September 25, 2021

Volume XI, Number 268

Advertisement

September 24, 2021

Subscribe to Latest Legal News and Analysis

September 23, 2021

Subscribe to Latest Legal News and Analysis

September 22, 2021

Subscribe to Latest Legal News and Analysis

Second Circuit Ruling Indicates Certain Plaintiffs May Continue to Bring Claims for Disclosure of Personal Information, But Language in Privacy Policy Inadequate for Breach of Contract Claim

As CPW reported earlier this year, the Second Circuit recently issued a monumental decision concerning Article III standing in a data breach.  In that case, McMorris v. Carlos Lopez & Assocs., 2021 U.S. App. LEXIS 12328 (2d Cir. Apr. 27, 2021), the court weaved through multiple rulings and created a multi-factor standing analysis.  Shortly thereafter, the Second Circuit issued a follow up decision that indicates the courthouse doors in that jurisdiction remain open to (certain) plaintiffs in data event litigations.  Read on to learn more.

In Pena, 2021 U.S. App. LEXIS 16529 (2d Cir. 2021), the plaintiff alleged that, in September 2018, the defendant announced it had suffered a data breach.  Information compromised through the breach included its customers’ names, billing and email addresses, and credit card numbers and expiry dates.  During the period of the alleged breach, the plaintiff allegedly used a credit card on the defendant’s website to purchase an airline ticket.  The plaintiff alleged that, shortly after that purchase, his card was used in $1,000 of unauthorized transactions, including several Uber rides.  The plaintiff alleged that these charges required him to call his bank from abroad to cancel the card and dispute the charges, which took him “between 10-20 minutes” and cost him “$0.20 a minute for the call.”

The district court granted a motion to dismiss, finding the plaintiff had neither adequately alleged a concrete injury to support Article III standing nor a breach of contract claim under Rule 12(b)(6).  Regarding the plaintiff’s alleged actions taken in response to his compromised credit cards, the court stated the “lost time and expenses” incurred were “not sufficient to confer standing . . . particularly where, as here, Plaintiff canceled the compromised credit cards.”  Pena, No. 18-cv-6278, 2020 U.S. Dist. LEXIS 60361 (E.D.N.Y. Mar. 30, 2020).

The Second Circuit, however, disagreed.  Applying the test that it developed in McMorris, the Second Circuit stated the plaintiff alleged a concrete and particularized injury when his personal information was disclosed due to “a targeted attempt to obtain” it (emphasis added).  Specifically, the court identified the following allegations in support of its conclusion:  two of the plaintiff’s credit cards were stolen as part of the data breach and the credit cards were subsequently misused for unauthorized transactions.

The Second Circuit, however, agreed with the lower court and found the plaintiff did not state a claim for breach of contract.   The plaintiff argued the defendant breached its own privacy policy, which stated “[a]ny personal information You supply to Us when You use this website will be used in accordance with Our Privacy Policy.”  The court disagreed with the notion that the privacy policy may serve as the underlying document because the policy itself expressly stated it was “not contractual.”

While the ruling on standing may be a boon for plaintiffs in data event litigations seeking to bring their claims in federal court, the real win here was for defendants.  The enforcement of the plain language in the defendant’s privacy policy as not forming a binding contract means that other plaintiffs will be similarly precluded from asserting comparable legal theories going forward. 

© Copyright 2021 Squire Patton Boggs (US) LLPNational Law Review, Volume XI, Number 180
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Kristin L. Bryan Litigation Attorney Squire Patton Boggs Cleveland, OH & New York, NY
Senior Associate

Kristin Bryan is a litigator experienced in the efficient resolution of contract, commercial and complex business disputes, including multidistrict litigation and putative class actions, in courts nationwide.

She has successfully represented Fortune 15 clients in high-stakes cases involving a wide range of subject matters.

As a natural extension of her experience litigating data privacy disputes, Kristin is also experienced in providing business-oriented privacy advice to a wide range of clients, with a particular focus on companies handling customers’ personal data. In this...

216-479-8070
Aaron Garavaglia Insurance Litigation Attorney Squire Patton Boggs Washington DC
Associate

Aaron Garavaglia focuses his practice on litigation, including insurance-related matters. As a litigator, he has worked with and addressed employment practices liability insurance policies, mass tort claims, insolvent insurers, captives and complex commercial litigation matters.

While in law school, Aaron interned at the US Department of Justice, US House of Representatives and US Court of Appeals for the Federal Circuit. Additionally, he was Senior Federal Circuit Editor for the American University Law Review.

Prior to law school, Aaron was a paralegal for an...

202-457-6436
Advertisement
Advertisement
Advertisement