22-319
Bohnak v. Marsh & McLennan Companies, Inc.
In the
United States Court of Appeals
For the Second Circuit
______________
August Term, 2022
(Submitted: October 24, 2022 Decided: August 24, 2023)
Docket No. 22-319
______________
NANCY BOHNAK, on behalf of themselves and all others similarly situated,
Plaintiff-Appellant,
JANET LEA SMITH, on behalf of themselves and all others similarly situated,
Plaintiff,
–v.–
MARSH & MCLENNAN COMPANIES, INC., A DELAWARE CORPORATION, MARSH &
MCLENNAN AGENCY, LLC, A DELAWARE LIMITED LIABILITY COMPANY,
Defendants-Appellees.
______________
Before: NEWMAN, NARDINI, and ROBINSON, Circuit Judges.
______________
Plaintiff-Appellant Nancy Bohnak appeals from an order of the
United States District Court for the Southern District of New York
(Hellerstein, J.) dismissing her claims against Defendants-Appellees Marsh
& McLennan Agency, LLC (“MMA”) and Marsh & McLennan Companies
(“MMC”) (together, “Defendants”) for failure to plausibly plead a “claim
upon which relief can be granted,” Fed. R. Civ. P. 12(b)(6). The Defendants
defend the order on the ground that the district court lacked subject matter
jurisdiction, Fed. R. Civ. P. 12(b)(1), because Bohnak lacked Article III
standing. Both claims turn on whether Bohnak has validly pled that she
suffered an Article III injury in fact. Bohnak filed this nationwide class
action on behalf of herself and others similarly situated after her personally
identifying information (“PII”), including her name and Social Security
number, which had been entrusted to Defendants, were exposed to an
unauthorized third party as a result of a targeted data hack.
This case requires us to consider the proper framework for evaluating
whether an individual whose PII is exposed to unauthorized actors, but has
not (yet) been used for injurious purposes such as identity theft, has suffered
an injury in fact for purposes of Article III standing to sue for damages. In
particular, we are called upon to determine how the Supreme Court’s
decision in TransUnion, LLC v. Ramirez, 141 S. Ct. 2190 (2021), impacts this
Court’s previous holding in McMorris v. Carlos Lopez & Associates, 995 F.3d
295, 303 (2d Cir. 2021).
We conclude that with respect to the question whether an injury
arising from risk of future harm is sufficiently “concrete” to constitute an
injury in fact, TransUnion controls; with respect to the question whether the
asserted injury is “actual or imminent,” the McMorris framework continues
to apply in data breach cases like this.
Applying the above framework, we conclude that Bohnak’s allegation
that an unauthorized third party accessed her name and Social Security
number through a targeted data breach gives her Article III standing to
bring this action against the defendants to whom she had entrusted her PII.
We further conclude that the district court erred in dismissing Bohnak’s
claims for failure to plausibly allege cognizable damages. We thus
REVERSE the district court’s order dismissing Bohnak’s claims for damages
and REMAND for further proceedings.
______________
John A. Yanchunis, Kenya Reddy, Morgan and
Morgan, Tampa, FL, for Plaintiff-Appellant.
Travis LeBlanc, Cooley LLP, Washington, D.C.,
Tiana Demas, Cooley LLP, New York, NY, for
Defendants-Appellees.
______________
ROBINSON, Circuit Judge:
This case requires us to consider the proper framework for evaluating
whether an individual whose personally identifying information (“PII”) is
exposed to unauthorized actors, but has not (yet) been used for injurious purposes
such as identity theft, has suffered an injury in fact for purposes of (1) Article III
standing to sue for damages and (2) pleading a “claim upon which relief can be
granted,” Fed. R. Civ. P. 12(b)(6). In particular, we are called upon to determine
how the Supreme Court’s decision in TransUnion, LLC v. Ramirez, 141 S. Ct. 2190
(2021), impacts this Court’s previous holding in McMorris v. Carlos Lopez &
Associates, 995 F.3d 295, 303 (2d Cir. 2021).
To establish Article III standing under the U.S. Constitution, a plaintiff must
show (1) an injury in fact (2) caused by the defendant, (3) that would likely be
redressable by the court. Thole v. U.S. Bank N.A., 140 S. Ct. 1615, 1618 (2020). At
issue here is the first element: injury in fact. “Injury in fact,” in turn, embodies
three components: it must be “concrete, particularized, and actual or
imminent.” Id. We conclude that with respect to the question whether an injury
arising from risk of future harm is sufficiently “concrete” to constitute an injury in
fact, TransUnion controls; with respect to the question whether the asserted injury
is “actual or imminent,” the McMorris framework continues to apply in data
breach cases like this.
Plaintiff-Appellant Nancy Bohnak appeals from an order 1 of the United
States District Court for the Southern District of New York (Hellerstein, J.)
dismissing her claims against Defendants-Appellees Marsh & McLennan Agency,
LLC (“MMA”) and Marsh & McLennan Companies (“MMC”) (together,
“Defendants”) for failure to state a claim. 2 Bohnak v. Marsh & McLennan Cos., Inc.,
580 F. Supp. 3d 21 (S.D.N.Y. 2022). Applying the above framework, we conclude
that Bohnak’s allegation that an unauthorized third party accessed her name and
Social Security number (“SSN”) through a targeted data breach gives her
Article III standing to bring this action against the defendants to whom she had
entrusted her PII. We further conclude that the district court erred in dismissing
Bohnak’s claims for failure to plausibly allege cognizable damages because we
hold that by pleading a sufficient Article III injury in fact, Bohnak also satisfies the
damages element of a valid claim for relief.
1 The notice of appeal states that Bohnak appeals “from the Order and Opinion . . . entered . . . on
January 17, 2022.” (The order was in fact entered January 18, 2022, see Dist. Ct. Dkt. No. 32.) That
order is appealable because it was a “final decision,” 28 U.S.C. § 1291, that disposed of the entire
case, see Bankers Trust Co. v. Mallis, 435 U.S. 382, 387 (1978) (“[T]he District Court clearly
evidenced its intent that the opinion and order from which an appeal was taken would represent
the final decision in the case.”). However, when a judgment is entered, as it was in this case on
January 28, 2023 (Dist. Ct. Dkt. No. 33), the better practice is to appeal the judgment. That avoids
any dispute as to whether an earlier entered order qualifies as a final decision.
2 Janet Lee Smith was a plaintiff in the underlying action but is not a party to this appeal.
For the reasons set forth below, we REVERSE the district court’s order
dismissing Bohnak’s claims for damages and REMAND for further proceedings.
BACKGROUND 3
MMC “is the world’s leading professional services firm in the areas of risk,
strategy and people,” App’x 9, ¶ 3; MMA is a wholly owned subsidiary of MMC
and serves “the risk prevention and insurance needs of middle market companies
in the United States,” id. ¶ 4. Defendants stored PII such as “Social Security or
other federal tax identification number[s], driver’s license or other government
issued identification, and passport information” of at least 7,000 individuals.
App’x 8-9, ¶ 2. The PII at issue relates to “(i) Defendants’ current and former
employees and spouses and dependents thereof; (ii) current and former employees
of Defendants’ clients, contractors, applicants and investors; and (iii) individuals
whose information Defendants acquired through the purchase of or merger with
another business.” App’x 8, ¶ 1.
3 This account is drawn from the allegations in Bohnak’s complaint, which we must accept as
true for purposes of evaluating Defendants’ motion to dismiss. Ashcroft v. Iqbal, 556 U.S. 662,
678 (2009).
Bohnak is MMA’s former employee, and “[a]s a condition of [] Bohnak’s
employment, Defendants required that she entrust her PII, including but not
limited to her Social Security or other federal tax id number.” 4 App’x 21, ¶ 58.
In April 2021 an “unauthorized actor . . . leveraged a vulnerability in a third
party’s software” and accessed Bohnak’s PII, including her “name and . . . Social
Security or other federal tax id number.” App’x 14, ¶ 30.
PII is of “high value to criminals, as evidenced by the prices they will pay
through the dark web.” 5 App’x 17, ¶ 44. “[SSNs], for example, are among the
worst kind of personal information to have stolen because they may be put to a
variety of fraudulent uses and are difficult for an individual to change.” App’x 18,
¶ 45. Specifically, “[a]n individual cannot obtain a new [SSN] without significant
paperwork and evidence of actual misuse.” Id. ¶ 46.
4 The record is silent as to when Bohnak’s employment with MMA began, but it ended “[i]n or
around 2014.” App’x 21 ¶ 58.
5 “The Dark Web is a general term that describes hidden Internet sites that users cannot access
without using special software.” McMorris, 995 F.3d at 302 n.4 (quoting Kristin Finklea, Cong.
Rsch. Serv., 7-5700, Dark Web 2 (2017)). “Not surprisingly, criminals and other malicious actors . . .
use the [D]ark [W]eb to carry out technology-driven crimes, such as computer hacking, identity
theft, credit card fraud, and intellectual property theft.” Id. (quoting Ahmed Ghappour, Searching
Places Unknown: Law Enforcement Jurisdiction on the Dark Web, 69 Stan. L. Rev. 1075, 1090 (2017)).
Despite the sensitivity of the data in Defendants’ possession, they did not
secure the data from potential unauthorized actors through encryption, and the
data continues to be unencrypted.
In contrast, Bohnak has been “very careful about sharing her PII. She has
never knowingly transmitted her unencrypted sensitive PII over the internet or
any other unsecured source.” App’x 21, ¶ 61. She “stores any documents
containing her PII in a safe and secure location or destroys the documents,” and
“she diligently chooses unique usernames and passwords for her various online
accounts.” App’x 21–22, ¶ 62.
After Defendants notified Bohnak of the data breach (two months after
Defendants learned of the incident), Bohnak filed this nationwide class action on
behalf of herself and others similarly situated. She alleges that Defendants failed
to: “(i) adequately protect the PII of [Bohnak] and Class Members; (ii) warn
[Bohnak] and Class Members of Defendants’ inadequate information security
practices; and (iii) effectively secure hardware containing protected PII using
reasonable and effective security procedures free of vulnerabilities and
incidents.” App’x 11, ¶ 14.
Asserting state law claims of negligence, breach of implied contract, and
breach of confidence, Bohnak alleges that she and Class Members suffered the
following injuries:
(i) lost or diminished value of PII; (ii) out-of-pocket expenses
associated with the prevention, detection, and recovery from identity
theft, tax fraud, and/or unauthorized use of their PII; (iii) lost
opportunity costs associated with attempting to mitigate the actual
consequences of the Data Breach, including but not limited to lost
time, and (iv) the continued and certainly increased risk to their PII,
which: (a) remains unencrypted and available for unauthorized third
parties to access and abuse; and (b) may remain backed up in
Defendants’ possession and is subject to further unauthorized
disclosures so long as Defendants fail[] to undertake appropriate and
adequate measures to protect the PII.
App’x 11, ¶ 15.
Defendants moved to dismiss Bohnak’s complaint under Federal Rule of
Civil Procedure 12(b)(1) for lack of subject matter jurisdiction, arguing that Bohnak
lacks Article III standing. In the alternative, Defendants moved to dismiss the
complaint under Rule 12(b)(6) because Bohnak fails to allege any cognizable
damages.
The district court rejected Defendants’ argument that Bohnak lacked Article
III standing, reasoning that, although the future, indefinite risk of identity theft
involving her compromised PII by itself was insufficient to establish an injury in
fact under TransUnion, Bohnak plausibly alleged a separate concrete injury,
analogous to that associated with the common-law tort of public disclosure of
private information, that could support Article III standing.
However, the district court accepted Defendants’ argument that Bohnak
had failed to state a claim for which relief can be granted, reasoning that she had
not plausibly alleged cognizable damages arising from the disclosure of her PII.
In particular, the district court concluded that Bohnak could only speculate about
the extent of any future harm, and that the damages arising from any risk of future
harm are not “capable of proof with reasonable certainty.” Bohnak, 580 F. Supp.
3d at 31. The court concluded that Bohnak’s alleged loss of time and money
responding to the increased risk of harm is not “cognizable” because it was not
proximately caused by the harm of disclosure which, the court emphasized, was
“the only harm for which [the court] found Plaintiffs have Article III standing.” Id.
Moreover, the court reasoned that Bohnak’s prayer for injunctive relief is
based on the same harms as her claims for monetary relief, indicating the harms
are compensable through money damages. In the court’s view, a permanent
injunction is thus unavailable. Because the court concluded that Bohnak does not
plausibly allege a claim for damages or injunctive relief, it dismissed Bohnak’s
claims pursuant to Rule 12(b)(6). Bohnak appealed.
DISCUSSION
Bohnak challenges the district court’s conclusion that she cannot establish
standing merely by virtue of the risk of future misuse of her PII (such as identity
theft or fraud), and in so arguing implicitly challenges the reasoning underlying
the court’s dismissal of her claims for failure to state a cognizable claim for
damages. Defendants, on the other hand, contend that because her claims are
predicated on a risk of future harm, Bohnak lacks standing altogether.
We conclude that Bohnak has standing to pursue her claims for relief, and
that she has adequately alleged a cognizable claim for damages. 6
I. Standing
We first consider whether Bohnak has established Article III
standing. See Central States SE and SW Areas Health and Welfare Fund v. Merck–Medco
Managed Care, LLC, 433 F.3d 181, 198 (2d Cir. 2005) (“If plaintiffs lack Article
III standing, a court has no subject matter jurisdiction to hear their claim.”).
“Because standing is challenged on the basis of the pleadings, we accept as
true all material allegations of the complaint, and must construe the complaint in
favor of the complaining party.” W.R. Huff Asset Mgmt. Co., LLC v. Deloitte &
Touche, LLP, 549 F.3d 100, 106 (2d Cir. 2008) (internal quotation marks omitted). In
this context, we determine whether a plaintiff has constitutional standing to sue
without deference to the district court. Id.
6 Bohnak has not challenged the district court’s determination that she failed to plausibly allege
a claim that would entitle her to injunctive relief, and her challenge to the district court’s
standing analysis does not directly undercut the court’s rationale for dismissing her claims for
injunctive relief. Accordingly, we deem any challenge to the district court’s dismissal of her
claim for injunctive relief waived, and do not address her claims for injunctive relief on appeal.
As noted above, to establish Article III standing, a plaintiff must show (1) an
injury in fact that is “concrete, particularized, and actual or imminent,” (2) that the
injury was caused by the defendant, and (3) that the injury would likely be
redressable by the court. Thole, 140 S. Ct. at 1618. At issue here is the first
element—an injury in fact that is “concrete, particularized, and actual or
imminent.”
Bohnak argues that the district court erred by concluding that the risk of
future harm arising from the disclosure of her PII is not a cognizable injury for
standing purposes. In particular, she argues that the district court erred in
concluding that the Supreme Court’s decision in TransUnion calls into question the
continuing vitality of this Court’s decision in McMorris. And she contends that
under the framework established in McMorris, she has standing to pursue her
claims.
Defendants contend that TransUnion forecloses any argument that Bohnak
has standing based on a risk of future harm, that Bohnak cannot establish standing
based on the factors set forth in McMorris, and that the district court erred in
concluding that Bohnak did have standing to pursue her claims based on the
injury from the exposure of her PII.
We conclude that TransUnion is the touchstone for determining whether
Bohnak has alleged a concrete injury, and that under TransUnion, Bohnak’s alleged
injuries arising from the risk of future harm are concrete. We further conclude that
McMorris is the touchstone for determining whether Bohnak has alleged an “actual
or imminent” injury, and that under McMorris, Bohnak’s alleged injuries are
“actual or imminent.” McMorris, 995 F.3d at 300. Given these conclusions, and
because the other elements of Article III standing are undisputedly met, we
conclude that Bohnak has Article III standing, and we have jurisdiction to review
this appeal.
A. TransUnion: Concreteness
i. The Court’s Holding
In TransUnion, in a distinct but somewhat analogous context, the Supreme
Court considered whether a risk of future injury alone is sufficiently concrete to
be an injury in fact for purposes of Article III standing. 141 S. Ct. at 2204 (“The
question in this case focuses on the Article III requirement that the plaintiff’s injury
in fact be ‘concrete,’—that is, ‘real, and not abstract.’”).
The conflict in TransUnion arose from a product designed to help businesses
avoid transacting with individuals on the United States Treasury Department’s
Office of Foreign Assets Control (“OFAC”) list of “specially designated nationals
who threaten America’s national security.” Id. at 2201-02 (internal quotation
marks omitted). When TransUnion (a “Big Three” credit reporting agency)
conducted a credit check for subscribers to their special service, it used third-party
software to compare the consumer’s name against the OFAC list. Id. at 2201. As
the Supreme Court explained,
If the consumer’s first and last name matched the first and last name
of an individual on OFAC’s list, then TransUnion would place an alert
on the credit report indicating that the consumer’s name was a
“potential match” to a name on the OFAC list. TransUnion did not
compare any data other than first and last names.
Id.
TransUnion’s system produced many false positives, as many law-abiding
Americans share names with individuals on OFAC’s list of specially designated
nationals. Id. Sergio Ramirez, the named plaintiff, was one such law-abiding
American. Id. He tried to purchase a car from a dealership, but the dealership
refused to sell it to him after receiving a report from TransUnion that he was on
OFAC’s list. Id. Ramirez filed a class action on behalf of himself and the rest of
the proposed 8,185 class members seeking statutory damages for TransUnion’s
violations of the Fair Credit Reporting Act (“FCRA” or the “Act”). Id. at 2200.
FCRA “imposes a host of requirements concerning the creation and use of
consumer reports.” Id. (internal quotation marks omitted). Ramirez alleged that
in connection with its new product, TransUnion “failed to follow reasonable
procedures to ensure the accuracy of information in his credit file.” Id. at 2202.
The proposed class of individuals all received notice from TransUnion that their
names were considered a potential match to names on the OFAC list. Id. During
the class period, TransUnion had distributed reports to potential creditors
concerning only 1,853 of the 8,185 class members. Id.
In evaluating whether all of the class members’ injuries arising from
TransUnion’s alleged statutory violations had suffered an injury in fact supporting
Article III standing, the Supreme Court focused its analysis on the issue of whether
the plaintiffs had shown a “concrete harm.” Id. at 2208–09.
In considering whether the plaintiffs’ alleged injuries were sufficiently
concrete to constitute an injury in fact for purposes of their claim for damages, the
Court considered whether their injuries bore a “‘close relationship’ to a harm
‘traditionally’ recognized as providing a basis for a lawsuit in American
courts.” Id. at 2204 (quoting Spokeo, Inc. v. Robins, 578 U.S. 330, 341 (2016)). The
Court recognized that “traditional tangible harms,” such as physical harms and
monetary harms, “readily qualify as concrete injuries under Article III.” Id. But it
went on to recognize that harms beyond those traditional tangible harms can also
support standing:
Various intangible harms can also be concrete. Chief among them are
injuries with a close relationship to harms traditionally recognized as
providing a basis for lawsuits in American courts. Those include, for
example, reputational harms, disclosure of private information, and
intrusion upon seclusion.
Id. (citation omitted).
Applying this framework, the Court had “no trouble” concluding that the
1,853 class members whose false OFAC designations were sent to third parties had
suffered a concrete injury. Id. at 2209. The Court reasoned that such an injury
“bears a ‘close relationship’ to a harm traditionally recognized as providing a basis
for a lawsuit in American courts—namely, the reputational harm associated with
the tort of defamation.” Id. (quoting Spokeo, 578 U.S. at 341). Therefore, the Court
concluded that the 1,853 class members whose reports were disseminated to third
parties suffered a concrete injury in fact under Article III. Id. Significantly, the
Court concluded that the publication of false information about these class
members to third parties was itself enough to establish a concrete injury; it did not
take further steps to evaluate whether those third parties used the information in
ways that harmed the class members. Id.
On the other hand, the Court concluded that the remaining 6,332 class
members whose credit reports were not shared with third parties had not suffered
a concrete injury, explaining that there is “no historical or common-law analog
where the mere existence of inaccurate information, absent dissemination,
amounts to concrete injury.” Id. (internal quotation marks omitted). The Court
distinguished between credit reports published to third parties and files that
consumer reporting agencies maintain internally. Id. at 2210. It analogized
misleading information merely sitting in a company database to a defamatory
letter stored in a desk drawer and never sent; the Court explained that in both
cases, legally speaking, nobody is harmed. Id.
The Court gave two answers of note in response to the arguments on behalf
of the 6,332 class members that the existence of misleading OFAC alerts in their
internal credit files exposed them to a material risk that the information would be
disseminated to third parties in the future and thereby caused them present harm.
First, it explained that, although mere risk of future harm does not provide
standing to seek retrospective damages where actual harm never materialized, “a
person exposed to a risk of future harm may pursue forward-looking, injunctive
relief to prevent the harm from occurring, at least so long as the risk of harm is
sufficiently imminent and substantial.” Id. (citing Clapper v. Amnesty Int’l USA, 568
U.S. 398, 414 n.5 (2013)).
Second, the Court noted that a risk of future harm could “itself cause[] a
separate concrete harm,” in which case the plaintiff would have standing to pursue
damages premised on that separate concrete harm. Id. at 2211 (emphasis in
original). For example, the Court suggested that evidence that the class members
suffered some other injury, such as emotional injury, from the risk that their
reports would be provided to third-party businesses could give them standing to
seek damages. Id.
These principles guide our assessment of whether Bohnak’s alleged harm is
sufficiently “concrete” to support Article III standing.
ii. Application to Bohnak’s Claims
Like the Supreme Court in TransUnion, we have no trouble concluding that
Bohnak’s alleged harm is sufficiently concrete to support her claims for damages.
Similar to the publication of misleading information about some of the plaintiffs
in TransUnion, the core injury here—exposure of Bohnak’s private PII to
unauthorized third parties—bears some relationship to a well-established
common-law analog: public disclosure of private facts. See Restatement (Second)
Torts § 652D (“One who gives publicity to a matter concerning the private life of
another is subject to liability to the other for invasion of . . . privacy, if the matter
publicized is of a kind that (a) would be highly offensive to a reasonable person,
and (b) is not of legitimate concern to the public.”). Bohnak’s position is thus
similar to that of the 1,853 class members who had standing in TransUnion based
on the publication of misleading information to third parties without regard to
whether the third parties used the information to cause additional harm.
We need not stretch to reach this conclusion. In TransUnion itself, the
Supreme Court specifically recognized that “disclosure of private information”
was an intangible harm “traditionally recognized as providing a basis for lawsuits
in American courts.” 141 S. Ct. at 2204 (citing Davis v. Federal Election Comm’n, 554
U.S. 724, 733 (2008)). It thus described an injury arising from such disclosure as
“concrete” for purposes of the Article III analysis. Id. The core of the injury
Bohnak alleges here is that she has been harmed by the exposure of her private
information—including her SSN and other PII—to an unauthorized malevolent
actor. This falls squarely within the scope of an intangible harm the Supreme
Court has recognized as “concrete.” Id.
We recognize that Bohnak does not in this case assert a common law claim
for public disclosure of private facts, and it matters not whether New York
common law recognizes a tort relating to publication of private facts. For the
purposes of the “concreteness” analysis under TransUnion, what matters is that
the intangible harm arising from disclosure of one’s PII bears a relationship to an
injury with a “close historical or common-law analogue.” Id. And that analog
need not be “an exact duplicate.” Id. at 2209.
In addition, Bohnak’s allegations establish a concrete injury for purposes of
her damages claim for a separate reason: she has suffered “separate concrete
harm[s]” as a result of the risk of future harm occasioned by the exposure of her
PII. Id. at 2211 (emphasis omitted). In particular, she has alleged among other
things that she incurred “out-of-pocket expenses associated with the prevention,
detection, and recovery from identity theft” and “lost time” and other
“opportunity costs” associated with attempting to mitigate the consequences of
the data breach. App’x 11, ¶ 15. These separate and concrete harms foreseeably
arising from the exposure of Bohnak’s PII to a malign outside actor, giving rise to
a material risk of future harm, independently support standing.
Our conclusion on this point is consistent with our analysis in McMorris, in
which we explained with reference to the injury-in-fact question more broadly that
“where plaintiffs have shown a substantial risk of future identity theft or fraud,
any expenses they have reasonably incurred to mitigate that risk likewise qualify
as injury in fact.” 995 F.3d at 303 (internal quotation marks omitted).
It also echoes the First Circuit’s conclusion in Webb v. Injured Workers
Pharmacy, LLC, 72 F.4th 365 (1st Cir. 2023). In that case, the First Circuit considered
the standing of a plaintiff whose PII had been exposed in a data breach by a
home-delivery pharmacy service. There was no allegation that the plaintiff’s PII had
actually been misused, although other PII in the same dataset had been. Applying
the lessons of TransUnion, the court concluded that the plaintiff had plausibly
alleged a “separate concrete, present harm” caused by exposure to the risk of
future harm. Webb, 72 F.4th at 376. In particular, the plaintiff had alleged that she
spent “considerable time and effort” monitoring her accounts to protect them. Id.
(internal quotation marks omitted). The First Circuit joined other circuits in
concluding that “time spent responding to a data breach can constitute a concrete
injury sufficient to confer standing, at least when that time would otherwise have
been put to profitable use.” Id. at 377. The court noted, “Because this alleged
injury was a response to a substantial and imminent risk of harm, this is not a case
where the plaintiffs seek to ‘manufacture standing by incurring costs in
anticipation of non-imminent harm.’” Id. (quoting Clapper, 568 U.S. at 422).
The Third Circuit reached a similar conclusion in Clemens v. ExecuPharm Inc.,
48 F.4th 146 (3d Cir. 2022)—another post-TransUnion data breach case. In Clemens,
the Third Circuit concluded:
Following TransUnion’s guidance, we hold that in the data breach
context, where the asserted theory of injury is a substantial risk of identity
theft or fraud, a plaintiff suing for damages can satisfy concreteness as long
as [the plaintiff] alleges that the exposure to that substantial risk caused
additional, currently felt concrete harms. For example, if the plaintiff’s
knowledge of the substantial risk of identity theft causes [the plaintiff] to
presently experience emotional distress or spend money on mitigation
measures like credit monitoring services, the plaintiff has alleged a concrete
injury.
Id. at 155–56; see also In re U.S. OPM Data Security Breach Litigation, 928 F.3d 42, 59
(D.C. Cir. 2019) (noting that the Supreme Court has recognized standing to sue
“on the basis of costs incurred to mitigate or avoid harm when a substantial risk
of harm actually exists” (quoting discussion of Clapper in Hutton v. Nat’l Bd. of
Examiners in Optometry, 892 F.3d 613, 622 (4th Cir. 2018))); Dieffenbach v. Barnes &
Noble, Inc., 887 F.3d 826, 829-30 (7th Cir. 2018) (monthly fees for credit monitoring
secured in response to a data breach are “real and measurable” actual damages).
For these reasons, given the close relationship between Bohnak’s data
exposure injury and the common law analog of public disclosure of private facts,
and, alternatively, based on her allegations that she suffered concrete present
harms due to the increased risk that she will in the future fall victim to identity
theft as a result of the data breach, we conclude that Bohnak has alleged an injury
that is sufficiently concrete to constitute an injury in fact for purposes of her
damages claim.
B. McMorris: Imminence
Our conclusion that Bohnak’s injury is concrete does not fully resolve the
standing question because it addresses only one component of injury in fact. The
“particularity” requirement for an injury in fact is not in dispute here, but whether
Bohnak’s injury is “actual or imminent” is. Our pre-TransUnion decision in
McMorris guides our analysis of this component.
i. The Court’s Holding
In McMorris, the plaintiffs brought a putative class action against their
employer asserting claims for negligence and violations of consumer protection
laws resulting from inadvertent dissemination of a company-wide email
containing their sensitive PII. 995 F.3d at 298. The plaintiffs alleged that because
their PII had been disclosed to all of the defendant’s then current employees,
plaintiffs were “at imminent risk of suffering identity theft and becoming the
victims of unknown but certainly impending future crimes.” Id. (internal
quotation marks omitted).
As in this case, the issue in McMorris was whether the plaintiffs had suffered
an injury in fact. 995 F.3d at 300. But, in McMorris we considered the question
holistically, without breaking the injury-in-fact analysis into its components. See
id. (“This case concerns . . . the first element of Article III standing: the existence of
an injury in fact.”). Because many of our insights in McMorris relate most closely
to the issue of whether the future harm is sufficiently “actual or imminent,”
TransUnion, which did not purport to address matters beyond “concreteness,”
does not fully supplant our analysis in McMorris.
In McMorris, we explained that “a future injury constitutes an Article III
injury in fact only ‘if the threatened injury is certainly impending, or there is a
substantial risk that the harm will occur.’” 995 F.3d at 300 (quoting Susan B.
Anthony List v. Driehaus, 573 U.S. 149, 158 (2014)). We then identified and endorsed
three non-exhaustive factors that courts have considered in determining whether
plaintiffs whose PII has been compromised but not yet misused face a substantial
risk of harm.
First, we said that the most important factor in determining whether a
plaintiff whose PII has been exposed has alleged an injury in fact is whether the
data was compromised as the result of a targeted attack intended to get
PII. McMorris, 995 F.3d at 301. Where a malicious third party has intentionally
targeted a defendant’s system and has stolen a plaintiff’s data stored on that
system, courts are more willing to find a likelihood of future identity theft or fraud
sufficient to confer standing. Id. We embraced the Seventh Circuit’s reasoning in
one such case: “Why else would hackers break into a store’s database and steal
consumers’ private information? Presumably, the purpose of the hack is, sooner
or later, to make fraudulent charges or assume those consumers’ identities.” Id.
(quoting Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 693 (7th Cir. 2015)).
Second, we observed that, “while not a necessary component of establishing
standing,” courts have been more likely to conclude that a plaintiff has established
a “substantial risk of future injury” where some part of the compromised dataset
has been misused—even if a plaintiff’s own data has not. Id. at 301. For example,
fraudulent charges to the credit cards of other customers impacted by the same
data breach, or evidence that a plaintiff’s PII is available for sale on the Dark Web,
can support a finding that a plaintiff is at a substantial risk of identity theft or
fraud. Id. at 301–02.
Third, we explained that courts may consider whether the exposed PII is of
the type “more or less likely to subject plaintiffs to a perpetual risk of identity theft
or fraud once it has been exposed.” Id. at 302. On one hand, we noted that “the
dissemination of high-risk information such as [SSNs] . . . especially when
accompanied by victims’ names—makes it more likely that those victims will be
subject to future identity theft or fraud.” Id. On the other hand, we reasoned that
the exposure of data that is publicly available, or that can be rendered useless (like
a credit card number unaccompanied by other PII), is less likely to subject plaintiffs
to a perpetual risk of identity theft. Id.
Insofar as these factors shed light on whether the future harm of identity
theft or fraud resulting from a data breach is sufficiently actual and imminent (as
opposed to concrete), we see nothing in TransUnion that overrides our analysis,
and McMorris remains a touchstone.
ii. Application to Bohnak’s Claims
Considering these three factors, we conclude that Bohnak has sufficiently
alleged that she faces an imminent risk of injury—that is, a “substantial risk that
the harm will occur.” Id. at 300 (internal quotation marks omitted).
First and foremost, Bohnak has alleged that her PII was exposed as a result
of a targeted attempt by a third party to access the data set. App’x 14, ¶ 30; see
McMorris, 995 F.3d at 301 (considering “whether the data at issue has been
compromised as the result of a targeted attack intended to obtain the plaintiffs’
data.”). In particular, she alleges, based on Defendants’ own report to her, that an
“unauthorized actor [i.e., a hacker] . . . leveraged a vulnerability in a third party’s
software” and gained access to her PII. App’x 14, ¶ 30. This was not an
inadvertent, intra-company disclosure; it was a targeted hack.
Second, Bohnak alleges that the PII taken by the hackers includes her name
and SSN. Id. This is exactly the kind of information that gives rise to a high risk
of identity theft. McMorris, 995 F.3d at 302. As Bohnak has alleged, SSNs “are
among the worst kind of personal information to have stolen because they may be
put to a variety of fraudulent uses and are difficult for an individual to change.”
App’x 18, ¶ 45. And one cannot get a new SSN without “evidence of actual
misuse,” making it difficult to take preventive action to guard against the misuse
of the compromised number. Id. ¶ 46.
We recognize that Bohnak has not pulled off a hat trick with respect to the
factors identified in McMorris; she has not alleged any known misuse of
information in the dataset accessed in the hack. But we emphasized in McMorris
that such an allegation is not necessary to establish that an injury is sufficiently
imminent to constitute an injury in fact. 995 F.3d at 301. We conclude that the
allegations of a targeted hack that exposed Bohnak’s name and SSN to an
unauthorized actor are sufficient to suggest a substantial likelihood of future
harm, satisfying the “actual or imminent harm” component of an injury in fact.
Because Bohnak has alleged a concrete and imminent injury, and because
her injury is undisputedly particular, she has pled an injury in fact. 7 And because
Bohnak has pled that Defendants caused her injury, and her injuries would be
redressed through money damages, we conclude that Bohnak has Article III
standing to pursue her damages claim. 8
II. Bohnak’s Damages Claim
Our discussion of standing all but disposes of the damages issue. 9 The
district court dismissed Bohnak’s claims on the basis that her damages are not
“capable of proof with reasonable certainty,” and her alleged loss of time and
money responding to the increased risk of harm was not “cognizable.” Bohnak,
580 F. Supp. 3d at 31.
For the reasons set forth above, Bohnak’s alleged injury arising from the
increased risk of harm is cognizable for standing purposes, and thus could support
a claim for damages. As the Seventh Circuit explained in a similar case: “To say
that the plaintiffs have standing is to say that they have alleged injury in fact, and
if they have suffered an injury then damages are available.” Dieffenbach, 887 F.3d
at 828.
7 No party has suggested that the “particularity” requirement for an injury in fact is an obstacle
to Bohnak’s claims. See Strubel v. Comenity Bank, 842 F.3d 181, 188 (2d Cir. 2016) (explaining that
“to satisfy the particularity requirement” an injury must be “distinct from the body politic”).
Here, Bohnak has specifically alleged that her PII was compromised during a data breach that
impacted a finite number of people, making her injury “distinct from the body politic.”
8 Defendants challenge Bohnak’s claims on the merits on the basis that she hasn’t plausibly
alleged cognizable damages. But in contesting her standing, Defendants have not argued that
Bohnak has failed to establish the causation and redressability elements of standing.
9 We reject Defendants’ contention that Bohnak waived her challenge to the district court’s
dismissal of her claim pursuant to Rule 12(b)(6). In this case, the district court’s conclusion that
Bohnak did not plausibly plead damages rested entirely on the court’s conclusion that she lacked
standing to seek damages based upon a risk of future harm. Bohnak’s challenge to that
conclusion was a challenge to the court’s analysis of her damages.
Moreover, Bohnak has pled additional injuries—the time and money spent
trying to mitigate the consequences of the data breach—with respect to which
damages are unquestionably capable of reasonable proof. See App’x 11 ¶ 15; see
E.J. Brooks Co. v. Cambridge Sec. Seals, 31 N.Y.3d 441, 448–49 (2018) (compensatory
damages “cannot be remote, contingent or speculative,” but the standard “is not
one of ‘mathematical certainty’ but only ‘reasonable certainty’” (quoting Steitz v.
Gifford, 280 N.Y. 15, 20 (1939))); Aqua Dredge, Inc. v. Stony Point Marina & Yacht
Club, Inc., 583 N.Y.S.2d 648, 650 (3d Dep’t 1992) (“In computing damages for
breach of contract, mathematical certainty is rarely attained or even expected.”).
CONCLUSION
In sum, we conclude that the Supreme Court’s decision in TransUnion
governs the analysis of whether a risk of future injury is sufficiently concrete to
constitute an injury in fact for purposes of a claim for damages and that our
analysis in McMorris continues to guide our assessment of the “imminence”
component of injury in fact for purposes of Article III standing. Applying these
cases, we hold that Bohnak has Article III standing to bring her claims for damages
and that the district court erred in dismissing her claims for failure to plead
cognizable damages with reasonable certainty.
For these reasons, we REVERSE the district court’s judgment dismissing
Bohnak’s claims for damages and REMAND for further proceedings consistent
with this opinion.