There were 3,950 confirmed data breaches in 2020, according to tech industry sources. The largest included significant organizations like Microsoft, MGM Resorts, the California DMV, Ancestry.com and Spotify. These data breaches often attract plaintiff attorneys who claim damages resulting from the disclosure and possible misuse of personally identifiable information. However, does every individual whose personal data is involved in a data breach necessarily have standing to claim damages?

A recent decision by the U.S. Court of Appeals for the Second Circuit considered when victims of a data breach have standing to file a federal litigation. In McMorris v. Carlos Lopez & Associates, 2021 U.S. App. LEXIS 12328 (April 26, 2021) an employee of Carlos Lopez & Associates (CLA) inadvertently sent an email to all 65 employees of CLA in June 2018. Attached to the email was a spreadsheet containing personally identifiable information of the 65 current employees and 65 former employees. The information included Social Security numbers, dates of birth, home addresses, telephone numbers, educational degrees and dates of hire.