Source - Privacy and Data Security Alert | December 2019

SDNY Rejects Standing under “Increased Risk” Theory Where Data Not Targeted or Stolen

The Southern District of New York rejected a settlement that would have resolved a class action based on the unauthorized (and accidental) emailing of personal information of one group of employees to another group of employees. Because plaintiffs admitted the breach did not lead to the theft of any class members’ identity, the company filed a motion to dismiss the suit for multiple reasons including lack of Article III standing. The parties ultimately opted to settle before the court ruled on the motion.  When the plaintiffs filed a motion to enforce the settlement, the court determined that the plaintiffs’ “increased risk” theory was too speculative. It distinguished other cases that found standing based on that theory because the employees’ data was neither intentionally targeted nor stolen.


Defendants in breach cases in federal court should always test standing as a potential way to terminate the case early.

Read more in the full December issue of the Privacy and Data Security Client Alert.