How Much Legal Risk Does Accidentally Exposing Personal Information Put Your CU In?

May 6, 2021 at 9:49 am Leave a comment

The Court of Appeals for the Second Circuit, which has jurisdiction over credit unions in New York State, recently provided guidance to businesses that face potential data breaches which of course is every credit union employing someone reading this blog. It also took the opportunity to explain how much legal risk the office luddite (you know the person who continually responds to emails instructing her to buy gift certificates with company money) is putting your credit union in.

As my hardcore faithful readers know, a key concept to understand in evaluating your credit union’s legal risk is standing. The very basic idea is that one of the things that someone is seeking to sue you in federal court has to show is that they have been injured enough to justify being compensated by a court for the harm allegedly caused by your actions. While this issue is easy enough to figure out, in the case of a car accident or property damage, it is much more difficult to determine how much harm there has been in the context of data breaches.

In McMorris v. Carlos Lopez & Assocs., LLC, No. 19-4310 (2d Cir. 2021) the court heard an appeal from employees of a company who are part of a group of individuals whose personally identifiable information was exposed when a spreadsheet was sent to 65 fellow employees. They wanted to bring a class action lawsuit against their employer based on this negligent mishap. They couldn’t point to specific instances of the exposed information being misused, but they feared that it might be and wanted the company to pay for detection services.

The Second Circuit used these facts to address when potential future harm caused by a data breach triggers legal liability. It held that courts should consider the following factors in evaluating harm. Remember that these are the same factors your insurance company will be considering when pricing your data breach policies and that you should be discussing with your outside counsel the next time one of your employees mistakenly exposes personally identifiable information to third-parties;

(1) whether the plaintiffs’ data has been exposed as the result of a targeted attempt to obtain that data; (2) whether any portion of the dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and (3) whether the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud.

In the context of this case the court determined that our would-be class action plaintiffs could not establish standing. The personally identifiable information was exposed because of a mistake as opposed to the intentional acts of a hacker; there was no evidence that the compromised data had been misused and some but not all of the information was not particularly sensitive. It included, for example, phone numbers and dates-of-hire.

As for the fact that some of the victims felt the need to pay for services to monitor their accounts, the court held that self-inflicted harm cannot provide the basis for standing in federal courts.

On that note, grab another cup of coffee and continue going through your email secure in the knowledge that honest mistakes won’t necessarily result in a successful lawsuit against your credit union.

Entry filed under: Legal Watch, New York State, technology. Tags: , .

NY Extends and Increases Foreclosure Moratorium Gov Approves HERO’s Act

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Trackback this post  |  Subscribe to the comments via RSS Feed

Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advise from retained counsel.

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 755 other followers


%d bloggers like this: