29 October 2021

Second Circuit Rules That Risk Of Future Identity Theft Not Enough To Support Standing In Data Breach Class Action

Thompson Coburn LLP


For almost 90 years, Thompson Coburn LLP has provided the quality legal services and counsel our clients demand to achieve their most critical business goals. With more than 380 lawyers and 40 practice areas, we serve clients throughout the United States and beyond.
The Second Circuit recently joined a growing number of federal courts to decide when a data breach of personally identifiable information ("PII") is actionable. According to the Second Circuit...
United States Litigation, Mediation & Arbitration
To print this article, all you need is to be registered or login on

The Second Circuit recently joined a growing number of federal courts to decide when a data breach of personally identifiable information ("PII") is actionable. According to the Second Circuit, plaintiffs do not have standing to bring a lawsuit when there is no allegation their PII was targeted or misused. 

The Second Circuit's decision

To bring a lawsuit in federal court, a plaintiff must have standing. To have standing, the plaintiff must establish, among other things, an "injury in fact." This means an injury that is "concrete and particularized" as well as "actual or imminent." A "conjectural" or "hypothetical" injury is not enough. This distinction is important in data breach cases, where courts are increasingly asked to decide whether a future risk of identity theft is sufficient to maintain claims in federal court.

In McMorris v. Carlos Lopez & Associates, former employees brought a class action after an employer accidentally emailed 65 employees a spreadsheet containing social security numbers, home addresses, dates of birth, telephone numbers, educational degrees, and dates of hire for approximately 130 current and former employees.1 The plaintiffs alleged they were "at imminent risk of suffering identity theft" and becoming victims of "unknown but certainly impending future crimes." However, the plaintiffs did not allege that the spreadsheet was shared with anyone outside the employer or otherwise taken or misused by third parties.

The parties settled the case after the employer filed a motion to dismiss. However, the district judge declined to approve the settlement agreement and dismissed the case for lack of standing. According to the judge, the plaintiffs failed to allege "a substantial risk of identity theft" or that such harm "was certainly impending."

On appeal, the Second Circuit recognized that a plaintiff could, theoretically, establish standing based on an "increased risk" of identity theft. But the plaintiffs in McMorris failed to do so. The court identified three factors courts should consider: 

  • Whether the data had been exposed as the result of a targeted attempt to obtain that data;
  • Whether any portion of the dataset had already been misused; and
  • Whether the type of data that had been exposed is sensitive such that there is a high risk of identity theft or fraud.

Because the PII in the spreadsheet was highly sensitive, the plaintiffs met the third factor. However, they didn't meet the other factors, because there were no facts suggesting an unauthorized third party took the PII or that the PII was otherwise misused. Unlike in a case involving a malicious cyberattack "carried out to obtain sensitive information for improper use," the court reasoned, the plaintiffs didn't allege that their data was "intentionally targeted or obtained." As such, any actions they took to purchase credit monitoring or identity theft protection services were not enough to establish injury.

The McMorris decision underscores a distinction between targeted data attacks by a threat actor and inadvertent data disclosures. In this particular case, the latter was not enough to establish a substantial risk of future harm.

The view from other courts 

Prior to McMorris, other courts reached similar decisions. For example, the Third Circuit did not find standing even when an unknown hacker penetrated a firewall of a payroll processing firm-potentially gaining access to the PII of approximately 27,000 employees at approximately 1,900 companies-because there was no evidence of maliciousness or that the hacker read, copied, or understood the data.2On the other hand, other courts have refused to require allegations of malicious targeting or misuse.3 

In the wake of the Supreme Court's Ramirez decision, it is unclear how courts will view "risk of future harm" allegations in data breach cases. In Ramirez, the Court rejected a "risk of future harm" argument made by plaintiffs whose credit reports were never provided to third parties. But the facts of that case involved the Fair Credit Reporting Act, which courts may distinguish in other cases. 


Despite these evolving legal nuances, one takeaway seems clear: securing PII and mitigating the risk of threats posed by disclosure is increasingly important. The various cases suggest that it matters whether a third party targeted or misused the data. This underscores the need for robust implementation of cybersecurity best practices and cross-functional team involvement in navigating incident responses.


1. McMorris v. Carlos Lopez & Assoc., LLC, 995 F.3d 295, 298 (2d. Cir. 2021).

2.Reilly v. Ceridian Corp., 664 F.3d 38, 40, 42 (3d. Cir. 2011).

3. See e.g., Krottner v. Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir. 2010) (the theft of a laptop containing unencrypted personal data was, alone, sufficient injury to confer standing).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More