Bohnak v. Marsh & McLennan Companies, Inc.
Citation: 79 F.4th 276
Date Filed: 2023-08-24
Docket: 22-319
Cited: 47 times
Status: Published
22-319
Bohnak v. Marsh & McLennan Companies, Inc.
In the
United States Court of Appeals
For the Second Circuit
______________
August Term, 2022
(Submitted: October 24, 2022 Decided: August 24, 2023)
Docket No. 22-319
______________
NANCY BOHNAK, on behalf of themselves and all others similarly situated,
Plaintiff-Appellant,
JANET LEA SMITH, on behalf of themselves and all others similarly situated,
Plaintiff,
—v.—
MARSH & MCLENNAN COMPANIES, INC., A DELAWARE CORPORATION, MARSH &
MCLENNAN AGENCY, LLC, A DELAWARE LIMITED LIABILITY COMPANY,
Defendants-Appellees.
______________
Before: NEWMAN, NARDINI, and ROBINSON, Circuit Judges.
______________
Plaintiff-Appellant Nancy Bohnak appeals from an order of the
United States District Court for the Southern District of New York
(Hellerstein, J.) dismissing her claims against Defendants-Appellees Marsh
& McLennan Agency, LLC (“MMA”) and Marsh & McLennan Companies
(“MMC”) (together, “Defendants”) for failure to plausibly plead a “claim
upon which relief can be granted,” Fed. R. Civ. P. 12(b)(6). The Defendants
defend the order on the ground that the district court lacked subject matter
jurisdiction, Fed. R. Civ. P. 12(b)(1), because Bohnak lacked Article III
standing. Both claims turn on whether Bohnak has validly pled that she
suffered an Article III injury in fact. Bohnak filed this nationwide class
action on behalf of herself and others similarly situated after her personally
identifying information (“PII”), including her name and Social Security
number, which had been entrusted to Defendants, were exposed to an
unauthorized third party as a result of a targeted data hack.
This case requires us to consider the proper framework for evaluating
whether an individual whose PII is exposed to unauthorized actors, but has
not (yet) been used for injurious purposes such as identity theft, has suffered
an injury in fact for purposes of Article III standing to sue for damages. In
particular, we are called upon to determine how the Supreme Court’s
decision in TransUnion, LLC v. Ramirez, 141 S. Ct. 2190 (2021), impacts this
Court’s previous holding in McMorris v. Carlos Lopez & Associates, 995 F.3d 295,
303 (2d Cir. 2021).
We conclude that with respect to the question whether an injury
arising from risk of future harm is sufficiently “concrete” to constitute an
injury in fact, TransUnion controls; with respect to the question whether the
asserted injury is “actual or imminent,” the McMorris framework continues
to apply in data breach cases like this.
Applying the above framework, we conclude that Bohnak’s allegation
that an unauthorized third party accessed her name and Social Security
number through a targeted data breach gives her Article III standing to
bring this action against the defendants to whom she had entrusted her PII.
We further conclude that the district court erred in dismissing Bohnak’s
claims for failure to plausibly allege cognizable damages. We thus
REVERSE the district court’s order dismissing Bohnak’s claims for damages
and REMAND for further proceedings.
______________
John A. Yanchunis, Kenya Reddy, Morgan and
Morgan, Tampa, FL, for Plaintiff-Appellant.
Travis LeBlanc, Cooley LLP, Washington, D.C.,
Tiana Demas, Cooley LLP, New York, NY, for
Defendants-Appellees.
______________
ROBINSON, Circuit Judge:
This case requires us to consider the proper framework for evaluating
whether an individual whose personally identifying information (“PII”) is
exposed to unauthorized actors, but has not (yet) been used for injurious purposes
such as identity theft, has suffered an injury in fact for purposes of (1) Article III
standing to sue for damages and (2) pleading a “claim upon which relief can be
granted,” Fed. R. Civ. P. 12(b)(6). In particular, we are called upon to determine
how the Supreme Court’s decision in TransUnion, LLC v. Ramirez, 141 S. Ct. 2190
(2021), impacts this Court’s previous holding in McMorris v. Carlos Lopez &
Associates, 995 F.3d 295, 303 (2d Cir. 2021).
To establish Article III standing under the U.S. Constitution, a plaintiff must
show (1) an injury in fact (2) caused by the defendant, (3) that would likely be
redressable by the court. Thole v. U.S. Bank N.A., 140 S. Ct. 1615, 1618 (2020). At
issue here is the first element: injury in fact. “Injury in fact,” in turn, embodies
three components: it must be “concrete, particularized, and actual or
imminent.” Id. We conclude that with respect to the question whether an injury
arising from risk of future harm is sufficiently “concrete” to constitute an injury in
fact, TransUnion controls; with respect to the question whether the asserted injury
is “actual or imminent,” the McMorris framework continues to apply in data
breach cases like this.
Plaintiff-Appellant Nancy Bohnak appeals from an order 1 of the United
States District Court for the Southern District of New York (Hellerstein, J.)
dismissing her claims against Defendants-Appellees Marsh & McLennan Agency,
LLC (“MMA”) and Marsh & McLennan Companies (“MMC”) (together,
“Defendants”) for failure to state a claim. 2 Bohnak v. Marsh & McLennan Cos., Inc.,
580 F. Supp. 3d 21 (S.D.N.Y. 2022). Applying the above framework, we conclude
that Bohnak’s allegation that an unauthorized third party accessed her name and
Social Security number (“SSN”) through a targeted data breach gives her
Article III standing to bring this action against the defendants to whom she had
entrusted her PII. We further conclude that the district court erred in dismissing
Bohnak’s claims for failure to plausibly allege cognizable damages because we
hold that by pleading a sufficient Article III injury in fact, Bohnak also satisfies the
damages element of a valid claim for relief.
1 The notice of appeal states that Bohnak appeals “from the Order and Opinion . . . entered . . .
on January 17, 2022.” (The order was in fact entered January 18, 2022, see Dist. Ct. Dkt. No. 32.)
That order is appealable because it was a “final decision,” 28 U.S.C. § 1291, that disposed of the
entire case, see Bankers Trust Co. v. Mallis, 435 U.S. 382, 387 (1978) (“[T]he District Court clearly
evidenced its intent that the opinion and order from which an appeal was taken would represent
the final decision in the case.”). However, when a judgment is entered, as it was in this case on
January 28, 2023 (Dist. Ct. Dkt. No. 33), the better practice is to appeal the judgment. That avoids
any dispute as to whether an earlier entered order qualifies as a final decision.
2 Janet Lee Smith was a plaintiff in the underlying action but is not a party to this appeal.
For the reasons set forth below, we REVERSE the district court’s order
dismissing Bohnak’s claims for damages and REMAND for further proceedings.
BACKGROUND 3
MMC “is the world’s leading professional services firm in the areas of risk,
strategy and people,” App’x 9, ¶ 3; MMA is a wholly owned subsidiary of MMC
and serves “the risk prevention and insurance needs of middle market companies
in the United States,” id. ¶ 4. Defendants stored PII such as “Social Security or
other federal tax identification number[s], driver’s license or other government
issued identification, and passport information” of at least 7,000 individuals.
App’x 8-9, ¶ 2. The PII at issue relates to “(i) Defendants’ current and former
employees and spouses and dependents thereof; (ii) current and former employees
of Defendants’ clients, contractors, applicants and investors; and (iii) individuals
whose information Defendants acquired through the purchase of or merger with
another business.” App’x 8, ¶ 1.
3 This account is drawn from the allegations in Bohnak’s complaint, which we must accept as
true for purposes of evaluating Defendants’ motion to dismiss. Ashcroft v. Iqbal, 556 U.S. 662,
678 (2009).
Bohnak is MMA’s former employee, and “[a]s a condition of [] Bohnak’s
employment, Defendants required that she entrust her PII, including but not
limited to her Social Security or other federal tax id number.” 4 App’x 21, ¶ 58.
In April 2021 an “unauthorized actor . . . leveraged a vulnerability in a third
party’s software” and accessed Bohnak’s PII, including her “name and . . . Social
Security or other federal tax id number.” App’x 14, ¶ 30.
PII is of “high value to criminals, as evidenced by the prices they will pay
through the dark web.” 5 App’x 17, ¶ 44. “[SSNs], for example, are among the
worst kind of personal information to have stolen because they may be put to a
variety of fraudulent uses and are difficult for an individual to change.” App’x 18,
¶ 45. Specifically, “[a]n individual cannot obtain a new [SSN] without significant
paperwork and evidence of actual misuse.” Id. ¶ 46.
4 The record is silent as to when Bohnak’s employment with MMA began, but it ended “[i]n or
around 2014.” App’x 21 ¶ 58.
5 “The Dark Web is a general term that describes hidden Internet sites that users cannot access
without using special software.” McMorris, 995 F.3d at 302 n.4 (quoting Kristin Finklea, Cong.
Rsch. Serv., 7-5700, Dark Web 2 (2017)). “Not surprisingly, criminals and other malicious
actors . . . use the [D]ark [W]eb to carry out technology-driven crimes, such as computer hacking,
identity theft, credit card fraud, and intellectual property theft.” Id. (quoting Ahmed Ghappour,
Searching Places Unknown: Law Enforcement Jurisdiction on the Dark Web, 69 Stan. L. Rev. 1075,
1090 (2017)).
Despite the sensitivity of the data in Defendants’ possession, they did not
secure the data from potential unauthorized actors through encryption, and the
data continues to be unencrypted.
In contrast, Bohnak has been “very careful about sharing her PII. She has
never knowingly transmitted her unencrypted sensitive PII over the internet or
any other unsecured source.” App’x 21, ¶ 61. She “stores any documents
containing her PII in a safe and secure location or destroys the documents,” and
“she diligently chooses unique usernames and passwords for her various online
accounts.” App’x 21–22, ¶ 62.
After Defendants notified Bohnak of the data breach (two months after
Defendants learned of the incident), Bohnak filed this nationwide class action on
behalf of herself and others similarly situated. She alleges that Defendants failed
to: “(i) adequately protect the PII of [Bohnak] and Class Members; (ii) warn
[Bohnak] and Class Members of Defendants’ inadequate information security
practices; and (iii) effectively secure hardware containing protected PII using
reasonable and effective security procedures free of vulnerabilities and
incidents.” App’x 11, ¶ 14.
Asserting state law claims of negligence, breach of implied contract, and
breach of confidence, Bohnak alleges that she and Class Members suffered the
following injuries:
(i) lost or diminished value of PII; (ii) out-of-pocket expenses
associated with the prevention, detection, and recovery from identity
theft, tax fraud, and/or unauthorized use of their PII; (iii) lost
opportunity costs associated with attempting to mitigate the actual
consequences of the Data Breach, including but not limited to lost
time, and (iv) the continued and certainly increased risk to their PII,
which: (a) remains unencrypted and available for unauthorized third
parties to access and abuse; and (b) may remain backed up in
Defendants’ possession and is subject to further unauthorized
disclosures so long as Defendants fail[] to undertake appropriate and
adequate measures to protect the PII.
App’x 11, ¶ 15.
Defendants moved to dismiss Bohnak’s complaint under Federal Rule of
Civil Procedure 12(b)(1) for lack of subject matter jurisdiction, arguing that Bohnak
lacks Article III standing. In the alternative, Defendants moved to dismiss the
complaint under Rule 12(b)(6) because Bohnak fails to allege any cognizable
damages.
The district court rejected Defendants’ argument that Bohnak lacked Article
III standing, reasoning that, although the future, indefinite risk of identity theft
involving her compromised PII by itself was insufficient to establish an injury in
fact under TransUnion, Bohnak plausibly alleged a separate concrete injury,
analogous to that associated with the common-law tort of public disclosure of
private information, that could support Article III standing.
However, the district court accepted Defendants’ argument that Bohnak
had failed to state a claim for which relief can be granted, reasoning that she had
not plausibly alleged cognizable damages arising from the disclosure of her PII.
In particular, the district court concluded that Bohnak could only speculate about
the extent of any future harm, and that the damages arising from any risk of future
harm are not “capable of proof with reasonable certainty.” Bohnak, 580 F. Supp.
3d at 31. The court concluded that Bohnak’s alleged loss of time and money
responding to the increased risk of harm is not “cognizable” because it was not
proximately caused by the harm of disclosure which, the court emphasized, was
“the only harm for which [the court] found Plaintiffs have Article III standing.” Id.
Moreover, the court reasoned that Bohnak’s prayer for injunctive relief is
based on the same harms as her claims for monetary relief, indicating the harms
are compensable through money damages. In the court’s view, a permanent
injunction is thus unavailable. Because the court concluded that Bohnak does not
plausibly allege a claim for damages or injunctive relief, it dismissed Bohnak’s
claims pursuant to Rule 12(b)(6). Bohnak appealed.
DISCUSSION
Bohnak challenges the district court’s conclusion that she cannot establish
standing merely by virtue of the risk of future misuse of her PII (such as identity
theft or fraud), and in so arguing implicitly challenges the reasoning underlying
the court’s dismissal of her claims for failure to state a cognizable claim for
damages. Defendants, on the other hand, contend that because her claims are
predicated on a risk of future harm, Bohnak lacks standing altogether.
We conclude that Bohnak has standing to pursue her claims for relief, and
that she has adequately alleged a cognizable claim for damages. 6
I. Standing
We first consider whether Bohnak has established Article III
standing. See Central States SE and SW Areas Health and Welfare Fund v. Merck–Medco
Managed Care, LLC, 433 F.3d 181, 198 (2d Cir. 2005) (“If plaintiffs lack Article
III standing, a court has no subject matter jurisdiction to hear their claim.”).
“Because standing is challenged on the basis of the pleadings, we accept as
true all material allegations of the complaint, and must construe the complaint in
favor of the complaining party.” W.R. Huff Asset Mgmt. Co., LLC v. Deloitte &
Touche, LLP, 549 F.3d 100, 106 (2d Cir. 2008) (internal quotation marks omitted).
In this context, we determine whether a plaintiff has constitutional standing to sue
without deference to the district court. Id.
6 Bohnak has not challenged the district court’s determination that she failed to plausibly allege
a claim that would entitle her to injunctive relief, and her challenge to the district court’s
standing analysis does not directly undercut the court’s rationale for dismissing her claims for
injunctive relief. Accordingly, we deem any challenge to the district court’s dismissal of her
claim for injunctive relief waived, and do not address her claims for injunctive relief on appeal.
As noted above, to establish Article III standing, a plaintiff must show (1) an
injury in fact that is “concrete, particularized, and actual or imminent,” (2) that the
injury was caused by the defendant, and (3) that the injury would likely be
redressable by the court. Thole, 140 S. Ct. at 1618. At issue here is the first
element—an injury in fact that is “concrete, particularized, and actual or
imminent.”
Bohnak argues that the district court erred by concluding that the risk of
future harm arising from the disclosure of her PII is not a cognizable injury for
standing purposes. In particular, she argues that the district court erred in
concluding that the Supreme Court’s decision in TransUnion calls into question the
continuing vitality of this Court’s decision in McMorris. And she contends that
under the framework established in McMorris, she has standing to pursue her
claims.
Defendants contend that TransUnion forecloses any argument that Bohnak
has standing based on a risk of future harm, that Bohnak cannot establish standing
based on the factors set forth in McMorris, and that the district court erred in
concluding that Bohnak did have standing to pursue her claims based on the
injury from the exposure of her PII.
We conclude that TransUnion is the touchstone for determining whether
Bohnak has alleged a concrete injury, and that under TransUnion, Bohnak’s alleged
injuries arising from the risk of future harm are concrete. We further conclude that
McMorris is the touchstone for determining whether Bohnak has alleged an “actual
or imminent” injury, and that under McMorris, Bohnak’s alleged injuries are
“actual or imminent.” McMorris, 995 F.3d at 300. Given these conclusions, and
because the other elements of Article III standing are undisputedly met, we
conclude that Bohnak has Article III standing, and we have jurisdiction to review
this appeal.
A. TransUnion: Concreteness
i. The Court’s Holding
In TransUnion, in a distinct but somewhat analogous context, the Supreme
Court considered whether a risk of future injury alone is sufficiently concrete to
be an injury in fact for purposes of Article III standing. 141 S. Ct. at 2204 (“The
question in this case focuses on the Article III requirement that the plaintiff’s injury
in fact be ‘concrete,’—that is, ‘real, and not abstract.’”).
The conflict in TransUnion arose from a product designed to help businesses
avoid transacting with individuals on the United States Treasury Department’s
Office of Foreign Assets Control (“OFAC”) list of “specially designated nationals
who threaten America’s national security.” Id. at 2201-02 (internal quotation marks
omitted). When TransUnion (a “Big Three” credit reporting agency) conducted a
credit check for subscribers to their special service, it used third-party software to
compare the consumer’s name against the OFAC list. Id. at 2201. As
the Supreme Court explained,
If the consumer’s first and last name matched the first and last name
of an individual on OFAC’s list, then TransUnion would place an alert
on the credit report indicating that the consumer’s name was a
“potential match” to a name on the OFAC list. TransUnion did not
compare any data other than first and last names.
Id.
TransUnion’s system produced many false positives, as many law-abiding
Americans share names with individuals on OFAC’s list of specially designated
nationals. Id. Sergio Ramirez, the named plaintiff, was one such law-abiding
American. Id. He tried to purchase a car from a dealership, but the dealership
refused to sell it to him after receiving a report from TransUnion that he was on
OFAC’s list. Id. Ramirez filed a class action on behalf of himself and the rest of
the proposed 8,185 class members seeking statutory damages for TransUnion’s
violations of the Fair Credit Reporting Act (“FCRA” or the “Act”). Id. at 2200.
FCRA “imposes a host of requirements concerning the creation and use of consumer
reports.” Id. (internal quotation marks omitted). Ramirez alleged that in connection
with its new product, TransUnion “failed to follow reasonable procedures to ensure
the accuracy of information in his credit file.” Id. at 2202. The proposed class of
individuals all received notice from TransUnion that their names were considered a
potential match to names on the OFAC list. Id. During the class period, TransUnion
had distributed reports to potential creditors concerning only 1,853 of the 8,185
class members. Id.
In evaluating whether all of the class members’ injuries arising from
TransUnion’s alleged statutory violations had suffered an injury in fact supporting
Article III standing, the Supreme Court focused its analysis on the issue of whether
the plaintiffs had shown a “concrete harm.” Id. at 2208–09.
In considering whether the plaintiffs’ alleged injuries were sufficiently
concrete to constitute an injury in fact for purposes of their claim for damages, the
Court considered whether their injuries bore a “‘close relationship’ to a harm
‘traditionally’ recognized as providing a basis for a lawsuit in American
courts.” Id. at 2204 (quoting Spokeo, Inc. v. Robins, 578 U.S. 330, 341 (2016)). The
Court recognized that “traditional tangible harms,” such as physical harms and
monetary harms, “readily qualify as concrete injuries under Article III.” Id. But it
went on to recognize that harms beyond those traditional tangible harms can also
support standing:
Various intangible harms can also be concrete. Chief among them are
injuries with a close relationship to harms traditionally recognized as
providing a basis for lawsuits in American courts. Those include, for
example, reputational harms, disclosure of private information, and
intrusion upon seclusion.
Id. (citation omitted).
Applying this framework, the Court had “no trouble” concluding that the
1,853 class members whose false OFAC designations were sent to third parties had
suffered a concrete injury. Id. at 2209. The Court reasoned that such an injury
“bears a ‘close relationship’ to a harm traditionally recognized as providing a basis
for a lawsuit in American courts—namely, the reputational harm associated with
the tort of defamation.” Id. (quoting Spokeo, 578 U.S. at 341). Therefore, the Court
concluded that the 1,853 class members whose reports were disseminated to third
parties suffered a concrete injury in fact under Article III. Id. Significantly, the
Court concluded that the publication of false information about these class members
to third parties was itself enough to establish a concrete injury; it did not take
further steps to evaluate whether those third parties used the information in ways
that harmed the class members. Id.
On the other hand, the Court concluded that the remaining 6,332 class
members whose credit reports were not shared with third parties had not suffered
a concrete injury, explaining that there is “no historical or common-law analog
where the mere existence of inaccurate information, absent dissemination,
amounts to concrete injury.” Id. (internal quotation marks omitted). The Court
distinguished between credit reports published to third parties and files that
consumer reporting agencies maintain internally. Id. at 2210. It analogized
misleading information merely sitting in a company database to a defamatory
letter stored in a desk drawer and never sent; the Court explained that in both
cases, legally speaking, nobody is harmed. Id.
The Court gave two answers of note in response to the arguments on behalf
of the 6,332 class members that the existence of misleading OFAC alerts in their
internal credit files exposed them to a material risk that the information would be
disseminated to third parties in the future and thereby caused them present harm.
First, it explained that, although mere risk of future harm does not provide
standing to seek retrospective damages where actual harm never materialized, “a
person exposed to a risk of future harm may pursue forward-looking, injunctive
relief to prevent the harm from occurring, at least so long as the risk of harm is
sufficiently imminent and substantial.” Id. (citing Clapper v. Amnesty Int’l USA, 568
U.S. 398, 414 n.5 (2013)).
Second, the Court noted that a risk of future harm could “itself cause[] a
separate concrete harm,” in which case the plaintiff would have standing to pursue
damages premised on that separate concrete harm. Id. at 2211 (emphasis in
original). For example, the Court suggested that evidence that the class members
suffered some other injury, such as emotional injury, from the risk that their
reports would be provided to third-party businesses could give them standing to
seek damages. Id.
These principles guide our assessment of whether Bohnak’s alleged harm is
sufficiently “concrete” to support Article III standing.
ii. Application to Bohnak’s Claims
Like the Supreme Court in TransUnion, we have no trouble concluding that
Bohnak’s alleged harm is sufficiently concrete to support her claims for damages.
Similar to the publication of misleading information about some of the plaintiffs
in TransUnion, the core injury here—exposure of Bohnak’s private PII to
unauthorized third parties—bears some relationship to a well-established
common-law analog: public disclosure of private facts. See Restatement (Second)
Torts § 652D (“One who gives publicity to a matter concerning the private life of
another is subject to liability to the other for invasion of . . . privacy, if the matter
publicized is of a kind that (a) would be highly offensive to a reasonable person,
and (b) is not of legitimate concern to the public.”). Bohnak’s position is thus
similar to that of the 1,853 class members who had standing in TransUnion based
on the publication of misleading information to third parties without regard to
whether the third parties used the information to cause additional harm.
We need not stretch to reach this conclusion. In TransUnion itself, the
Supreme Court specifically recognized that “disclosure of private information”
was an intangible harm “traditionally recognized as providing a basis for lawsuits
in American courts.” 141 S. Ct. at 2204 (citing Davis v. Federal Election Comm’n,
554 U.S. 724, 733 (2008)). It thus described an injury arising from such disclosure
as “concrete” for purposes of the Article III analysis. Id. The core of the injury
Bohnak alleges here is that she has been harmed by the exposure of her private
information—including her SSN and other PII—to an unauthorized malevolent
actor. This falls squarely within the scope of an intangible harm the Supreme Court
has recognized as “concrete.” Id.
We recognize that Bohnak does not in this case assert a common law claim
for public disclosure of private facts, and it matters not whether New York
common law recognizes a tort relating to publication of private facts. For the
purposes of the “concreteness” analysis under TransUnion, what matters is that
the intangible harm arising from disclosure of one’s PII bears a relationship to an
injury with a “close historical or common-law analogue.” Id. And that analog
need not be “an exact duplicate.” Id. at 2209.
In addition, Bohnak’s allegations establish a concrete injury for purposes of
her damages claim for a separate reason: she has suffered “separate concrete
harm[s]” as a result of the risk of future harm occasioned by the exposure of her
PII. Id. at 2211 (emphasis omitted). In particular, she has alleged among other
things that she incurred “out-of-pocket expenses associated with the prevention,
detection, and recovery from identity theft” and “lost time” and other
“opportunity costs” associated with attempting to mitigate the consequences of
the data breach. App’x 11, ¶ 15. These separate and concrete harms foreseeably
arising from the exposure of Bohnak’s PII to a malign outside actor, giving rise to
a material risk of future harm, independently support standing.
Our conclusion on this point is consistent with our analysis in McMorris, in
which we explained with reference to the injury-in-fact question more broadly that
“where plaintiffs have shown a substantial risk of future identity theft or fraud,
any expenses they have reasonably incurred to mitigate that risk likewise qualify
as injury in fact.” 995 F.3d at 303 (internal quotation marks omitted).
It also echoes the First Circuit’s conclusion in Webb v. Injured Workers
Pharmacy, LLC, 72 F.4th 365 (1st Cir. 2023). In that case, the First Circuit
considered the standing of a plaintiff whose PII had been exposed in a data breach
by a home-delivery pharmacy service. There was no allegation that the plaintiff’s
PII had actually been misused, although other PII in the same dataset had been.
Applying the lessons of TransUnion, the court concluded that the plaintiff had
plausibly alleged a “separate concrete, present harm” caused by exposure to the
risk of future harm. Webb, 72 F.4th at 376. In particular, the plaintiff had alleged
that she spent “considerable time and effort” monitoring her accounts to protect
them. Id. (internal quotation marks omitted). The First Circuit joined other
circuits in concluding that “time spent responding to a data breach can constitute
a concrete injury sufficient to confer standing, at least when that time would
otherwise have been put to profitable use.” Id. at 377. The court noted, “Because
this alleged injury was a response to a substantial and imminent risk of harm, this
is not a case where the plaintiffs seek to ‘manufacture standing by incurring costs
in anticipation of non-imminent harm.’” Id. (quoting Clapper, 568 U.S. at 422).
The Third Circuit reached a similar conclusion in Clemens v. ExecuPharm Inc.,
48 F.4th 146 (3d Cir. 2022)—another post-TransUnion data breach case. In Clemens,
the Third Circuit concluded:
Following TransUnion’s guidance, we hold that in the data breach
context, where the asserted theory of injury is a substantial risk of identity
theft or fraud, a plaintiff suing for damages can satisfy concreteness as long
as [the plaintiff] alleges that the exposure to that substantial risk caused
additional, currently felt concrete harms. For example, if the plaintiff’s
knowledge of the substantial risk of identity theft causes [the plaintiff] to
presently experience emotional distress or spend money on mitigation
measures like credit monitoring services, the plaintiff has alleged a concrete
injury.
Id. at 155–56; see also In re U.S. OPM Data Security Breach Litigation, 928 F.3d 42, 59
(D.C. Cir. 2019) (noting that the Supreme Court has recognized standing to sue “on
the basis of costs incurred to mitigate or avoid harm when a substantial risk of harm
actually exists” (quoting discussion of Clapper in Hutton v. Nat’l Bd. of Examiners in
Optometry, 892 F.3d 613, 622 (4th Cir. 2018))); Dieffenbach v. Barnes & Noble, Inc.,
887 F.3d 826, 829-30 (7th Cir. 2018) (monthly fees for credit monitoring
secured in response to a data breach are “real and measurable” actual damages).
For these reasons, given the close relationship between Bohnak’s data
exposure injury and the common law analog of public disclosure of private facts,
and, alternatively, based on her allegations that she suffered concrete present
harms due to the increased risk that she will in the future fall victim to identity
theft as a result of the data breach, we conclude that Bohnak has alleged an injury
that is sufficiently concrete to constitute an injury in fact for purposes of her
damages claim.
B. McMorris: Imminence
Our conclusion that Bohnak’s injury is concrete does not fully resolve the
standing question because it addresses only one component of injury in fact. The
“particularity” requirement for an injury in fact is not in dispute here, but whether
Bohnak’s injury is “actual or imminent” is. Our pre-TransUnion decision in
McMorris guides our analysis of this component.
i. The Court’s Holding
In McMorris, the plaintiffs brought a putative class action against their
employer asserting claims for negligence and violations of consumer protection
laws resulting from inadvertent dissemination of a company-wide email
containing their sensitive PII. 995 F.3d at 298. The plaintiffs alleged that because
their PII had been disclosed to all of the defendant’s then current employees,
plaintiffs were “at imminent risk of suffering identity theft and becoming the
victims of unknown but certainly impending future crimes.” Id. (internal
quotation marks omitted).
As in this case, the issue in McMorris was whether the plaintiffs had suffered
an injury in fact. 995 F.3d at 300. But, in McMorris we considered the question holistically, without breaking the injury-in-fact analysis into its components. See id.
(“This case concerns . . . the first element of Article III standing: the existence of
an injury in fact.”). Because many of our insights in McMorris relate most closely
to the issue of whether the future harm is sufficiently “actual or imminent,”
TransUnion, which did not purport to address matters beyond “concreteness,”
does not fully supplant our analysis in McMorris.
In McMorris, we explained that “a future injury constitutes an Article III
injury in fact only ‘if the threatened injury is certainly impending, or there is a
substantial risk that the harm will occur.’” 995 F.3d at 300 (quoting Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158 (2014)).
We then identified and endorsed
three non-exhaustive factors that courts have considered in determining whether
plaintiffs whose PII has been compromised but not yet misused face a substantial
risk of harm.
First, we said that the most important factor in determining whether a
plaintiff whose PII has been exposed has alleged an injury in fact is whether the
data was compromised as the result of a targeted attack intended to get
PII. McMorris, 995 F.3d at 301. Where a malicious third party has intentionally targeted a defendant’s system and has stolen a plaintiff’s data stored on that system, courts are more willing to find a likelihood of future identity theft or fraud sufficient to confer standing. Id.
We embraced the Seventh Circuit’s reasoning in
one such case: “Why else would hackers break into a store’s database and steal
consumers’ private information? Presumably, the purpose of the hack is, sooner
or later, to make fraudulent charges or assume those consumers’ identities.” Id. (quoting Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 693
(7th Cir. 2015)).
Second, we observed that, “while not a necessary component of establishing
standing,” courts have been more likely to conclude that a plaintiff has established
a “substantial risk of future injury” where some part of the compromised dataset
has been misused—even if a plaintiff’s own data has not. Id. at 301. For example,
fraudulent charges to the credit cards of other customers impacted by the same
data breach, or evidence that a plaintiff’s PII is available for sale on the Dark Web,
can support a finding that a plaintiff is at a substantial risk of identity theft or
fraud. Id. at 301–02.
Third, we explained that courts may consider whether the exposed PII is of
the type “more or less likely to subject plaintiffs to a perpetual risk of identity theft
or fraud once it has been exposed.” Id. at 302. On one hand, we noted that “the
dissemination of high-risk information such as [SSNs] . . . especially when
accompanied by victims’ names—makes it more likely that those victims will be
subject to future identity theft or fraud.” Id. On the other hand, we reasoned that
the exposure of data that is publicly available, or that can be rendered useless (like
a credit card number unaccompanied by other PII), is less likely to subject plaintiffs
to a perpetual risk of identity theft. Id.
Insofar as these factors shed light on whether the future harm of identity
theft or fraud resulting from a data breach is sufficiently actual and imminent (as
opposed to concrete), we see nothing in TransUnion that overrides our analysis,
and McMorris remains a touchstone.
ii. Application to Bohnak’s Claims
Considering these three factors, we conclude that Bohnak has sufficiently
alleged that she faces an imminent risk of injury—that is, a “substantial risk that
the harm will occur.” Id. at 300 (internal quotation marks omitted).
First and foremost, Bohnak has alleged that her PII was exposed as a result
of a targeted attempt by a third party to access the data set. App’x 14, ¶ 30; see
McMorris, 995 F.3d at 301 (considering “whether the data at issue has been
compromised as the result of a targeted attack intended to obtain the plaintiffs’
data.”). In particular, she alleges, based on Defendants’ own report to her, that an
“unauthorized actor [i.e., a hacker] . . . leveraged a vulnerability in a third party’s
software” and gained access to her PII. App’x 14, ¶ 30. This was not an
inadvertent, intra-company disclosure; it was a targeted hack.
Second, Bohnak alleges that the PII taken by the hackers includes her name
and SSN. Id. This is exactly the kind of information that gives rise to a high risk of identity theft. McMorris, 995 F.3d at 302.
As Bohnak has alleged, SSNs “are
among the worst kind of personal information to have stolen because they may be
put to a variety of fraudulent uses and are difficult for an individual to change.”
App’x 18, ¶ 45. And one cannot get a new SSN without “evidence of actual
misuse,” making it difficult to take preventive action to guard against the misuse
of the compromised number. Id. ¶ 46.
We recognize that Bohnak has not pulled off a hat trick with respect to the
factors identified in McMorris; she has not alleged any known misuse of
information in the dataset accessed in the hack. But we emphasized in McMorris
that such an allegation is not necessary to establish that an injury is sufficiently
imminent to constitute an injury in fact. 995 F.3d at 301. We conclude that the
allegations of a targeted hack that exposed Bohnak’s name and SSN to an
unauthorized actor are sufficient to suggest a substantial likelihood of future
harm, satisfying the “actual or imminent harm” component of an injury in fact.
Because Bohnak has alleged a concrete and imminent injury, and because
her injury is undisputedly particular, she has pled an injury in fact. 7 And because
Bohnak has pled that Defendants caused her injury, and her injuries would be
redressed through money damages, we conclude that Bohnak has Article III
standing to pursue her damages claim. 8
II. Bohnak’s Damages Claim
Our discussion of standing all but disposes of the damages issue. 9 The
district court dismissed Bohnak’s claims on the basis that her damages are not
“capable of proof with reasonable certainty,” and her alleged loss of time and
money responding to the increased risk of harm was not “cognizable.” Bohnak,
580 F. Supp. 3d at 31.
7 No party has suggested that the “particularity” requirement for an injury in fact is an obstacle
to Bohnak’s claims. See Strubel v. Comenity Bank, 842 F.3d 181, 188 (2d Cir. 2016) (explaining that
“to satisfy the particularity requirement” an injury must be “distinct from the body politic”).
Here, Bohnak has specifically alleged that her PII was compromised during a data breach that
impacted a finite number of people, making her injury “distinct from the body politic.”
8 Defendants challenge Bohnak’s claims on the merits on the basis that she hasn’t plausibly
alleged cognizable damages. But in contesting her standing, Defendants have not argued that
Bohnak has failed to establish the causation and redressability elements of standing.
9 We reject Defendants’ contention that Bohnak waived her challenge to the district court’s
dismissal of her claim pursuant to Rule 12(b)(6). In this case, the district court’s conclusion that
Bohnak did not plausibly plead damages rested entirely on the court’s conclusion that she lacked
standing to seek damages based upon a risk of future harm. Bohnak’s challenge to that
conclusion was a challenge to the court’s analysis of her damages.
For the reasons set forth above, Bohnak’s alleged injury arising from the
increased risk of harm is cognizable for standing purposes, and thus could support
a claim for damages. As the Seventh Circuit explained in a similar case: “To say
that the plaintiffs have standing is to say that they have alleged injury in fact, and
if they have suffered an injury then damages are available.” Dieffenbach, 887 F.3d
at 828.
Moreover, Bohnak has pled additional injuries—the time and money spent
trying to mitigate the consequences of the data breach—with respect to which
damages are unquestionably capable of reasonable proof. See App’x 11 ¶ 15; see
E.J. Brooks Co. v. Cambridge Sec. Seals, 31 N.Y.3d 441, 448–49 (2018) (compensatory damages “cannot be remote, contingent or speculative,” but the standard “is not one of ‘mathematical certainty’ but only ‘reasonable certainty’” (quoting Steitz v. Gifford, 280 N.Y. 15, 20
(1939))); Aqua Dredge, Inc. v. Stony Point Marina & Yacht Club, Inc., 583 N.Y.S.2d 648, 650
(3d Dep’t 1992) (“In computing damages for
breach of contract, mathematical certainty is rarely attained or even expected.”).
CONCLUSION
In sum, we conclude that the Supreme Court’s decision in TransUnion
governs the analysis of whether a risk of future injury is sufficiently concrete to
constitute an injury in fact for purposes of a claim for damages and that our
analysis in McMorris continues to guide our assessment of the “imminence”
component of injury in fact for purposes of Article III standing. Applying these
cases, we hold that Bohnak has Article III standing to bring her claims for damages
and that the district court erred in dismissing her claims for failure to plead
cognizable damages with reasonable certainty.
For these reasons, we REVERSE the district court’s judgment dismissing
Bohnak’s claims for damages and REMAND for further proceedings consistent
with this opinion.