In this month’s edition of our Privacy & Cybersecurity Update, we examine the Second Circuit’s ruling allowing standing for increased risk of identity theft following a data breach, the European Commission’s recently released Draft AI Regulation, the U.S. Department of Labor’s cybersecurity guidelines for retirement plans and the Indiana Supreme Court’s ruling that a ransomware attack may be covered under a crime insurance policy.
Second Circuit Allows Data Breach Claims for Increased Risk of Identity Theft
The U.S. Court of Appeals for the Second Circuit has ruled that plaintiffs can establish standing to pursue claims arising out of data breaches based solely on an increased risk of identity theft, provided that the plaintiffs can demonstrate that the risk is sufficiently concrete.
On April 26, 2021, in McMorris v. Carlos Lopez and Associates,1 the Second Circuit ruled that affected data subjects who have alleged only an increased risk of identity theft following a data breach can have standing to bring a claim. The ruling is somewhat of a departure from other circuits’ decisions on similar issues, in which data subjects without a concrete injury had been denied standing to sue. However, although the court ruled that it was possible to have standing based solely on increased risk, it denied standing in the specific case before it based on its determination that the plaintiffs had not shown sufficient increased risk of harm.
In June 2018, an employee of Carlos Lopez & Associates, LLC (CLA), a veterans’ benefits organization, inadvertently emailed all 65 employees of the organization an attachment that included a spreadsheet containing sensitive information (such as Social Security numbers, home addresses, dates of birth and telephone numbers) of approximately 130 current and former employees. CLA later contacted the current employees to address the accidental disclosure, but not the former employees.
Three individuals whose information was shared filed a class action complaint against CLA, asserting state law claims for negligence, negligence per se and statutory consumer protection violations. The individuals did not allege that they were victims of actual identity theft or fraud as a result of the disclosure, nor did they claim that their information was taken or misused by third parties. Instead, they claimed that they were at “imminent risk of suffering identity theft” and of becoming the victims of “unknown but certainly impending future crimes.” The plaintiffs also claimed that they had cancelled credit cards, purchased credit monitoring and identity theft protection services, and spent time assessing whether they should apply for new Social Security numbers. However, the district court dismissed the case for lack of standing due to the lack of tangible injury to the plaintiffs.
Split on Increased Risk Cases
To date, there has been a split among U.S. circuits over whether an increased risk of identity theft establishes standing. The Sixth, Seventh,2 Ninth and D.C. circuits3 have held that an increased risk of future identity theft does establish standing, while the Second, Third, Fourth, Eighth and Eleventh circuits have reached the opposite conclusion, and have denied standing in a number of cases.4
Second Circuit Ruling
In McMorris, the Second Circuit disagreed that there is a circuit split on the question of standing for increased risk of identity theft, though it noted that some courts have perceived one to exist. Instead, the court noted that, in its view, no court of appeals has explicitly foreclosed plaintiffs from establishing standing on…