As CPW reported earlier this year, the Second Circuit recently issued a monumental decision concerning Article III standing in a data breach. In that case, McMorris v. Carlos Lopez & Assocs., 2021 U.S. App. LEXIS 12328 (2d Cir. Apr. 27, 2021), the court weaved through multiple rulings and created a multi-factor standing analysis. Shortly thereafter, the Second Circuit issued a follow up decision that indicates the courthouse doors in that jurisdiction remain open to (certain) plaintiffs in data event litigations. Read on to learn more.
In Pena, 2021 U.S. App. LEXIS 16529 (2d Cir. 2021), the plaintiff alleged that, in September 2018, the defendant announced it had suffered a data breach. Information compromised through the breach included its customers’ names, billing and email addresses, and credit card numbers and expiry dates. During the period of the alleged breach, the plaintiff allegedly used a credit card on the defendant’s website to purchase an airline ticket. The plaintiff alleged that, shortly after that purchase, his card was used in $1,000 of unauthorized transactions, including several Uber rides. The plaintiff alleged that these charges required him to call his bank from abroad to cancel the card and dispute the charges, which took him “between 10-20 minutes” and cost him “$0.20 a minute for the call.”
The district court granted a motion to dismiss, finding the plaintiff had neither adequately alleged a concrete injury to support Article III standing nor a breach of contract claim under Rule 12(b)(6). Regarding the plaintiff’s alleged actions taken in response to his compromised credit cards, the court stated the “lost time and expenses” incurred were “not sufficient to confer standing . . . particularly where, as here, Plaintiff canceled the compromised credit cards.” Pena, No. 18-cv-6278, 2020 U.S. Dist. LEXIS 60361 (E.D.N.Y. Mar. 30, 2020).
The Second Circuit, however, disagreed. Applying the test that it developed in McMorris, the Second Circuit stated the plaintiff alleged a concrete and particularized injury when his personal information was disclosed due to “a targeted attempt to obtain” it (emphasis added). Specifically, the court identified the following allegations in support of its conclusion: two of the plaintiff’s credit cards were stolen as part of the data breach and the credit cards were subsequently misused for unauthorized transactions.