To embed, copy and paste the code into your website or blog:
Is there standing to bring a lawsuit when an employee’s personal information is mistakenly circulated to all employees at the company? A recent decision addressed exactly this question. In
McMorris v. Carlos Lopez & Assocs.,
LLC, No. 19-4310, 2021 WL 1603808 (2d Cir. Apr. 26, 2021), the Second Circuit affirmed the district court in finding that the harm plaintiffs alleged (an increased risk of identity theft) was too speculative and remote to satisfy the injury-in-fact requirement of Article III standing. However, the court did not completely shut the door on this theory of harm, holding that an “increased risk” of identity theft could, under certain circumstances, qualify as an injury-in-fact for purposes of Article III standing. In doing so, the Second Circuit aligned with a number of its sister circuits which had previously recognized the potential validity of this approach.
To embed, copy and paste the code into your website or blog:
Do you want a simple way to keep current on important privacy changes? Avoid sleepless nights wondering whether you missed a privacy speed bump or pothole between annual updates? Worry no longer. Troutman Pepper is pleased to offer
More Privacy, Please a monthly newsletter recapping significant industry and legal developments, as well as trends in the areas of cybersecurity, information governance, and privacy.
U.S. LAWS AND REGULATION
Federal
FTC Publishes AI Best Practices. Building upon its April 2020 guidance on Using Artificial Intelligence and Algorithms, on April 19, the FTC published new guidance focused on how businesses can promote truth, fairness, and equity in their use of AI. While recognizing the potential benefits of AI, the guidance stresses the need to avoid inadvertently introducing bias or other unfair outcomes. As a basis for its best practices and lessons learned for using AI, the guidance cites
On April 26, 2021, the Second Circuit Court of Appeals decided the case of
McMorris v. Carlos Lopez & Assocs., No. 19-4310, 2021 WL 1603808 (2d Cir. Apr. 26, 2021) and addressed one of the most critical issues in private data breach class actions – whether victims of a data breach can establish Article III standing by alleging they are at an increased risk of identity theft or fraud, even if their personal data has not yet been misused.
Although the district court’s ruling that plaintiffs did not establish standing was upheld, the Second Circuit found that victims of a data breach can establish standing based on a risk of future identity theft or fraud. The court also put forward a three-factor test to determine if standing exists when misuse of plaintiffs’ data has not yet occurred.
To embed, copy and paste the code into your website or blog:
Earlier this week, the United States Court of Appeals for the Second Circuit held that where personal information is disclosed without authorization, impacted individuals may have standing to sue if they can show an “increased risk” of identity theft or fraud, even if this hasn’t yet happened. The court, which had not before decided if plaintiffs could establish standing based on the risk of
future identity theft or fraud resulting from the unauthorized disclosure of their data, articulated a non-exhaustive three-factor test: (1) whether the data was compromised as part of a targeted attack intended to obtain the plaintiff’s data; (2) whether at least some part of the compromised data set was misused (even if the plaintiff’s data was not); and (3) whether the type of data at issue is likely to cause a risk of perpetual identity theft or fraud.
The Second Circuit just affirmed the dismissal of a data breach class action predicated on an alleged increased risk of identity theft on Article III standing grounds. McMorris v. Carlos Lopez & Assocs., LLC