Bohnak v. Marsh & McLennan Companies, Inc., No. 22-319 (2d Cir. 2023)Annotate this Case
Plaintiff filed this nationwide class action on behalf of herself and others similarly situated after her personally identifying information (“PII”), including her name and Social Security number, which had been entrusted to Defendants, were exposed to an unauthorized third party as a result of a targeted data hack. At issue is the proper framework for evaluating whether an individual whose PII is exposed to unauthorized actors, but has not (yet) been used for injurious purposes such as identity theft, has suffered an injury in fact for purposes of Article III standing to sue for damages.
The Second Circuit reversed and remanded. The court concluded that with respect to the question of whether an injury arising from risk of future harm is sufficiently “concrete” to constitute an injury, in fact, TransUnion controls; with respect to the question whether the asserted injury is “actual or imminent,” the McMorris framework continues to apply in data breach cases like this. Thus, the court concluded that Plaintiff’s allegation that an unauthorized third party accessed her name and Social Security number through a targeted data breach gives her Article III standing to bring this action against Defendants to whom she had entrusted her PII.