Business as Usual – so Far – for Data Breach Cases After TransUnion LLC v. Ramirez

Privacy & Cybersecurity Newsletter
Fall 2021

The Supreme Court’s June 2021 decision in TransUnion LLC v. Ramirez led many to believe that data breach plaintiffs were going to have a difficult time establishing standing. After all, the Court suggested that exposure to the risk of future harm could only be used to pursue forward-looking, injunctive relief and not retrospective damages. This caused some to speculate that plaintiffs alleging the mere possibility of future harm due to the exposure of their personal information were in serious jeopardy of having their cases dismissed for lack of standing. So far, these predictions have been wrong.

The Future Harm Standing Analysis Before Ramirez

In McMorris v. Carlos Lopez & Associates, LLC, the Second Circuit determined in April 2021 that plaintiffs can establish injury in fact under an increased risk theory – provided the plaintiffs can sufficiently allege facts that meet the three-factor test:

(1) whether the plaintiffs’ data has been exposed as the result of a targeted attempt to obtain that data;

(2) whether any portion of the [compromised] dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and

(3) whether the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud.[1]

The Second Circuit applied the McMorris test again in Pena v. Brit. Airways, PLC, finding that the plaintiff adequately alleged a concrete and particularized injury because his personal information was exposed as part of a targeted attack by a third party and that information was subsequently misused.[2] Additionally, in Peiran Zheng v. Live Auctioneers LLC, the Southern District of New York found that the prima facie showing of standing was satisfied because the plaintiff alleged that data was taken by a malicious third party and sold on the internet.[3] The Eleventh Circuit also cited to the McMorris decision favorably when holding that “the allegations of some Plaintiffs that they have suffered injuries resulting from actual identify theft support the sufficiency of all Plaintiffs’ allegations that they face a risk of identity theft.”[4]

The Future Harm Standing Analysis After Ramirez

In Ramirez, the Supreme Court noted that “the mere risk of future harm, standing alone, cannot qualify as a concrete harm.”[5] However, the Court acknowledged that there could be standing if the “exposure to the risk of future harm itself causes a separate concrete harm.”[6] For instance, the Court conceded that a “risk of future physical, monetary, or reputational harm could cause its own emotional or psychological harm,”[7] similar to a claim for intentional infliction of emotional distress.

Unsurprisingly, lower courts began citing to Ramirez in recognition of the higher hurdle that the decision places on those future risk plaintiffs.[8] In most cases, the courts determined that the plaintiff failed to establish an injury-in-fact, and therefore dismissed the complaint for lack of standing.

But none of these cases involved a data breach. In data breach cases after Ramirez, courts have generally found procedural[9] or substantive ways of distinguishing Ramirez:

  • In re Blackbaud, Inc., Customer Data Breach Litig.[10] involves the disclosure of personal information after a ransomware attack. The defendants argued that the plaintiffs did not have standing because they did not allege that their injuries were traceable to the defendant’s conduct. Thus, the court did not reach the issue of an injury-in-fact. Notably, though, the court stated that if it had reached that issue, Ramirez would not have impacted its analysis due to the different procedural posture.[11]
  • In re GE/CBPS Data Breach Litigation[12] considered an unauthorized third party gaining access to employees’ personal information after the breach of an email account. While the defendants argued that Ramirez was relevant because the Supreme Court had “rejected the ‘risk of future harm’ theory proffered by the plaintiffs,”[13] the court essentially ignored the Supreme Court decision. Instead, the court applied the McMorris test and found that the plaintiffs had standing based on the risk of future harm.[14]
  • Cotter v. Checkers Drive-In Restaurants, Inc.[15] is a data breach class action brought after the defendant’s point-of-sale systems were compromised. Before the defendant filed an answer, the parties settled. When considering whether to approve the settlement, the district court found that Ramirez was inapplicable because it had involved a suit for statutory damages as opposed to compensatory damages and was decided at a different phase of litigation. Citing to McMorris, the court found that the plaintiffs had sufficiently demonstrated their standing based on a risk of future harm.

The Takeaway For Data Breach Litigants In A Post-Ramirez World

Courts are just beginning to grapple with the implication of Ramirez, and it is difficult to predict how a body of case law will develop immediately following such a consequential decision. Nonetheless, it is noteworthy that, thus far, the Article III standing analysis in data breach actions based on the risk of future harm has not changed in Ramirez’s aftermath. Rather, the McMorris test seems to fit neatly into the Ramirez framework, increasing the likelihood that the Second Circuit decision will continue to guide the issue for the conceivable future.

[1] 995 F.3d 295 (2d Cir. 2021).
[2] 849 F. App’x 13, 14 (2d Cir. 2021).
[3] Case No. 20-CV-9744 (JGK), 2021 WL 2043562, at *3 (S.D.N.Y. May 21, 2021).
[4] In re Equifax Inc. Customer Data Sec. Breach Litig., 999 F.3d 1247, 1263 (11th Cir. 2021) (underlining in original).
[5] TransUnion LLC v. Ramirez, 141 S. Ct. 2190, 2211, 210 L. Ed. 2d 568 (2021)
[6] Id.
[7] TransUnion, 141 S. Ct. at 2211.
[8] Lupia v. Medicredit, Inc., 8 F.4th 1184 (10th Cir. 2021) (“Even still, we recognize the difficulties in bringing a claim for damages based on a theory of future risk of harm.” (citing Ramirez, 141 S.Ct. at 2210-11)); In re FDCPA Mailing Vendor Cases, No. CV 21-2312, 2021 WL 3160794, at *6 (E.D.N.Y. July 23, 2021); Ward v. Nat’l Patient Acct. Servs. Sols., Inc., 9 F.4th 357 (6th Cir. 2021); Grauman v. Equifax Info. Servs., LLC, No. 20CV3152ENVAKT, 2021 WL 3239865, at *5 (E.D.N.Y. July 16, 2021); Beaudry v. TeleCheck Services, Inc., 854 Fed. Appx. 44 (6th Cir. July 27, 2021); Voss v. Quicken Loans LLC, No. 1:20-CV-756, 2021 WL 3810384, at *3 (S.D. Ohio Aug. 26, 2021); Davis v. Universal Prot. Servs., No. 20-CV-01758, 2021 WL 4037852 (E.D. Pa. Sept. 3, 2021); Kale v. Procollect, Inc., No. 2:20-CV-2776-SHM-TMP, 2021 WL 2784556, at *3 (W.D. Tenn. July 2, 2021); Iwaniw v. Early Warning Services, LLC, No. CV 20-5266, 2021 WL 3209856, at *3 (E.D. Pa. July 28, 2021).
[9] The facts in Ramirez had been adduced at trial, as opposed to in the pleadings stage.
[10] No. 3:20-mm-2972-JMC, 2021 WL 2718439 (D.S.C. July 1, 2021).
[11] Id. at *6 n.15.
[12] No. 1:20-cv-02903-KPF, 2021 WL 3406374 (S.D.N.Y., Aug. 4, 2021).
[13] In re GE/CBPS Data Breach Litigation, Case 1:20-cv-02903-KPF, ECF 69.
[14] In re GE/CBPS Data Breach Litigation, 2021 WL 3406374 at *7.
[15] No. 8:19-cv-1386-VMC-CPT, 2021 WL 3773414 (M.D. Fl. Aug. 25, 2021).