 2020 U.S. Dist. LEXIS 247918, 2020 WL 691848, at *13 (M.D. Fla. Jan. 27, 2020) (rejecting “benefit of the bargain” theory alleging that defendants failed to protect financial information plaintiffs supplied to purchase food and drinks because “the food or drink purchased ha[d] no diminished value because of [defendant's] alleged inadequate data security”).

Although the book cites several cases holding that the loss of the benefit of the bargain did give rise to standing, the Southern District of New York stated in 2019 that “courts have consistently rejected as too tenuous to support an injury-in-fact [claim] that a defendant’s failure to comply with the law, or to prevent an actual data breach, diminished the benefit-of-the-bargain.” Rudolph v. Hudson’s Bay Co., 2019 WL 2023713, at *8 (S.D.N.Y. May 7, 2019).

4.3.7 Statutory Standing (Under Federal Laws and State Reasonable Security Measures Statutes)

The Supreme Court’s decision in TransUnion LLC v. Ramirez, 594 U.S. _ (2021), reemphasized that legislative “creation of a statutory prohibition or obligation and a cause of action does not relieve courts of their responsibility to independently decide whether a plaintiff has suffered a concrete harm under Article III.” Slip op. at 10. At the least, that weakens the rationale and holdings of the statutory standing cases cited in the book. Note, however, that the Third Circuit reaffirmed its Horizon reasoning just a few weeks after TransUnion was decided, stating in an opinion on the Fair Debt Collection Practices Act that “[d]isclosing ‘personal information’ is a concrete injury” giving rise to standing. Morales v. Healthcare Revenue Recovery Grp., LLC, 859 Fed. Appx. 625, 628, 2021 U.S. App. LEXIS 19972, 2021 WL 2800507 (3d Cir. July 6, 2021).

Update on the Horizon case: Upon remand, the district court addressed the issue left open by the Third Circuit, ruling that plaintiffs had failed to show that Horizon was a credit report agency under the FCRA. In re: Horizon Healthcare Services Inc. Data Breach Litigation, No. 2:13-cv-07418, 2021 U.S. Dist. LEXIS 243041, 2021 WL 6049549 (Dec. 21, 2021). Specifically, plaintiffs had failed to adequately allege that the defendant “assembles consumer information for the purpose of furnishing consumer reports.” (Emphasis in the original.) Whatever consumer information Horizon collected was for the purpose of providing health insurance coverage and administering health benefits plans.

[New subchapter:] 4.3.7A Standing Based on Traditional Privacy Torts

After TransUnion, plaintiffs have tried to fit within the Supreme Court’s statement that “[v]arious intangible harms can also be concrete. Chief among them are injuries with a close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts. … Those include, for example, reputational harms, disclosure of private information, and intrusion upon seclusion.” These efforts have met mixed reactions. In Aponte v. Northeast Radiology, P.C., 21 CV 5883 (VB) (S.D.N.Y. May 16, 2022), plaintiffs claimed that they suffered an injury-in-fact through intrusion upon their seclusion, but the court rejected this theory on the ground that it was not the defendants who improperly accessed plaintiffs’ data, but instead other, unauthorized third parties. In other words, plaintiffs had not identified a close historical or common-law analogue to the alleged injuries they suffered from defendants’ actions.

Likewise, in C.C. v. Med-Data Inc., 2022 U.S. Dist. LEXIS 60555, 2022 WL 970862 (D. Kan. March 31, 2022), the court rejected standing based on an invasion of privacy tort theory—specifically, public disclosure of private facts. Plaintiff had alleged that her data was uploaded to a public facing website, but the court held that, even if this upload qualifies as the requisite "publicity" for a public disclosure of private facts claim, plaintiff hasn't alleged a concrete harm resulted from this publicity. Relying on the Restatement (Second) of Torts, the court found that the public disclosure of private facts required some harm to reputation. Since the plaintiff hadn't alleged any harm to her reputation from the alleged breach, no standing. (Once again, it is remarkable how many complaints fail to allege all elements of a claim.)

The Med-Data court may have been correct in its reading of the Restatement and the complaint. However, the court in In re Practicefirst Data Breach Litig., No. 1:21-CV-00790(JLS/MJR), 2022 WL 354544, at *8 (W.D.N.Y. Feb. 2, 2022), seems to have misstated the test when it said, “[E]ven if plaintiffs could plead facts sufficient to allege the tort of public disclosure of private information, the Court would still find a lack of subject matter jurisdiction here. Indeed, this theory of standing has been rejected in the data breach context where, like in this case, plaintiffs have failed to demonstrate any concrete or particularized injury associated with the disclosure.” Under TransUnion, if a plaintiff has adequately alleged all elements of a traditional tort, that should be enough - there should be no need to allege additional injury. The harm may be (always is?) an element of the traditional tort, not something that needs to be alleged separately on top of the elements of the tort.

On the other hand, the court in In re Am. Med. Collection Agency, Inc. Customer Data Sec. Breach Litig., 2021 U.S. Dist. LEXIS 240360, 2021 WL 5937742 (D. N.J. Dec. 16, 2021), found standing based on its interpretation of traditional tort law. Citing TransUnion, the district court granted standing to one group of plaintiffs on the theory that the compromise of data alone gives rise to standing. “[I]ntangible harms are sufficiently ‘concrete’ to establish an injury-in-fact where they share a ‘close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts.’ TransUnion, 141 S. Ct. at 2204.” The court went on to say, again citing TransUnion, “A plaintiff who suffers a wrongful disclosure need not additionally demonstrate misuse resulting in economic harm.” The court also found standing for plaintiffs who had experienced fraudulent charges, but for these plaintiffs too the court’s reasoning seemed expansive: “The fraudulent charges identified by [this group of] Plaintiffs permit the inference that their specific information has been accessed and misused. Therefore, at a minimum, they have suffered the actionable intangible harm of the wrongful use and dissemination of their private information, like the interests protected by common law privacy torts. See TransUnion, 141 S. Ct. at 2208.”

4.3.8 “fairly traceable” and “redressable”

Another case dismissed for failure to adequately allege traceability: Springmeyer v. Marriott International Inc., No. 20-cv-867-PWG (D. Md. Mar. 2, 2021). “Plaintiffs do not allege any facts about what measures Marriott did or did not take to protect PII, what alleged inadequacies in its systems it should have disclosed, what ‘standard and reasonably available steps’ existed that Marriott did not take, how Marriott failed to detect the data breach, or why it did not provide timely and accurate notice of the breach. Thus, Plaintiffs fail to ‘clearly . . . allege facts demonstrating’ their alleged injuries are fairly traceable to Defendant’s conduct, Spokeo, Inc. v. Robins, 136 S. Ct. at 1547, ‘and not injury that results from the independent action of some third party not before the court.’ Doe v. Obama, 631 F.3d at 161.” This case involved a 2020 breach, not the 2018 breach subject to an MDL before the same judge; in that other case, the court denied a motion to dismiss.

Going the other way: In re Blackbaud, Inc., 2021 U.S. Dist. LEXIS 123355, 2021 WL 2718439 (D.S.C. July 1, 2021) (concluding, among other factors supporting traceability, that plaintiffs had plausibly pled that hackers can commit identity fraud without contact information or SSNs by combining and cross-referencing data stolen during the breach at issue in the case with information obtained in other data breaches).

4.4 Summary: Appellate Decisions on Standing, by Circuit

Note regarding the list of cases in the book: Those allowing standing based on risk of future harm are no longer reliable in light of the Supreme Court’s June 2021 ruling in TransUnion LLC v. Ramirez, 594 U.S. _ (2021). The picture on risk of future harm has become very unclear. See discussion of TransUnion in the updates to Chapter 4.1.

Second Circuit

  • McMorris v. Carlos Lopez & Assoc., LLC, 2021 U.S. App. LEXIS 12328 *9, 2021 WL 1603808 (2d Cir. Apr. 26, 2021) (plaintiffs may establish standing based on an increased risk of identity theft or fraud, but it depends on at least three factors identified by the court). McMorris pre-dates TransUnion, so its holding on risk of future harm is no longer reliably good law (although courts within the Second Circuit have continued to use it after TransUnion). However, with its emphasis on whether the data at issue has been compromised as the result of a targeted attack intended to obtain the plaintiffs’ data as a key factor in assessing standing, McMorris certainly stands for the proposition that inadvertent disclosure alone does not give rise to standing. And it may be useful in arguing that any compromise by itself does not constitute harm.


Last updated: Nov. 20, 2024.

Photo: “The Allegory of Good Government," by Ambrogio Lorenzetti, 1338, Museo Civico, Siena, (c) Erik Törner, CC BY-NC-SA 2.0.