New 2nd Circuit Court of Appeals decision further opens the door for class action data breach lawsuits to proceed without the need for showing tangible harm
A recent decision by the 2nd U.S. Circuit Court of Appeals in New York could have significant consequences for companies that experience data breaches. In its August 24, 2023 decision, the court held in favor of former employees of insurer Marsh & McLennan Cos. Inc. who were attempting to bring a class action against the insurer. A major takeaway was the court’s statement that “[Nancy] Bohnak’s alleged injuries arising from the risk of future harm are concrete.”
In other words, alleging the mere risk of future injury from a data breach, together with the costs of mitigating that risk, may be sufficient to bring an actionable claim.
The breach and its aftermath
Marsh & McLennan Companies, Inc. and Marsh & McLennan Agency, LLC (collectively, “Marsh & McLennan”) suffered a data breach in April 2021 that exposed Social Security numbers and other information belonging to current and former employees. Marsh & McLennan mailed notifications on June 30, 2021, which included information on credit monitoring, identity theft services, and other support typically provided in the wake of a breach. In July 2021, Nancy Bohnak and Janet Lea Smith, former employees of Marsh & McLennan, brought a putative nationwide class action complaint alleging “state-law claims for (1) negligence, (2) breach of implied contract, and (3) breach of confidence.”[1]
After the district court found for Marsh & McLennan, Bohnak appealed, and the Court of Appeals found in her favor on the question of standing. Specifically, the 2nd Circuit wrote: “[t]he core of the injury Bohnak alleges here is that she has been harmed by the exposure of her private information — including her SSN and other PII — to an unauthorized malevolent actor. This falls squarely within the scope of an intangible harm the Supreme Court has recognized as ‘concrete.’”[2]
Read another way, plaintiffs may have standing to sue solely on the basis that their data was accessed in a breach and then received or acquired by an unauthorized third party.
A trend favoring plaintiffs
The court’s decision in this matter follows several recent rulings that have enabled or expanded the ability of plaintiffs to sue after a data breach. In 2015, the 7th Circuit found that the occurrence of a data breach is itself enough to show a substantial risk of harm. In 2019, the Illinois Supreme Court reversed an appeals court decision, holding that “an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the [Illinois Biometric Information Privacy Act], in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages.” More recently, in 2021 the U.S. Supreme Court found that concrete injury can include intangible harm, a holding the 2nd Circuit cited in finding for Bohnak.
What does this mean for companies that experience a data breach?
The bar for plaintiffs to sue in the wake of a data breach has, for the moment, been lowered. Companies that experience an incident or breach should expect more attention and be prepared to engage counsel. While litigation is difficult to prevent, companies can limit their liability, and be good corporate citizens, by being responsible caretakers of sensitive data and of their own cybersecurity. Some steps include:
- Be vigilant, and help your employees recognize the risks. Threat actors are always on the lookout for their next targets. Traditional methods, including phishing emails and social engineering, remain popular with threat actors because they work with little effort or expense. Train your employees to be attentive, to question unexpected communications, and, when in doubt, to ask IT to take a look.
- Use sound security procedures. Keep software patched and security tooling up to date. Use strong, unique passwords, change them promptly whenever compromise is suspected, and report suspected incidents as soon as possible. MFA (multi-factor authentication) adds mere seconds to an employee’s routine but adds another barrier for any threat actor to overcome, particularly one who has already obtained a password.
- Protect data. A consistent data intake and organization process is key to making sure the data you receive goes where it should. Once data is in your company’s environment, measures such as encryption or redaction of sensitive fields, access restricted to those who need it, and secure storage add a further layer of protection against any threat actor who gains a foothold.
- Do not collect data you do not use. Limit the data you collect and retain to what is necessary and required by contract or law. Data costs money to acquire, analyze and store. Data your company holds but does not use is not only an ongoing upkeep cost; it is a liability in the event of a breach. Avoid adding insult to injury by being breached and then having to disclose that you are not even sure why you held some of the data in the first place.
If you have questions about your company’s vulnerability to a ransomware attack or other breach, or if you want to learn more about proactive cybersecurity defense, contact a member of McDonald Hopkins’ national cybersecurity and data privacy team.
[1] Bohnak v. Marsh & McLennan Cos., 580 F. Supp. 3d 21, 24 (S.D.N.Y. 2022).
[2] Bohnak v. Marsh & McLennan Cos., No. 22-319 (2d Cir. 2023).