Brooklyn Journal of Corporate, Financial & Commercial Law


Andrew Ridge



For some time, circuit courts have been ostensibly divided over the power of plaintiffs to maintain claims for injuries sustained from data breaches based merely on an increased risk of injury. However, in McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d 295 (2d Cir. 2021), the Second Circuit denied the existence of the circuit split, instead contending that its three-factor balancing test for determining standing for risk of future injury in data breach cases could be reconciled with the positions of both clusters of circuits. The three factors are “(1) whether the plaintiffs’ data has been exposed as the result of a targeted attempt to obtain that data; (2) whether any portion of the dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and (3) whether the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud.” The Second Circuit frames the circuit split in terms of whether future injury in these cases can ever furnish a plaintiff with standing, when in reality it appears that the reluctance of the circuits that have yet to furnish standing for future injury lies more in their emphasis on the second factor—whether the data has been misused. Although McMorris has not been appealed, the Supreme Court should clarify this ambiguity at the next opportunity. The most equitable solution would be to uphold the Second Circuit’s three-factor test and, while allowing the second factor to hold special importance over the other two factors, not require its presence in all these types of cases for constitutional standing.