'McMorris Factors' Create Obstacles For Data Breach Plaintiffs

This article was originally published in Law360. 

There has been much class action litigation in recent years over the potential disclosure of personally identifiable information.

Often, the potential disclosure follows from some type of data breach by a threat actor with nefarious motive. Sometimes, however, PII is disclosed through an accidental release by the entity holding the data.

An emerging issue is whether, in that second scenario, plaintiffs can establish standing even if they cannot demonstrate that the data was ever misused.

Earlier this year, the U.S. Court of Appeals for the Second Circuit addressed this question in McMorris v. Carlos Lopez & Associates LLC.[1] As we discuss below, the Second Circuit's decision suggests that it will be difficult, if not impossible, for plaintiffs to establish standing without a threat actor or evidence that PII was actually misused.

This decision will be an important lever for defendants to use to defeat class actions involving the unauthorized disclosure of PII.

The McMorris Decision

The Second Circuit in McMorris declined to find standing where plaintiffs did not allege that any of their data was either targeted or misused.

McMorris was a class action brought against a company after an employee of the company accidentally emailed to all 65 employees of the company the PII — including Social Security numbers — of 130 current and former employees. The district court sua sponte refused to approve a settlement that had been negotiated by the parties, holding that the plaintiffs lacked standing to bring the lawsuit. The Second Circuit affirmed.

The plaintiffs in McMorris did not allege that they had become the victims of fraud or identity theft as a result of the inadvertent disclosure, or that their PII otherwise had been misused. Instead, they claimed that they were at imminent risk of suffering identity theft and becoming the victims of "unknown but certainly impending future crimes."[2]

Deciding an issue of first impression within the Second Circuit, the court held that a plaintiff may establish standing based on an increased risk of identity theft or fraud following the unauthorized disclosure of their data.[3] However, while holding that Article III standing could follow from a risk, the court also explained that, under U.S. Supreme Court precedent, the threat must be "concrete, particularized, and ... imminent."[4]

The McMorris court put forth a nonexhaustive list of factors that courts should consider when evaluating standing in the context of allegations involving the unauthorized disclosure of PII:

Whether the plaintiff's data was exposed as the result of a targeted attempt to obtain that data;

Whether any portion of the compromised dataset already has been misused; and

Whether the exposed data includes high-risk information — e.g., Social Security numbers and dates of birth.[5]

Although the third factor — involving the disclosure of high-risk information — was undoubtedly satisfied in McMorris, the court nonetheless determined that "this factor alone does not establish an injury in fact."[6]

Ultimately, the Second Circuit court reasoned that the plaintiffs lacked standing to pursue their claims primarily because the case "merely involve[d] the inadvertent disclosure of PII" and did not involve allegations that any data had been misused.[7] Unlike in a case involving a sophisticated or malicious cyberattack "carried out to obtain sensitive information for improper use," the court reasoned, the plaintiffs "never alleged that their data was intentionally targeted or obtained."[8]

This distinction — between targeted data attacks by a threat actor and inadvertent data disclosures — was particularly meaningful to the court, which reasoned that the latter gave rise to only an attenuated chain of possibilities insufficient to establish a substantial risk of future harm.[9]

According to the court:

Where plaintiffs fail to present evidence or make any allegations that an unauthorized third party purposely obtained the plaintiff's data, courts have regularly held that the risk of future identity theft is too speculative to support Article III standing.[10]

Circuits are split on whether there can be standing absent allegations that data was targeted by a threat actor or misused.

Before the McMorris Decision

Even prior to the Second Circuit's decision in McMorris, numerous federal courts of appeal implicitly expressed agreement with the McMorris approach.[11]

In the 2011 Reilly v. Ceridian Corp. decision, for example, the U.S. Court of Appeals for the Third Circuit affirmed the dismissal on standing grounds of a purported class action brought after a hacker accessed the computer system of a payroll processing firm and potentially gained access to PII.[12]

While the case was decided a decade before McMorris, the reasoning is identical:

Here, there is no evidence that the intrusion was intentional or malicious. Appellants have alleged no misuse, and therefore, no injury. Indeed, no identifiable taking occurred; all that is known is that a firewall was penetrated. Appellants' string of hypothetical injuries do not meet the requirement of an "actual or imminent" injury.[13]

Likewise, in its 2017 decision in Beck v. McDonald, the U.S. Court of Appeals for the Fourth Circuit affirmed the dismissal on standing grounds of two purported class actions brought against a hospital — one involving a missing laptop containing unencrypted PII of 7,400 hospital patients, and the other involving four missing boxes containing pathology reports for over 2,000 hospital patients.[14]

Even accepting as true the plaintiffs' allegations that the laptop and pathology reports had been stolen, the court still deemed the plaintiffs' contention of an enhanced risk of identity theft too speculative where there was "no evidence that the information contained on the stolen laptop has been accessed or misused or that they have suffered identity theft, nor, for that matter, that the thief stole the laptop with the intent to steal their private information."

Other courts of appeal have taken a more liberal approach to conferring standing in unauthorized data disclosure cases, requiring neither allegations that data was targeted nor allegations that any of the data already had been misused.[15]

For instance, in its 2010 decision in Krottner v. Starbucks Corp., the U.S. Court of Appeals for the Ninth Circuit determined that the plaintiffs had standing in a case involving the theft of a company laptop containing employees' PII.[16] Notwithstanding that there was no evidence that any data from the stolen laptop had been either targeted or misused, the court decided that the plaintiffs alleged a "credible threat of real and immediate harm stemming from the theft of a laptop containing their unencrypted personal data."[17]

Of course, the decision in Krottner stands in sharp contrast to the decision in Beck, issued seven years later, in which the Fourth Circuit decided that the plaintiffs' risk of identity theft under substantially similar circumstances was too speculative to confer standing.

In its 2007 Pisciotta v. Old National Bancorp decision,[18] the U.S. Court of Appeals for the Seventh Circuit expressly rejected the proposition that "plaintiffs whose data has been compromised, but not yet misused, have not suffered an injury-in-fact sufficient to confer Article III standing."[19]

These rulings are at odds with McMorris. Although that may be explained in part by the fact that both decisions were decided a decade ago — before the distinction between accidental disclosure of PII and theft of PII by threat actors was as marked — there is no such explanation for more recent decisions that likewise diverge from McMorris in their reluctance to require allegations of data misuse.[20]

Implications of McMorris

We see three implications of McMorris and the other appellate rulings on this topic.

First, particularly over the past decade, as instances of unauthorized data disclosures have become more prevalent, courts have come to recognize that not all PII disclosure cases are the same. The decision in McMorris highlights some important distinctions among such cases.

For the purpose of assessing the imminence of the threat posed by the particular disclosure, it matters whether a threat actor targeted or misused the data, as opposed to the data having been accidentally disclosed. In the latter scenario, courts are increasingly unwilling to confer Article III standing based merely on the chain of possibilities or string of hypothetical injuries conjured by would-be plaintiffs on account of an accidental disclosure of their PII.

Second, because no doubt there exists a split among circuits in terms of their level of willingness to confer standing absent the existence of a threat actor or demonstrated misuse of data, it will matter where the data disclosure case is being litigated.

As the issue evolves and the McMorris factors wind their way through future opinions issued in a variety of jurisdictions, their application presumably being adopted, amended or rejected to varying degrees, the strength of a standing challenge ultimately may depend most on the forum in which the plaintiffs bring suit.

Third, within the Second Circuit, and the numerous other courts that adopt the McMorris approach, defendants have an important tool to achieve an early defeat of class actions for certain types of PII disclosure cases.

Where there is no threat actor and no evidence of misuse of the PII, defendants will have meaningful grounds to dispose of the case on a motion to dismiss. And, facing likely defeat, the plaintiffs' bar may become more reluctant to file such cases in the first place.

[1] McMorris v. Carlos Lopez & Associates LLC , 995 F.3d 295 (2d Cir. 2021).

[2] Id. at 298.

[3] See id. at 301.

[4] Id. at 301 (quoting Thole v. U.S. Bank N.A. , 140 S. Ct. 1615, 1618 (2020)).

[5] Id. at 302-03.

[6] Id. at 304.

[7] Id. at 303-04.

[8] Id. at 303, quoting In re United States OPM Data Sec. Breach Litig. , 928 F.3d 42, 52 (D.C. Cir. 2019).

[9] Id. at 303-04.

[10] Id. at 301.

[11] See, e.g., Katz v. Pershing LLC , 672 F.3d 64 (1st Cir. 2012); Reilly v. Ceridian Corp. , 664 F.3d 38, 44 (3d Cir. 2011); Beck v. McDonald , 848 F.3d 262 (4th Cir. 2017); Alleruzzo v. SuperValu Inc. (In re SuperValu, Inc., Customer Data Sec. Breach Litig., 870 F.3d 763 (8th Cir. 2017); Tsao v. Captiva MVP Rest. Partners LLC , 986 F.3d 1332 (11th Cir. 2021).

[12] 664 F.3d 38, 44 (3d Cir. 2011).

[13] Id.

[14] 848 F.3d 262 (4th Cir. 2017).

[15] See, e.g., AFGE v. OPM (In re United States OPM Data Sec. Breach Litig.), 928 F.3d 42 (D.C. Cir. 2019); Galaria v. Nationwide Mut. Ins. Co. , 663 Fed. Appx. 384 (6th Cir. 2016); Pisciotta v. Old Nat'l Bancorp , 499 F.3d 629 (7th Cir. 2007); Krottner v. Starbucks Corp. , 628 F.3d 1139 (9th Cir. 2010).

[16] 628 F.3d 1139 (9th Cir. 2010).

[17] Id. at 1143.

[18] 499 F.3d 629 (7th Cir. 2007).

[19] See id. at 634.

[20] See AFGE v. OPM (In re U.S. OPM Data Sec. Breach Litig.), 928 F.3d 42 (D.C. Cir. 2019); Galaria v. Nationwide Mut. Ins. Co., 663 Fed. Appx. 384 (6th Cir. 2016).