422 F.Supp.3d 801
S.D.N.Y. 2019
Background
- In June 2018 a CLA employee accidentally emailed personal information of ~130 current/former CLA employees to a distribution list of ~65 current employees. No evidence showed the information left CLA or was misused.
- Several affected individuals sued on behalf of a putative class, alleging negligence and statutory violations.
- Defendants moved to dismiss for lack of Article III standing. Before Plaintiffs opposed, parties reached a class-wide settlement and sought Rule 23(e) approval and attorneys’ fees.
- The court noted a duty to confirm Article III standing before approving a class settlement (citing Frank v. Gaos) and considered whether plaintiffs’ theories met the injury-in-fact requirement.
- The court held plaintiffs lacked standing: they alleged only a speculative increased risk of future identity theft (no hack, theft, access, or misuse by an unauthorized third party), and self‑help mitigation costs cannot manufacture standing.
- The court denied settlement approval and dismissed the case for lack of subject‑matter jurisdiction.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Whether named plaintiffs have Article III standing to approve a class settlement | Increased risk of future identity theft based on improper disclosure via internal misaddressed email | No standing because there is no actual or imminent injury; no evidence of access, theft, or misuse by a third party | No standing: speculative risk insufficient absent evidence of unauthorized third‑party theft or misuse |
| Whether mitigation expenditures (time/money monitoring accounts) confer standing | Plaintiffs alleged time and money spent monitoring accounts after the email | These costs are self‑inflicted responses to speculative risk and cannot create standing | Costs do not confer standing; self‑inflicted mitigation cannot manufacture Article III injury |
| Whether a court may approve a class settlement without resolving standing | Plaintiffs argued settlement moots defendants’ standing challenge; parties agreed defendants would not press standing | Court must independently assure Article III jurisdiction before approving a class settlement | Court must determine standing before approving settlement; cannot approve absent jurisdiction |
| Whether the facts here are analogous to data‑breach cases that find standing | Plaintiffs relied on precedents recognizing standing where data breaches increased identity‑theft risk | Defendants distinguished those cases because they involve intentional theft/hacking and evidence of misuse | Distinguished: precedents finding standing involved intentional third‑party access or actual misuse; those facts are absent here |
Key Cases Cited
- Steel Co. v. Citizens for a Better Env’t, 523 U.S. 83 (1998) (federal courts are courts of limited jurisdiction; must ensure Article III case-or-controversy)
- Sprint Commc’ns Co. v. APCC Servs., Inc., 554 U.S. 269 (2008) (standing is required to satisfy Article III)
- Frank v. Gaos, 139 S. Ct. 1041 (2019) (district courts must ensure named plaintiffs have standing before approving class settlements)
- Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) (injury-in-fact must be concrete and particularized)
- Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013) (threatened injury requires harms that are certainly impending or pose a substantial risk; speculative chains fail)
- Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015) (where hackers intentionally steal data, a substantial risk of misuse and identity theft is plausible)
- In re U.S. Office of Pers. Mgmt. Data Sec. Breach Litig., 928 F.3d 42 (D.C. Cir. 2019) (data‑breach standing where plaintiffs alleged targeted theft and some misuse)
- Attias v. Carefirst, Inc., 865 F.3d 620 (D.C. Cir. 2017) (unauthorized third‑party access can support an inference of substantial risk of misuse)
- Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016) (similar reasoning on plausibility of risk after intentional theft)
- Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017) (mere theft or loss, absent evidence the thief targeted or used data, is too speculative to confer standing)
- Katz v. Pershing, LLC, 672 F.3d 64 (1st Cir. 2012) (no standing where data exposure lacks any indication of access or misuse)
- Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011) (time/money spent monitoring for speculative future crimes does not create standing)
