As CPW reported earlier this year, the Second Circuit recently issued a monumental decision concerning Article III standing in a data breach.  In that case, McMorris v. Carlos Lopez & Assocs., 2021 U.S. App. LEXIS 12328 (2d Cir. Apr. 27, 2021), the court wove through multiple rulings and created a multi-factor standing analysis.  Shortly thereafter, the Second Circuit issued a follow-up decision that indicates the courthouse doors in that jurisdiction remain open to (certain) plaintiffs in data event litigations.  Read on to learn more.

In Pena, 2021 U.S. App. LEXIS 16529 (2d Cir. 2021), the plaintiff alleged that, in September 2018, the defendant announced it had suffered a data breach.  Information compromised through the breach included its customers’ names, billing and email addresses, and credit card numbers and expiry dates.  During the period of the alleged breach, the plaintiff allegedly used a credit card on the defendant’s website to purchase an airline ticket.  The plaintiff alleged that, shortly after that purchase, his card was used in $1,000 of unauthorized transactions, including several Uber rides.  The plaintiff alleged that these charges required him to call his bank from abroad to cancel the card and dispute the charges, which took him “between 10-20 minutes” and cost him “$0.20 a minute for the call.”

The district court granted a motion to dismiss, finding the plaintiff had adequately alleged neither a concrete injury to support Article III standing nor a breach of contract claim under Rule 12(b)(6).  Regarding the plaintiff’s alleged actions taken in response to his compromised credit cards, the court stated the “lost time and expenses” incurred were “not sufficient to confer standing . . . particularly where, as here, Plaintiff canceled the compromised credit cards.”  Pena, No. 18-cv-6278, 2020 U.S. Dist. LEXIS 60361 (E.D.N.Y. Mar. 30, 2020).

The Second Circuit, however, disagreed.  Applying the test that it developed in McMorris, the Second Circuit stated the plaintiff alleged a concrete and particularized injury when his personal information was disclosed due to “a targeted attempt to obtain” it (emphasis added).  Specifically, the court identified the following allegations in support of its conclusion:  two of the plaintiff’s credit cards were stolen as part of the data breach and the credit cards were subsequently misused for unauthorized transactions.

The Second Circuit, however, agreed with the lower court and found the plaintiff did not state a claim for breach of contract.  The plaintiff argued the defendant breached its own privacy policy, which stated “[a]ny personal information You supply to Us when You use this website will be used in accordance with Our Privacy Policy.”  The court disagreed with the notion that the privacy policy may serve as the underlying document because the policy itself expressly stated it was “not contractual.”

While the ruling on standing may be a boon for plaintiffs in data event litigations seeking to bring their claims in federal court, the real win here was for defendants.  The enforcement of the plain language in the defendant’s privacy policy as not forming a binding contract means that other plaintiffs will be similarly precluded from asserting comparable legal theories going forward.  For more on this, stay tuned.  CPW will be there to keep you in the loop.