McMorris v. Carlos Lopez & Assocs., LLC

995 F.3d 295

Devonne MCMORRIS, Plaintiff-Appellant,

Robin Steven, Sean Mungin, on behalf of themselves, all others similarly situated, and the general public, Plaintiffs,

v.CARLOS LOPEZ & ASSOCIATES, LLC, Carlos Lopez, Defendants-Appellees.

No. 19-4310

August Term 2020

United States Court of Appeals, Second Circuit.

Submitted: November 25, 2020

Decided: April 26, 2021

Abraham Z. Melamed, Derek Smith Law Group, PLLC, New York, NY, for Plaintiff-Appellant Devonne McMorris.

Joseph R. Palmore, Morrison & Foerster LLP, Washington, DC (Michael B. Miller, Lena H. Hughes, Janie Buckley, Morrison & Foerster LLP, New York, NY, on the brief), for Defendants-Appellees Carlos Lopez & Associates, LLC and Carlos Lopez.

Before: Calabresi, Katzmann, and Sullivan, Circuit Judges.

Richard J. Sullivan, Circuit Judge:

Plaintiff-Appellant Devonne McMorris appeals from an order of the United States District Court for the Southern District of New York (Furman, J. ) dismissing her claims against Defendants-Appellees Carlos Lopez & Associates, LLP and Carlos Lopez for lack of subject-matter jurisdiction because McMorris and her co-plaintiffs failed to allege an injury in fact sufficient to confer Article III standing. For the reasons set forth below, we affirm.

I. Background

This case involves the intersection of two phenomena that have become increasingly common in our digitized world: data breaches and inadvertent mass emails.

Carlos Lopez & Associates, LLP ("CLA") provides mental and behavioral health services to veterans, service members, and their families and communities.¹ In June 2018, a CLA employee accidentally sent an email to all of the approximately 65 employees at the company. Attached to the email was a spreadsheet containing sensitive personally identifiable information ("PII") – including Social Security numbers, home addresses, dates of birth, telephone numbers, educational degrees, and dates of hire – of approximately 130 then-current and former CLA employees. Two weeks later, CLA emailed its then-current employees to address the accidental email, but it did not contact any former employees regarding the disclosure or take any other corrective action.

After the PII spreadsheet was circulated, three individuals whose information had been shared – Robin Steven, Sean Mungin, and Devonne McMorris ("Plaintiffs") – filed a class-action complaint against CLA and its principal, Carlos Lopez. In their operative complaint, Plaintiffs asserted state-law claims for negligence, negligence per se, and statutory consumer protection violations on behalf of classes in California, Florida, Texas, Maine, New Jersey, and New York. They alleged that CLA "breached its duty to protect and safeguard [their] personal information and to take reasonable steps to contain the damage caused where such information was compromised." App'x 2. Although Plaintiffs did not allege that they had been the victims of fraud or identity theft as a result of the errant email, they claimed that, because their PII had been disclosed to all of CLA's then-current employees, they were "at imminent risk of suffering identity theft" and becoming the victims of "unknown but certainly impending future crimes." Id. at 6, 9. Moreover, while they did not allege that the PII in the spreadsheet was ever shared with anyone outside of CLA or taken or misused by any third parties, Plaintiffs claimed that they cancelled credit cards, purchased credit monitoring and identity theft protection services, and spent time assessing whether they should apply for new Social Security numbers after the email incident.

CLA moved to dismiss Plaintiffs’ claims for, among other things, lack of Article III standing. But before the deadline for Plaintiffs’ response to the motion to dismiss, the parties reached a class settlement, which they asked the district court to approve. In advance of the scheduled class settlement fairness hearing, the district court sua sponte ordered further briefing on whether Plaintiffs possessed Article III standing.

At the fairness hearing held on November 14, 2019, the court informed the parties of its preliminary conclusion that Plaintiffs lacked Article III standing because they failed to allege "an injury that is concrete and particularized and certainly impending." App'x 67. The district court emphasized that "the parties concede that there is no evidence that any class members’ identity was actually stolen ..., let alone misused," and that the sharing of Plaintiffs’ PII "was not the result of any intentional act by third parties," such as "hacking or some sort of criminal conduct from which it could be inferred that those [who] retained data intended to and were likely to misuse it." Id. at 69. Rather, "the gravamen of the claim in this case is that defendants essentially acted with insufficient care by sharing [PII] of class members with employees within the company." Id.

On November 22, 2019, the district court issued a written opinion formally denying the outstanding motion for approval of the class settlement and dismissing the case for lack of subject-matter jurisdiction. See Steven v. Carlos Lopez & Assocs., LLC , 422 F. Supp. 3d 801, 807 (S.D.N.Y. 2019). In that opinion, the district court noted that, unlike several other circuits, the Second Circuit has not yet addressed whether plaintiffs alleging the theft or inadvertent disclosure of their data may establish standing to bring claims against the entity that held their data based on an increased risk of future identity theft or fraud. See id. at 804. The district court explained, however, that even if the Second Circuit were to recognize such a theory, "it would be of no help to Plaintiffs in this case" because they failed to allege facts indicating that they faced "certainly impending" identity theft or fraud, or even a "substantial risk" of such harm. Id. (internal quotation marks omitted). The district court recognized that, unlike the cases in which other circuits have held that data breach victims have established standing based on a risk of future identity theft, Plaintiffs here did not allege that their data had been misused in any way or compromised as the result of an intentionally targeted data theft. See id. at 804–05. Indeed, the district court observed that "it is arguably a misnomer to even call this case a ‘data breach’ case," since, "[a]t best, the data was ‘misplaced’ " by an internal CLA employee rather than taken by a third party. Id. at 806 n.3 (internal citations omitted).

The district court also held that Plaintiffs could not establish an Article III injury in fact based on "the time and money spent monitoring or changing their financial information and accounts." Id. at 807. The court explained that, since Plaintiffs failed to allege a substantial risk of identity theft or that such harm was certainly impending, they could not establish standing by, in essence, inflicting harm on themselves based on a speculative fear of future identity theft. See id.

After concluding that Plaintiffs lacked Article III standing, the district court held that it was "powerless to approve the parties’ proposed class settlement" and dismissed the case for lack of subject-matter jurisdiction. Id. (internal quotation marks omitted). Following the district court's decision, McMorris (without the other named Plaintiffs) appealed.

II. Discussion

"The existence of standing is a question of law that we review de novo ." Shain v. Ellison , 356 F.3d 211, 214 (2d Cir. 2004). Because federal courts are courts of limited jurisdiction, if a "court determines at any time that it lacks subject-matter jurisdiction, the court must dismiss the action." Fed. R. Civ. P. 12(h)(3). That is so even when a court is asked only to approve a class-action settlement, since "[a] court is powerless to approve a proposed class settlement if it lacks jurisdiction over the dispute." Frank v. Gaos , ––– U.S. ––––, 139 S. Ct. 1041, 1046, 203 L.Ed.2d 404 (2019). In a class action, "federal courts lack jurisdiction if no named plaintiff has standing." Id.

"To establish standing under Article III of the Constitution, a plaintiff must demonstrate (1) that he or she suffered an injury in fact that is concrete, particularized, and actual or imminent, (2) that the injury was caused by the defendant, and (3) that the injury would likely be redressed by the requested judicial relief." Thole v. U.S. Bank N.A. , ––– U.S. ––––, 140 S. Ct. 1615, 1618, 207 L.Ed.2d 85 (2020). "The party invoking federal jurisdiction bears the burden of establishing" each element of standing, which "must be supported in the same way as any other matter on which the plaintiff bears the burden of proof, i.e. , with the manner and degree of evidence required at successive stages of litigation." Lujan v. Defs. of Wildlife , 504 U.S. 555, 561, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992). This case concerns only the first element of Article III standing: the existence of an injury in fact.

With respect to that element, the Supreme Court has made clear that "allegations of possible future injury" or even an "objectively reasonable likelihood" of future injury are insufficient to confer standing. Clapper v. Amnesty Int'l USA , 568 U.S. 398, 409–10, 133 S.Ct. 1138, 185 L.Ed.2d 264 (2013) (internal quotation marks, alterations, and emphasis omitted). Rather, a future injury constitutes an Article III injury in fact only "if the threatened injury is certainly impending, or there is a substantial risk that the harm will occur." Susan B. Anthony List v. Driehaus , 573 U.S. 149, 158, 134 S.Ct. 2334, 189 L.Ed.2d 246 (2014) (internal quotation marks omitted).

This Court has not yet addressed whether a plaintiff may establish standing based on a risk of future identity theft or fraud stemming from the unauthorized disclosure of that plaintiff's data. Some courts have suggested that there is a circuit split on the issue. See, e.g. , Tsao v. Captiva MVP Rest. Partners, LLC , 986 F.3d 1332, 1340 (...