Posts tagged ‘McMorris v Carlos Lopez & Assocs LLC’

How Much Legal Risk Does Accidentally Exposing Personal Information Put Your CU In?

The Court of Appeals for the Second Circuit, which has jurisdiction over credit unions in New York State, recently provided guidance to businesses that face potential data breaches which of course is every credit union employing someone reading this blog. It also took the opportunity to explain how much legal risk the office luddite (you know the person who continually responds to emails instructing her to buy gift certificates with company money) is putting your credit union in.

As my hardcore faithful readers know, a key concept to understand in evaluating your credit union’s legal risk is standing. The very basic idea is that one of the things that someone is seeking to sue you in federal court has to show is that they have been injured enough to justify being compensated by a court for the harm allegedly caused by your actions. While this issue is easy enough to figure out, in the case of a car accident or property damage, it is much more difficult to determine how much harm there has been in the context of data breaches.

In McMorris v. Carlos Lopez & Assocs., LLC, No. 19-4310 (2d Cir. 2021) the court heard an appeal from employees of a company who are part of a group of individuals whose personally identifiable information was exposed when a spreadsheet was sent to 65 fellow employees. They wanted to bring a class action lawsuit against their employer based on this negligent mishap. They couldn’t point to specific instances of the exposed information being misused, but they feared that it might be and wanted the company to pay for detection services.

The Second Circuit used these facts to address when potential future harm caused by a data breach triggers legal liability. It held that courts should consider the following factors in evaluating harm. Remember that these are the same factors your insurance company will be considering when pricing your data breach policies and that you should be discussing with your outside counsel the next time one of your employees mistakenly exposes personally identifiable information to third-parties;

(1) whether the plaintiffs’ data has been exposed as the result of a targeted attempt to obtain that data; (2) whether any portion of the dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and (3) whether the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud.

In the context of this case the court determined that our would-be class action plaintiffs could not establish standing. The personally identifiable information was exposed because of a mistake as opposed to the intentional acts of a hacker; there was no evidence that the compromised data had been misused and some but not all of the information was not particularly sensitive. It included, for example, phone numbers and dates-of-hire.

As for the fact that some of the victims felt the need to pay for services to monitor their accounts, the court held that self-inflicted harm cannot provide the basis for standing in federal courts.

On that note, grab another cup of coffee and continue going through your email secure in the knowledge that honest mistakes won’t necessarily result in a successful lawsuit against your credit union.

May 6, 2021 at 9:49 am Leave a comment

CFBP Extends QM Compliance Deadline

The increasingly drawn out fate of regulations creating a new definition of what qualifies as a Qualified Mortgage took another turn this week when the CFPB announced that it was extending the deadline for compliance from July 1,, 2021 until October 1, 2022.  This is good news especially for those of you intending to sell mortgages to the secondary market.  As I explained in a recent blog, the GSE recently put its partners on notice that without a change to the deadline it would not accept for purchase mortgages which qualify under the existing QM patch with its higher debt-to-income parameters. 

The preamble to this announcement includes this graph demonstrating just how dependent the housing market remains on access to the GSEs even as private label securitization continues to recover.

Second Circuit Examines Standing In Data Breach Cases

I will be delving into this more extensively next week but I did not want this week to end without informing my faithful readers that the U.S. Court of Appeals for the Second Circuit has decided an important case in which it explains the circumstances under which individuals whose data has been exposed to theft by unauthorized third parties can bring lawsuits in New York federal courts.  The case is McMorris v. Carlos Lopez & Assocs., LLC .

On that note, enjoy your weekend.  Yours truly will be paying for his first haircut and shave in about 16 months.

April 30, 2021 at 9:58 am Leave a comment

Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advise from retained counsel.

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 757 other followers