Last month, the Eleventh Circuit Court of Appeals dismissed claims brought in a putative class action seeking damages for the disclosure of credit card information in a data breach resulting from a cyberattack. In I Tan Tsao v. Captiva MVP Restaurant Partners, LLC, the court held that the named plaintiff could not establish standing to sue based on allegations that the data breach created a “continuing increased risk of harm from identity theft and identity fraud” or that the plaintiff had taken affirmative steps to mitigate such potential harm.[1] The decision follows the reasoning of the court’s recent en banc decision in Muransky v. Godiva Chocolatier, Inc., in which similar allegations were rejected as insufficient to support standing in a case seeking statutory damages for technical violations of the Fair and Accurate Credit Transactions Act, and it adds to the circuit split on the issue.[2]
Background
I Tan Tsao commenced a putative class action against the defendant, a fast food restaurant group that does business under the name PDQ, within weeks of PDQ’s disclosure of a prolonged data breach that ran from May 2017 through April 2018. The company disclosed that a cyberattack had targeted its point of sale system and potentially gave the attackers access to an unverifiable number of customers’ credit and debit card information, including cardholder names, card numbers, card expiration dates, and CVVs.
Tsao asserted various state law claims against PDQ. Standing was predicated on allegations that he and the putative class members faced an increased risk of identity theft or fraud in the future and that he had suffered harm from having to take steps to mitigate that risk, such as cancelling his credit cards. The district court dismissed the complaint for lack of standing because it failed to allege any “single specific, concrete injury in fact that [plaintiff] or anyone else [] suffered as a result of any misuse of customer credit card information.”
The Eleventh Circuit’s Decision
The Eleventh Circuit agreed, affirming dismissal of the complaint.
Referencing Clapper v. Amnesty Int’l USA[3] and the recent Muransky decision, the court outlined two key principles for establishing standing. A threatened harm rises to the level of an Article III injury only where the alleged harm is “either ‘certainly impending’ or there is a ‘substantial risk’ of such harm.” Where neither is shown, a plaintiff cannot “conjure standing by inflicting some direct harm on itself to mitigate a perceived risk.”
Applying those principles in the data breach context, the court held that “[e]vidence of a mere data breach does not, standing alone, satisfy the requirements of Article III standing.” The increased risk of identity theft flowing from a breach of payment card data alone did not amount to a “substantial risk” and could not be characterized as “certainly impending,” absent allegations of actual misuse of the stolen data, of access to personal data that would enable a hacker to open unauthorized new accounts, or of other facts showing a substantial, non-speculative injury.
Because no significant threat of identity theft was alleged, the court found that Tsao could not rely on the steps he took to mitigate the breach (cancelling his credit cards) and their attendant harms (a loss of cashback rewards and of access to his preferred card accounts) to generate standing.
Implications
The Eleventh Circuit’s ruling widens a growing gulf between the circuits that confer standing on plaintiffs merely on allegations of an increased risk of identity theft due to a data breach (the Sixth, Seventh, Ninth, and D.C. Circuits) and those that require additional facts showing that the risk is not hypothetical (the Second, Third, Fourth, Eighth, and now Eleventh Circuits). More generally, the recent string of data breach decisions all grapple with the same underlying question of standing in the cyber context: there is no bright line marking when allegations of future harm stop being too speculative to constitute an injury. Rather, it is a fact-based inquiry that may turn on the nature of the information at issue (payment card data alone versus data that would allow new accounts to be opened), whether actual misuse or fraud occurred as a result of the breach, and other factors.
[1] No. 18-14959 (11th Cir. Feb. 4, 2021).
[2] See Muransky v. Godiva Chocolatier, Inc., 979 F.3d 917 (11th Cir. 2020) (en banc).
[3] Clapper v. Amnesty Int’l USA, 568 U.S. 398, 414 n.5 (2013).