•  
  •  
 

Authors

Douglas H Meal

Abstract

This article examines the Second Circuit's decision in Bohnak v. Marsh & McLennan Cos., which represents a pivotal development in the interpretation of Article III standing in the context of cyberattack class actions. The court's principal ruling, which held that mere unauthorized access to personal information by reason of a cyberattack constitutes a concrete injury sufficient for standing, marks a significant departure from prior jurisprudence and misinterprets the Supreme Court's seminal Article III decision in TransUnion LLC v. Ramirez. So does the court's alternative holding that standing can be predicated on a plaintiff's risk of suffering identity theft by reason of a cyberattack at some point in the future, even where no showing is made that such identity theft has already occurred or is likely to befall the plaintiff any time soon. This article explores the implications of the Bohnak decision, including its misinterpretations of TransUnion and its potential to reshape the landscape of cyberattack class-action litigation. The article identifies fundamental legal fallacies in the Second Circuit's reasoning in assessing Article III standing in the cyberattack context, such as its misplaced reliance on the intangible injury doctrine and its application of a subjective "substantial risk" standard. If broadly adopted, these holdings would dramatically lower the threshold for Article III standing, making standing a foregone conclusion in most if not all cyberattack class actions. By exposing the flaws in the Bohnak decision, this article aims to provide litigants and courts with a roadmap to counter its jurisprudential impact and preserve the integrity of Article III standing requirements in cyberattack class actions.

Share

COinS