Absence of “Injury in Fact” Dooms Data Breach Settlement
An employee accidentally sent an email containing personal information on current and former employees of the company to a distribution list of approximately 65 current employees. The cybersecurity breach victims filed a class action and negotiated a settlement of $60,000 including attorneys’ fees. On an unopposed motion to approve the settlement, the court refused on the basis that there were no allegations of “injury in fact.” While many jurisdictions have held that plaintiffs alleging the theft of personal identifying information in a data breach have standing to bring claims against the entity that had held their data based on an increased risk of future identity theft, the Second Circuit is not one of them. Here the court makes a distinction based on intent, noting where the data was intentionally stolen by hackers or cyber criminals who had intentionally targeted the data there was no “injury in fact” requirement, however, this incident was accidental.