McMorris v. Carlos Lopez & Assocs., LLC
995 F.3d 295 (2d Cir. 2021)
Background
- CLA employee accidentally emailed an attached spreadsheet containing sensitive PII (including Social Security numbers, DOBs, addresses, phone numbers) of ~130 current and former employees to ~65 CLA employees in June 2018; current employees were notified two weeks later, former employees were not.
- Three affected individuals (including McMorris) sued as a putative class, asserting state-law negligence and consumer-protection claims, alleging they faced an imminent risk of identity theft though none alleged actual misuse of their PII.
- Plaintiffs sought class settlement approval; the district court sua sponte questioned Article III standing and held a hearing, then denied settlement approval and dismissed for lack of subject-matter jurisdiction.
- District court found plaintiffs failed to allege a "certainly impending" or "substantial" risk of identity theft because the disclosure was internal (no targeted third‑party theft and no alleged misuse), and therefore plaintiffs’ mitigation expenses/time could not create standing.
- The Second Circuit held that an increased-risk theory can, in principle, satisfy Article III standing after a data disclosure, but affirmed dismissal here because McMorris failed to allege facts showing a substantial, concrete, or imminent risk (no targeted attack, no misuse of any portion of the dataset, and sensitive data alone insufficient).
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Whether plaintiffs can establish Article III standing based on an increased risk of identity theft after unauthorized data disclosure | McMorris: risk of identity theft from disclosure of sensitive PII to many employees is sufficiently concrete and imminent to confer standing | CLA: no standing because there was no misuse, no evidence of third‑party access, and the disclosure was an internal mistake | Court: Yes in principle — increased‑risk theory can confer standing, but depends on facts (targeting, misuse, sensitivity) |
| Whether the internal, inadvertent disclosure (not a targeted theft) suffices to show a substantial risk of future identity theft | McMorris: internal dissemination still creates substantial risk because many employees received PII | CLA: internal error without evidence of leakage or malicious intent is too speculative to support standing | Held: Internal, inadvertent disclosure without allegations of external access or misuse is insufficient here to establish substantial risk |
| Whether mitigation costs/time spent protecting oneself after disclosure can constitute injury in fact | McMorris: expenses and time spent (credit monitoring, cancelling cards) are injuries caused by the disclosure | CLA: such self‑inflicted mitigation cannot create standing absent a substantial risk of future harm | Held: Mitigation expenses can be an injury only if plaintiffs have otherwise shown a substantial risk; here plaintiffs failed that predicate, so mitigation expenses do not create standing |
| Whether a district court may approve a class settlement absent named‑plaintiff standing | McMorris: (seeking settlement approval) | CLA: (opposed or defended on merits) | Held: Court cannot approve a class settlement without subject‑matter jurisdiction; named plaintiffs must have standing |
Key Cases Cited
- Clapper v. Amnesty Int’l USA, 568 U.S. 398 (2013) (future injury must be certainly impending or present a substantial risk to support standing)
- Susan B. Anthony List v. Driehaus, 573 U.S. 149 (2014) (threatened injury qualifies if certainly impending or substantial risk)
- Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992) (standing burden and proof standards)
- Thole v. U.S. Bank N.A., 140 S. Ct. 1615 (2020) (Article III standing elements summarized)
- Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015) (targeted hacks imply likely misuse and support standing)
- In re U.S. Office of Pers. Mgmt. Data Sec. Breach Litig., 928 F.3d 42 (D.C. Cir. 2019) (evidence of misuse in a breach supports standing; targeted theft is significant)
- In re Zappos.com, Inc., 888 F.3d 1020 (9th Cir. 2018) (misuse by some victims in same breach supports standing for others)
- Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017) (internal loss or non‑targeted exposure often too speculative for standing)
- Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011) (no misuse alleged, no standing on facts of that case)
- In re SuperValu, Inc., 870 F.3d 763 (8th Cir. 2017) (mitigation costs do not create standing absent substantial risk)
- Attias v. CareFirst, Inc., 865 F.3d 620 (D.C. Cir. 2017) (sensitive identifiers like SSNs increase risk and bear on standing analysis)
- Fero v. Excellus Health Plan, Inc., 304 F. Supp. 3d 333 (W.D.N.Y. 2018) (availability of PII on Dark Web can support Article III injury)
