Takeaway: In Tsao v. Captiva MVP Restaurant Partners, LLC, 986 F.3d 1332, 1339 (11th Cir. 2021), the Eleventh Circuit held that evidence of a “mere data breach” is not sufficient to establish standing where the hackers accessed only credit card information (not personal information) and where the plaintiff did not allege that any class member suffered actual misuse of data. Because there was no substantial risk of harm, the Eleventh Circuit found the plaintiff could not “manufacture” standing through unnecessary efforts to mitigate an insubstantial risk. Tsao makes it clear that data breach plaintiffs in the Eleventh Circuit will have to clear a high bar to establish standing.
The Tsao case involved a data breach that impacted customers who made a purchase at PDQ – a fast-food casual chicken restaurant – between May 2017 and April 2018. 986 F.3d at 1335. PDQ notified customers of the breach in June 2018. Tsao made two purchases at PDQ in October 2017 on two different cards. Id. The data breach only exposed credit card information; it did not expose personal information like social security numbers, birth dates, or driver’s license information. Id.
Tsao’s class action complaint did not allege that he or any other class member suffered identity theft, fraudulent charges, or data misuse as a result of the data breach. Id. at 1336. When Tsao learned of the data breach, he quickly cancelled his cards. Id. The complaint focused on the losses he suffered as a result of that mitigation effort, including lost reward points, time spent addressing the problems, and restricted card access after cancellation. Id.
The Middle District of Florida dismissed Tsao’s Complaint for lack of standing, finding that “[e]vidence of a data breach, without more, is insufficient to satisfy injury in fact under Article III standing.” Id. at 1337.
The Eleventh Circuit affirmed, finding (1) allegations of a risk of future harm because of a data breach are, without more, insufficient to establish standing and (2) a plaintiff cannot manufacture standing by taking unnecessary mitigation efforts to address insubstantial, non-imminent harm.
The Eleventh Circuit first concluded that there was no real circuit split about whether a plaintiff can establish standing base on the increased risk of identity theft. 986 F.3d at 1340. In nearly every case that found standing based on an increased risk of future harm, there was at least some allegation of either (1) actual misuse of some class member’s data or (2) access to personal data (addresses, birth dates, social security numbers), not just credit card information.
Based on its review of the case law, the Eleventh Circuit derived three conclusions about standing in data breach cases:
- First, allegations that a plaintiff victim of a data breach merely faced an “elevated risk of identity theft” did not confer standing.
- Second, while “evidence of actual misuse is not necessary for a plaintiff to establish standing,” plaintiffs who cannot allege actual misuse of any putative class member’s data face an uphill battle.
- Third, data breaches involving only credit card information pose less risk of future harm than data breaches that expose personal data.
The Eleventh Circuit further found that Tsao’s efforts to mitigate harm it deemed insubstantial did not establish standing. Id. at 1344. The court found that “Tsao cannot conjure standing here by inflicting injuries on himself to avoid an insubstantial, non-imminent risk of identity theft.” Id. at 1345.
Conclusion: Especially given its recent decision in Muransky v. Godiva Chocolatier, Inc., 979 F. 3d 917 (11th Cir. 2020) (which we covered in a previous post), the Eleventh Circuit’s decision is hardly surprising. But while Muransky suggested that the Eleventh Circuit likely had a stringent view of data breach standing, Tsao brings that stringent view into focus. Unlike in Muransky, where the plaintiff made almost no effort to establish injury (instead arguing the defendant’s statutory violation of FACTA established standing), Tsao included specific allegations of injury, including a creative attempt to establish mitigation costs. The analysis centered on the allegations themselves rather than any inadequacies in pleading. Thus, Tsao makes explicit that, to establish standing in the Eleventh Circuit, data breach plaintiffs need to plead either actual misuse of data or theft of personal information, such as social security or driver’s license numbers.