The Court of Appeals for the Second Circuit has overturned a lower court’s dismissal of a case in which it determined the plaintiff lacked standing to sue, ruling that the threat of potential future harm — at least in the context of a data breach and identity theft — is sufficient for the plaintiff to have standing to sue in federal court.
A copy of the ruling in the case of Bohnak v. Marsh & McLennan can be accessed by clicking here.
The plaintiff is a former employee of the defendant, whose personal information — which was not encrypted by the defendant — was compromised in a data breach. The plaintiff filed suit, accusing the defendant of not adequately protecting her personally identifiable information (PII) and not warning her of their inadequate security practices.
While the District Court judge ruled the future risk of having her identity stolen was not enough for the plaintiff to have standing to sue, the public disclosure of her private information was enough to for her to have standing. But, the judge ruled, the plaintiff did not state a claim for which relief could be granted because she did not plausibly allege damages arising from the disclosure of her PII.
In referencing the Supreme Court’s ruling in TransUnion v. Ramirez, the Second Circuit ruled that the alleged injuries from the risk of future harm are concrete.
“The core of the injury Bohnak alleges here is that she has been harmed by the exposure of her private information — including her SSN and other PII — to an unauthorized malevolent actor,” the Appeals Court wrote. “This falls squarely within the scope of an intangible harm the Supreme Court has recognized as ‘concrete.’ “