In Steven v. Carlos Lopez & Assocs., No. 18-CV-6500 (JMF), 2019 U.S. Dist. LEXIS 203621 (S.D.N.Y. Nov. 22, 2019), Judge Furman declined to approve a class-wide settlement in a data breach case because the named plaintiffs lacked Article III standing. The opinion is excerpted below.
In June 2018, an employee of Defendant Carlos Lopez & Associates, LLC (“CLA”), a provider of mental and behavioral health services to veterans and others, accidentally sent an email containing personal information about approximately 130 current and former CLA employees to a distribution list of current CLA employees (a group numbering about sixty-five). ECF No. 18 (“Compl.”), ¶¶ 1, 19-20; see also Nov. 14, 2019 Tr. (“Tr.”) 10. Although there is no evidence that the personal information contained in the email was shared with anyone outside of CLA, let alone misused, several people whose information had been shared sued on behalf of a class of all those whose information had been shared, alleging negligence and violations of several states’ laws. Compl. ¶¶ 21-23, 64-101. Defendants CLA and Carlos Lopez moved to dismiss for, among other things, lack of Article III standing, see ECF Nos. 24-25, but before Plaintiffs filed any opposition to that motion, the parties reached a class-wide settlement, see ECF No. 33. Plaintiffs now move, pursuant to Rule 23(e) of the Federal Rules of Civil Procedure, for approval of the parties’ settlement and an award of attorney’s fees. Although unopposed, Plaintiffs’ motion is denied.

. . . the Court is not free to stick its head in the sand. Instead, it must confirm for itself that Plaintiffs have standing. The Court concludes that they do not.

To establish Article III standing, a plaintiff must allege, among other things, “injury in fact.” Susan B. Anthony List v. Driehaus, 134 S. Ct. 2334, 2341 (2014). An injury-in-fact is “an invasion of a legally protected interest that is concrete and particularized and actual or imminent, not conjectural or hypothetical.” Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1548 (2016) (internal quotation marks omitted). . . .
Applying these principles, many courts have held that plaintiffs alleging the theft of personal identifying information in a “data breach” have standing to bring claims against the entity that had held their data based on an increased risk of future identity theft. See, e.g., In re U.S. Office of Pers. Mgmt. Data Sec. Breach Litig., 928 F.3d 42, 55-61 (D.C. Cir. 2019) (“OPM”); Attias v. Carefirst, Inc., 865 F.3d 620, 628-29 (D.C. Cir. 2017); Galaria v. Nationwide Mut. Ins. Co., 663 F. App’x 384, 387-89 (6th Cir. Sept. 12, 2016) (unpublished); Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963, 967-68 (7th Cir. 2016); Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 692, 694-95 (7th Cir. 2015); Fero v. Excellus Health Plan, Inc., 304 F. Supp. 3d 333, 338-40 (W.D.N.Y. 2018); Sackin v. TransPerfect Glob., Inc., 278 F. Supp. 3d 739, 746 (S.D.N.Y. 2017). . . .

Indeed, if anything, the cases cited above demonstrate why their “increased risk” theory — upon which their claim of standing depends — is too speculative to survive scrutiny. In several of these cases, at least one named plaintiff alleged actual misuse of his or her personal information by the suspected data thief. See, e.g., OPM, 928 F.3d at 56 (noting that “several” plaintiffs “allege that unauthorized charges have appeared on their existing credit card and bank account statements since the breaches”); Lewert, 819 F.3d at 967 (noting that one plaintiff “asserts that he already has experienced fraudulent charges”); Remijas, 794 F.3d at 690 (noting that 9,200 of the 350,000 credit cards potentially exposed to malware “were known to have been used fraudulently”). And in all of them, the data was stolen by hackers or cyber criminals who had intentionally targeted the data. See OPM, 928 F.3d at 50; Attias, 865 F.3d at 623; Galaria, 663 F. App’x at 386; Lewert, 819 F.3d at 965; Remijas, 794 F.3d at 690; Fero, 304 F. Supp. 3d at 335; Sackin, 278 F. Supp. 3d at 744.
Notably, when pressed on the point at oral argument, Plaintiffs’ counsel could not name a single case in which a court had found standing based on the risk of future identity theft that did not arise from such an intentional act. See Tr. 14-15. Thus, “these cases have a common denominator. In each of them, the plaintiffs’ data actually had been [targeted and taken] by one or more unauthorized third parties.” Katz v. Pershing, LLC, 672 F.3d 64, 80 (1st Cir. 2012). That intentional act of theft gave rise, in turn, to a plausible inference that the stolen data would be misused. As the Seventh Circuit put it in Remijas, where data is intentionally stolen by a hacker “it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the . . . data breach. Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.” 794 F.3d at 693; see, e.g., Attias, 865 F.3d at 628-29 (holding that where an “unauthorized party” has accessed personally identifying data “it is plausible . . . to infer that this party has both the intent and the ability to use that data for ill. . . . No long sequence of uncertain contingencies involving multiple independent actors has to occur before the plaintiffs in this case will suffer any harm; a substantial risk of harm exists already, simply by virtue of the hack and the nature of the data that the plaintiffs allege was taken.”); Lewert, 819 F.3d at 967 (“It is plausible to infer a substantial risk of harm from the data breach, because a primary incentive for hackers is sooner or later to make fraudulent charges or assume those consumers’ identities.” (internal quotation marks omitted)); Galaria, 663 F. App’x at 388 (“There is no need for speculation where Plaintiffs allege that their data has already been stolen and is now in the hands of ill-intentioned criminals. . . . Where a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims’ data for . . . fraudulent purposes . . . .”).

By contrast, in the absence of an allegation or evidence that an unauthorized third party intentionally stole the data at issue, courts have concluded that the risk of identity theft is too speculative to support Article III standing. See, e.g., Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017); Katz, 672 F.3d at 79-80; Randolph v. ING Life Ins. & Annuity Co., 486 F. Supp. 2d 1, 7-8 (D.D.C. 2007); see also Reilly v. Ceridian Corp., 664 F.3d 38, 40, 44 (3d Cir. 2011) (holding that employees lacked standing to bring claims where an unknown hacker had penetrated their company’s payroll system firewall because it was “not known whether the hacker read, copied, or understood” the system’s information and no evidence suggested past or future misuse of employee data or that the “intrusion was intentional or malicious”). . . .

The present case falls comfortably on the Beck side of the line. Plaintiffs make no allegation that their data was actually viewed, downloaded, copied, or shared, let alone misused. In fact, they affirmatively concede that there is no evidence that “any class member’s identity” was “stolen as a result of the breach.” ECF No. 52, at 19. And, of course, they do not allege that their data was compromised as a result of a hack or some other criminal act. Instead, they allege only that their data was compromised by an errant email sent within CLA (a company, for what it is worth, whose employees obviously deal with sensitive information of all kinds). If anything, the case for standing in this case is considerably weaker than it was in Beck.
In Beck, the data was (or might have been) compromised as the result of a criminal act, yet the court still found the risk of future injury too speculative because there was no indication that the thief had intentionally targeted the data itself. Here, by contrast, there is no allegation of any criminal act whatsoever; instead, Plaintiffs speculate that one of the CLA employees who received the email in error — all of whom owed duties and responsibilities to CLA and presumably knew that they could be fired if they did anything untoward with the email — could misuse their data or provide it to a third party who could, in turn, misuse it. As in Beck, “[t]hese allegations are insufficient to establish a ‘substantial risk’ of harm.” Beck, 848 F.3d at 275. Put differently, “the risk of harm that [Plaintiffs] envision[] is unanchored to any actual incident of data breach. This omission is fatal” to their claim of substantial risk: “because [they] do[] not identify any incident in which [their] data has ever been accessed by an unauthorized person, [they] cannot satisfy Article III’s requirement of actual or impending injury.” Katz, 672 F.3d at 80.

In their Complaint, Plaintiffs do allege species of current injury, namely in the form of the time and money spent monitoring or changing their financial information and accounts. See Compl. ¶ 50. Conspicuously, however, Plaintiffs did not rely on that theory when pressed by the Court to explain how they have standing — either in their supplemental memorandum of law on standing, see Pls.’ Standing Mem. 1-2 (arguing only that Plaintiffs have suffered an injury in fact “because they face an increased risk of future identity theft” (capitalization altered)), or at oral argument, see Tr. 8-16 (same). That is for good reason: Plaintiffs “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.” Clapper, 133 S. Ct. at 1151; see, e.g., In re SuperValu, Inc., 870 F.3d 763, 771 (8th Cir. 2017) (“Because plaintiffs have not alleged a substantial risk of future identity theft, the time they spent protecting themselves against this speculative threat cannot create an injury.”); Beck, 848 F.3d at 276-77 (rejecting the plaintiffs’ allegation that the cost of mitigating measures gave rise to standing on the ground that it was “merely ‘a repackaged version of [their] first failed theory of standing.’ Simply put, these self-imposed harms cannot confer standing.” (quoting Clapper, 133 S. Ct. at 1151)); Reilly, 664 F.3d at 46 (“[A]lleged time and money expenditures to monitor . . . financial information do not establish standing, because costs incurred to watch for a speculative chain of future events based on hypothetical future criminal acts are no more ‘actual’ injuries than the alleged ‘increased risk of injury’ . . . .”). In short, the Court is “powerless to approve” the parties’ proposed class settlement because “no named plaintiff has standing.”