In Tsao v. Captiva MVP Rest. Partners, LLC, No. 18-14959, 2021 WL 381948 (11th Cir. Feb. 4, 2021), Tsao brought a putative class action against PDQ—a restaurant chain that he purportedly patronized—following a data breach. Over the course of roughly one year, a hacker stole PDQ customer personal financial information, including cardholder names, credit card numbers, card expiration dates, CVVs, and PIN data for debit cards. Id. at *1. 

Focusing on the injury prong of Article III standing, Tsao argued that he satisfied this element for two reasons: (1) he could suffer a future injury from misuse of the disclosed personal information, and (2) that he has, in fact, already suffered mitigation injuries like “lost time, lost rewards points, and loss of access to accounts” by canceling his credit cards. Id. at *3.

The court rejected these theories of injury, affirming the district court. Although the Sixth, Seventh, Ninth, and D.C. Circuits have all found injury-in-fact for the increased risk of future harm, the court sided with the Second, Third, Fourth, and Eighth Circuits, which have declined to find injury on those grounds. Id. at *5. The court explained that, as a general rule, “a plaintiff alleging a threat of harm does not have Article III standing unless the hypothetical harm alleged is either ‘certainly impending’ or there is a ‘substantial risk’ of such harm.” Id. at *5 (citations omitted).

Here, Tsao did not meet either the certainly impending or substantial risk standards for a number of reasons. First, Tsao only alleged that the hackers may have accessed his personal financial information. Id. at *8. Second, other personal information like social security numbers or driver’s license numbers were not stolen, making it very unlikely that future unauthorized accounts could be opened. Id. And the potentially affected cards were canceled, which effectively eliminates the future risk of credit card fraud. Id. at *8-9. The court also explained that “conclusory allegations of an elevated risk of identity theft” are insufficient “to confer standing,” especially when plaintiffs only outline the general risks of identity theft and not the risks specific to the case. Id. at *8. And finally, “vague, conclusory allegations” of misuse, like “‘unauthorized charges’…are not enough to confer standing.” Id. at *8 (citation omitted). 

Regarding the alleged, extant mitigation injuries, the court explained that, as a general rule, “if the hypothetical harm alleged is not ‘certainly impending,’ or if there is not a substantial risk of the harm, a plaintiff cannot conjure standing by inflicting some direct harm on itself to mitigate a perceived risk.” Id. at *5 (citations omitted). Accordingly, here, the court explained that the negative consequences of Tsao’s voluntary efforts to mitigate the risks of future injury (i.e., canceling his credit cards) do not constitute a sufficient injury. Id. at *9. Regardless of his own perception of the risks, Tsao cannot manufacture standing only when there is “an insubstantial, non-imminent risk of identity theft.” Id.

Judge Jordan concurred in the judgment to express his hope that “the Supreme Court will soon grant certiorari in a case presenting the question of Article III standing in a data breach case.”  Id. at *10.

[View source.]