Judge Beth Robinson, nominated by President Biden to the US Court of Appeals for the Second Circuit, wrote a unanimous opinion that reversed a district court and ruled that a class action could be brought against a large corporation for failing to safeguard personally identifying information, even though specific identity theft or similar harms had not yet occurred. The decision in Bohnak v Marsh & McLennan Cos. Inc. was issued in August, 2023
What is this Case About?
Marsh & McLennan Cos. Inc. (MM) is one of the “world’s leading” companies in insurance, risk management, and related fields. MM keeps and stores personally identifying information (PII), including social security numbers, on some 7000 current and former employees, clients and many others. In spring of 2021, an unauthorized hacker “leveraged a vulnerability” and obtained access to many of these individuals’ PII. They included Nancy Bohnak, a former MM employee.
MM notified Bohnak and others of the data breach some two months after it occurred. On behalf of herself and others whose PII was hacked, Bohnak filed a nationwide class action against MM, seeking damages and injunctive relief. Her complaint explained that although she is “very careful” about her PII, which MM required her to submit, MM “did not secure the data from potential unauthorized actors through encryption” or equivalent means, and it remains insecure. Although she was not yet aware of specific instances of harm through identity theft, Bohnak maintained that MM’s failure to adequately protect the PII has already caused damage to her and class members, including “diminished value” of PII, out-of-pocket expenses to help prevent harm from identity theft, and the continued risk of additional breaches.
A federal district court dismissed Bohnak’s case without discovery or trial. The judge stated that Bohnak “could only speculate” about future identity theft or other harm, and “had not plausibly alleged cognizable damages” from the improper capture of her PII. She appealed to the Second Circuit.
How did Judge Robinson and the Second Circuit Rule and Why is it Important?
Judge Robinson’s opinion for the Second Circuit reversed the lower court and sent the case back so it could go forward. Although no previous ruling was directly on point, Judge Robinson explained that based on the complaint, the “alleged harm is sufficiently concrete to support” the “claims for damages” and injunctive relief. In part, she wrote, this was because courts have long recognized that “disclosure of private information” is “an intangible harm” that provides “a basis for lawsuits in American courts.” In addition, Judge Robinson continued, Bohnak’s claims concerning out-of-pocket costs and related harm from “attempting to mitigate” the consequences of the breach constitute a sufficient “concrete injury” in light of the alleged “imminent” and “substantial risk” of identity theft. Injunctive relief requiring MM to better safeguard the PII also warranted the case going forward.
In addition to giving Nancy Bohnak and others their day in court against MM, Judge Robinson’s decision is important for broader reasons. By making clear that a corporation like MM can be held liable for failing to safeguard PII, even when specific harm from identity theft has not yet occurred, the court has clearly sent a message to large companies like MM, particularly in the Second Circuit states of New York, Vermont, and Connecticut. This will hopefully lead such corporations to better protect the identifying information of countless employees, customers, and others that they retain. In addition, the ruling serves as another reminder of the importance of promptly confirming fair-minded Biden nominees like Judge Robinson to our federal courts.