This is Part 1 of a two-part article on the recent U.S. In Part 2, we will discuss the implications of the decision for efforts to defeat class certification.

Individuals whose personal information was compromised in a data breach have had mixed success in bringing lawsuits in federal court against the companies that held their data. The federal courts of appeal have taken divergent views on when an increased risk of future identity theft or fraud arising out of a data breach is sufficient to establish standing. Recent decisions had been moving towards a more unified theory of standing, but the Supreme Court’s holding in TransUnion LLC v. June 25, 2021) will likely create new uncertainties. Although TransUnion did not involve a data breach, the Court’s opinion emphasizes that qualifying Article III injuries are those that go beyond procedural statutory violations and that a risk of future harm alone is insufficient under Article III in a suit for damages. As the lower courts interpret and apply TransUnion, it will probably become more difficult for data breach victims who allege imminent harm, as opposed to a harm that has already been realized, to establish standing to sue.

Recent Circuit Court Decisions: Tsao, McMorris and In re Equifax

federal circuit courts have followed varying approaches as to whether (1) increased risk of future identity theft is a sufficient basis to demonstrate injury-in-fact, and if so, (2) what allegations suffice to establish standing on that ground.

In February, the Eleventh Circuit held that conclusory allegations of an “elevated risk of identity theft” were insufficient to establish standing where hackers accessed a restaurant’s point-of-sale system, compromising victims’ credit and debit card information. The plaintiffs alleged that the breach, which lasted nearly a year, caused them to suffer a substantial risk of future identity theft. However, no plaintiff could point to any actual identity theft as a result of the breach. The plaintiffs also argued that they had already suffered concrete injuries, including lost credit card reward points, lost time and restricted card access, while their compromised cards were cancelled.

The Eleventh Circuit acknowledged that its sister circuits were divided on the question of whether increased risk of identity theft establishes injury-in-fact at the pleading stage. The court found that the loss of credit card and account numbers rarely leads to identity theft. The plaintiffs therefore did not face a “substantial risk” of identity theft and did not have standing on this basis. Plaintiffs had argued that they suffered concrete injuries because they were forced to respond to the breach. The court found that those injuries constituted “manufactur[ing] standing” because the plaintiffs “inflict harm on themselves based on their fears of hypothetical future harm that is not certainly impending.” The court left the door open to finding standing on the basis of increased risk of identity theft on a different set of facts.

In April, the Second Circuit attempted to harmonize the circuits’ treatment of increased risk of future identity theft in data breach cases by articulating a three-factor test. Carlos Lopez & Assocs., LLC, 995 F.3d 295 (2d Cir. 2021), the Second Circuit held that “plaintiffs may establish standing based on an increased risk of identity theft or fraud following the unauthorized disclosure of their data.” One of defendant’s employees accidentally sent a company-wide email that included the personal identifying information (PII) of 130 current and former employees. The PII exposed included “Social Security numbers, home addresses, dates of birth, telephone numbers, educational degrees, and dates of hire.” The plaintiffs had alleged injuries in the form of risk of future harm as well as time and costs spent implementing proactive protective measures.