Year in Review: Top 2023 Data Breach Litigation Trends (2024)

This post is part of a series of articles we are doing on 2023 data protection litigation trends. To stay up to date with our writings, please subscribe to the WilmerHale Privacy and Cybersecurity Blog.

One of the main risks that a company faces after a data breach is a potential lawsuit. Plaintiffs often will allege creative statutory and common law theories of harm after they learn that their personal information has been subject to a breach. However, one of the initial hurdles that plaintiffs face is meeting the standing requirement under Article III for federal court actions. This is particularly challenging for plaintiffs that have not experienced any actual misuse of their data at the time of filing their lawsuit. They rely instead on the argument that they face a substantial risk of future harm and that this risk is sufficient for standing. This argument has faced challenges in federal courts, especially after the Supreme Court's 2021 decision in TransUnion v. Ramirez, which ruled that a risk of future harm alone is not enough to establish standing to sue for damages. The Court left open the possibility, however, that a risk of future harm could confer standing if it also caused some other concrete harm to the plaintiffs, such as emotional distress, financial losses, or mitigation costs.

Since then, some federal circuit courts have adopted this reasoning and allowed data breach plaintiffs to proceed with their claims for damages, while others have dismissed them for lack of standing. This post examines data breach litigation cases in 2023, with a specific focus on how courts have evaluated standing claims that have implicated the TransUnion decision.

In light of the increasing number of data breaches, companies should pay close attention to data breach litigation trends. While the Supreme Court's TransUnion decision made it harder for plaintiffs to establish standing based on a mere risk of future harm, some lower courts have found ways to allow such claims to proceed if the risk has caused some other concrete injury. Companies should be aware of these developments and take proactive steps to prevent data breaches, mitigate their impact, and prepare to defend against potential lawsuits.

To stay up to date on these developments, please subscribe to the WilmerHale Privacy and Cybersecurity Blog.

Background

Plaintiffs in data-breach cases often sue before their breached data is misused. To establish standing in federal court, they often do not claim an actual injury, but a risk of future identity theft or fraud. The Supreme Court’s 2021 decision in TransUnion v. Ramirez appeared to deal a blow to such plaintiffs; it held that the risk of future harm alone cannot support standing to sue for damages.[1] But three federal circuit court decisions—one in 2022[2] and two in 2023[3]—have revived the hopes of plaintiffs who claim a risk of future harm. These decisions have held that data-breach plaintiffs have standing to seek damages based on an imminent risk of future identity theft or fraud, if that imminent risk has already caused them some separate, concrete harm.[4]

To establish standing to sue in federal court, plaintiffs need to show that they have suffered an injury in fact, traceable to the defendant, and redressable by the relief sought. An injury in fact, in turn, must be concrete and either actual or imminent. In 2023, data-breach decisions focused on this injury in fact requirement, as plaintiffs continued to sue before actually suffering an injury, claiming instead a substantial risk of future harm. While such a risk can confer standing to sue for injunctive relief, the Supreme Court made clear in TransUnion v. Ramirez that mere risk alone cannot support standing to seek retrospective damages.[5] The Court suggested, however, that the “risk of future harm” could give rise to standing in an action for damages where the risk “itself causes a separate concrete harm.”[6]

Overview of Notable 2023 Data Breach Litigation Decisions

In 2023, the First and Second Circuits seized on this suggestion from TransUnion, holding that a plaintiff who has established an imminent risk of future identity theft or fraud can sue for damages where they separately establish a present, concrete harm arising from the risk of future injury.[7] Among other theories discussed below, the First and Second Circuits concluded that plaintiffs already suffered concrete harms because they spent time and money mitigating the risks that their breached data will be misused. These decisions bring the First and Second Circuits into alignment with the Third Circuit’s 2022 decision in Clemens v. ExecuPharm Inc.[8]

A 2023 decision by the Seventh Circuit, by contrast, indicated that, after TransUnion, the risk of future data misuse can only support standing to seek injunctive relief, and never a suit for damages.[9]

The Eleventh Circuit also weighed in. While the Eleventh Circuit reasoned that after TransUnion, “a mere risk of future harm, without more, does not give rise to Article III standing for recovery of damages,” the panel held that the publication of plaintiffs’ data on the dark web constituted a present, concrete injury.[10]

The rest of this article provides additional details on these cases, focusing on the “concreteness” and “imminence” prongs of the standing test, which these decisions addressed.

1. Concreteness

The First and Second Circuits—as well as district courts across the country—advanced several different theories for how plaintiffs can demonstrate a present, concrete harm based on a future risk of identity theft or fraud.

  • Mitigation Costs. The most widely accepted theory—embraced by both the First and Second Circuits—is that plaintiffs suffer a concrete harm when they spend time and money mitigating the risk of identity theft and fraud.[11] Notably, one district judge used a defendant’s offer to pay for credit monitoring services as evidence that a plaintiff’s decision to take additional mitigation actions was reasonable.[12]
  • Emotional Distress. Courts disagreed on whether emotional distress caused by the risk of identity theft can constitute a concrete harm. In Whitfield v. ATC Healthcare Services, LLC, a district court in Brooklyn held that the plaintiff established standing based on the anxiety, sleep disruption, and fear she experienced because of her “financial security concerns.”[13] But in Florence v. Order Express, Inc., a district court in Chicago—which otherwise held that the plaintiffs had standing—concluded that emotional distress based on fear of future harm is too abstract to confer standing.[14]
  • Public Disclosure of Private Facts. In TransUnion, the Supreme Court analyzed whether plaintiffs alleged a concrete injury by considering whether their harms bore a “‘close relationship’ to a harm ‘traditionally’ recognized as providing a basis for a lawsuit in American courts.”[15] The TransUnion Court specifically found that plaintiffs whose inaccurate credit reports were shared with third parties had established a concrete injury, because those plaintiffs “suffered a harm with a ‘close relationship’ to the harm associated with the tort of defamation.”[16] Pointing to TransUnion, some courts, including the Second Circuit, reasoned that the “exposure” of personal information “to unauthorized third parties” constitutes a present, concrete harm because it bears a relationship to the common-law tort of public disclosure of private facts.[17]

2. Imminence

Before plaintiffs can establish a separate, concrete harm based on the imminent risk of identity theft or fraud, they must show that the risk is in fact imminent. In evaluating imminence in the data-breach context in 2023, federal courts have continued to apply the three factors first summarized by the Second Circuit in McMorris v. Carlos Lopez & Associates: (1) whether the data was intentionally hacked, (2) whether the data is especially sensitive, and (3) whether some portion of the dataset has already been misused.[18]

  • Whether the data was intentionally hacked. Where hackers target a database to steal personal information, courts are “more willing to find a likelihood of future identity theft or fraud.”[19] Where, by contrast, a thief steals a laptop, it's not as obvious that the thief’s purpose is to misuse personal data stored on the computer—the thief may simply want the laptop.[20]
  • Whether the data is especially sensitive. Courts have reasoned that when breached data is highly sensitive and difficult to change (e.g., a Social Security number), plaintiffs are more vulnerable to identity theft, and therefore the risk is more imminent.[21] The lack of sensitive data can defeat standing, as one 2023 district court decision shows. In Perkins v. CommonSpirit Health, a district court in Chicago dismissed a putative class action in part because the breached data “consisted only of non-sensitive demographic information,” and not the kind of “sensitive information, such as social security numbers and credit card information that would make future losses not only possible but imminent.”[22]
  • Whether some portion of the dataset has already been misused. Courts have differed significantly in the weight they assign this factor. In Bohnak v. Marsh, the Second Circuit found an imminent risk even where plaintiffs failed to show that any breached data had actually been misused or even published on the Dark Web.[23] A district court in Kansas, by contrast, treated the lack of any misuse as dispositive, holding that “[w]ithout any misuse to date, … the risk of future injury [is] too attenuated to establish standing.”[24] And one district court decision in Puerto Rico suggested a middle ground: while actual misuse of some of the dataset is not required, the court held, the plaintiff had still failed to show imminence because “she does not allege that the information has actually been put for sale or otherwise published.”[25]

1 594 U.S. 413, 436 (2021).

2 Clemens v. ExecuPharm Inc., 48 F.4th 146 (3d Cir. 2022).

3 Webb v. Injured Workers Pharmacy, LLC, 72 F.4th 365 (1st Cir. 2023); Bohnak v. Marsh & McLennan Cos., 79 F.4th 276 (2d Cir. 2023).

4 Webb, 72 F.4th at 376; Bohnak, 79 F.4th at 286; Clemens, 48 F.4th at 155-56.

5 TransUnion, 594 U.S. at 435-36.

6 Id. at 436.

7 Webb, 72 F.4th at 376; Bohnak, 79 F.4th at 286.

8 See Clemens, 48 F.4th at 155-56.

9 Dinerstein v. Google, 73 F.4th 502, 515 (7th Cir. 2023).

10 Green-Cooper v. Brinker International, Inc. (11th Cir. 2023).

11 Webb, 72 F.4th at 376; Bohnak, 79 F.4th at 286; see also Whitfield v. ATC Healthcare Services, LLC, 2023 WL 5417330 *4 (E.D.N.Y. Aug. 22, 2023); Florence v. Order Express, Inc., 2023 WL 3602248 *6 (N.D. Ill. May 23, 2023).

12 Florence, 2023 WL 3602248 at *6.

13 Whitfield, 2023 WL 5417330 at *4.

14 Florence, 2023 WL 3602248 at *6.

15 TransUnion, 594 U.S. at 424.

16 Id. at 432.

17 Bohnak, 79 F.4th at 285-86; Florence, 2023 WL 3602248 at *5 (“Since disclosure of private information is a sufficiently close common-law analogue for Plaintiff’s alleged harm, the injury is concrete.”); Miller v. Syracuse University, 2023 WL 2572937 *8-9 (N.D.N.Y. Mar. 20, 2023).

18 995 F.3d 295, 301-03 (2d Cir. 2021).

19 Bohnak, 79 F.4th at 288.

20 Farley v. Eye Care Leaders Holdings, LLC, 2023 WL 1353558 *3 (M.D.N.C. Jan. 31, 2023).

21 Webb, 72 F.4th at 376.

22 2023 WL 6520264 *2 (N.D. Ill. Oct. 5, 2023).

23 Bohnak, 79 F.4th at 289 (“We recognize that Bohnak … has not alleged any known misuse of information in the dataset accessed in the hack. But … such an allegation is not necessary to establish that an injury is sufficiently imminent to constitute an injury in fact.”); see also Clemens, 48 F.4th at 154 (“[M]isuse is not necessarily required.”).

24 Masterson v. Ima Financial Group, Inc., 2023 WL 8647157 *8 (D. Kan. Dec. 14, 2023); see also McCombs v. Delta Group Electronics, Inc., 2023 WL 3934666 *5 (D.N.M. June 9, 2023) (dismissing for lack of standing where “over a year has passed since the data breach and McCombs fails to allege that any of the compromised PII—whether hers or that of the proposed class—has been misused”).

25 Rivera-Marrero v. Banco Popular de Puerto Rico, 2023 WL 2744683 *12 (D.P.R. Mar. 31, 2023).

Article information

Author: Tyson Zemlak