Bohnak v. Marsh & McLennan Companies, Inc.
79 F.4th 276 | 2d Cir. | 2023

Background

  • Plaintiff Nancy Bohnak, a former MMA employee, alleges Defendants Marsh & McLennan Companies and Marsh & McLennan Agency stored unencrypted PII for ~7,000 people and that a targeted April 2021 hack of third‑party software exposed her name and Social Security number.
  • Bohnak claims injuries including diminished value of PII, out‑of‑pocket mitigation costs, lost time/opportunity costs, and a continued increased risk of identity theft.
  • Defendants moved to dismiss for lack of Article III standing and, alternatively, for failure to plausibly plead cognizable damages under Rule 12(b)(6).
  • The district court found standing (based on an analogy to public disclosure of private facts) but held Bohnak failed to plead damages capable of proof with reasonable certainty and dismissed monetary and injunctive claims.
  • The Second Circuit held TransUnion governs whether a risk‑based injury is "concrete" and McMorris governs whether it is "actual or imminent," concluded Bohnak alleged a concrete and imminent injury (standing), and reversed the dismissal of damages and remanded.

Issues

| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Whether exposure of PII and attendant risk of identity theft can supply Article III injury in fact | Bohnak: exposure of SSN/name in a targeted hack and mitigation costs are concrete, particularized, and imminent injuries | Defendants: mere risk of future misuse is not a concrete injury under TransUnion; no standing | Held: Yes. TransUnion makes disclosure of private information a cognizable "concrete" injury; McMorris factors show injury is "actual or imminent." |
| Whether TransUnion precludes risk‑based damages claims | Bohnak: TransUnion allows intangible harms (e.g., disclosure of private info) and separate present harms (emotional distress, mitigation costs) to be concrete | Defendants: TransUnion defeats standing for risk‑only claims | Held: TransUnion controls "concreteness" and supports damages claims where disclosure maps to common‑law analogs or causes present mitigation costs. |
| Whether the alleged future harm is sufficiently imminent (McMorris factors) | Bohnak: targeted attack + exposure of SSN (high‑risk data) creates a substantial, imminent risk | Defendants: absence of actual misuse undermines imminence | Held: McMorris factors (targeted attack, type of data) support a substantial risk here; imminence satisfied. |
| Whether alleged mitigation time/money and diminished PII value are cognizable damages provable with reasonable certainty | Bohnak: mitigation costs and lost time are concrete, provable damages; monetary relief appropriate | Defendants: damages are speculative and not provable with reasonable certainty | Held: Damages are cognizable; mitigation costs and lost time are reasonably provable, so dismissal under Rule 12(b)(6) was erroneous. |

Key Cases Cited

  • TransUnion, LLC v. Ramirez, 141 S. Ct. 2190 (2021) (risk‑based harms are "concrete" when analogous to traditional harms or when exposure causes separate present harms)
  • McMorris v. Carlos Lopez & Assocs., 995 F.3d 295 (2d Cir. 2021) (three‑factor framework for when data exposure creates a substantial, imminent risk of identity theft)
  • Spokeo, Inc. v. Robins, 578 U.S. 330 (2016) (Article III concreteness inquiry and historical analogues)
  • Clapper v. Amnesty Int’l USA, 568 U.S. 398 (2013) (standing for forward‑looking injunctive relief requires imminent and substantial risk)
  • Thole v. U.S. Bank N.A., 140 S. Ct. 1615 (2020) (Article III standing elements summarized)
  • Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015) (targeted hacks imply purpose to commit fraud; supports standing)
  • Webb v. Injured Workers Pharmacy, LLC, 72 F.4th 365 (1st Cir. 2023) (time spent mitigating after breach can be a concrete injury)
  • Clemens v. ExecuPharm Inc., 48 F.4th 146 (3d Cir. 2022) (post‑TransUnion: mitigation expenses or emotional distress from substantial risk suffice for concreteness)
  • In re U.S. OPM Data Security Breach Litig., 928 F.3d 42 (D.C. Cir. 2019) (costs to mitigate or avoid harm can support standing where a substantial risk exists)
  • Dieffenbach v. Barnes & Noble, Inc., 887 F.3d 826 (7th Cir. 2018) (credit‑monitoring fees after a breach are real, measurable damages)

Case Details

Case Name: Bohnak v. Marsh & McLennan Companies, Inc.
Court Name: Court of Appeals for the Second Circuit
Date Published: Aug 24, 2023
Citation: 79 F.4th 276
Docket Number: 22-319
Court Abbreviation: 2d Cir.