On April 26, 2021, the U.S. Court of Appeals for the Second Circuit rejected a split decision in the data breach litigation matter of McMorris v. Carlos Lopez & Assocs., in which the Second Circuit decided against a “suggested” circuit split decision concerning the issue of “whether a plaintiff may establish standing based on a risk of future identity theft or fraud stemming from the unauthorized disclosure of that plaintiff’s data.”
The dispute began in June 2018 when a Carlos Lopez & Associates employee unintentionally sent an email containing sensitive personally identifiable information (PII) such as social security numbers, addresses, birth dates, phone numbers, and educational record of approximately 130 former and current Carlos Lopez and Associates employees to 65 current staff members. The Second Circuit concluded that “the Plaintiffs have failed to show that they are at a substantial risk of future identity theft or fraud sufficient to establish Article III standing.”