Last week, in a 26-page opinion, the 11th U.S. Circuit Court of Appeals weighed in on two questions crucial to the viability of privacy and data breach litigation in federal court—and perhaps even in general. First, does a plaintiff who claims to have been exposed to a substantial risk of future identity theft resulting from a data breach have standing under Article III to pursue his claims in federal court where the complaint alleges no actual misuse of his information? Second, do a plaintiff’s self-help efforts to mitigate this risk (e.g., canceling credit cards and losing benefits, and spending time and money monitoring one’s bank statements and credit score) suffice to demonstrate “actual harm” and thereby satisfy the standing requirement? The court answered both questions in the negative.
The case, Tsao v. Captiva MVP Restaurant Partners, arose from a data breach involving a restaurant chain’s point-of-sale system, which allowed access to the plaintiff’s credit card information. Upon receiving notice of the breach, the plaintiff immediately canceled both credit cards used at the restaurant chain, though neither card had experienced fraudulent charges. The plaintiff then filed a class action in the Middle District of Florida claiming that he and absent class members had suffered a theft of personal information, unauthorized charges on payment cards, a loss of credit card reward points or cash back, and a temporary inability to accrue points/benefits on preferred credit cards. He also alleged that the time and money he had spent mitigating the impact of the breach was an injury. His legal theories included breach of implied contract, negligence and per se negligence based on an alleged violation of the “unfair” prong of Section 5 of the FTC Act, unjust enrichment and a violation of Florida’s unfair and deceptive trade practices law. The complaint also sought declaratory relief in the form of implementation of a variety of security measures.
The defendant moved to dismiss the complaint under Rule 12(b)(1) for lack of standing, 12(b)(6) for failure to state a claim and 12(b)(7) for failure to join indispensable parties. Finding that mere evidence of a data breach, without allegations of actual harm or an imminent risk of harm, was “insufficient to satisfy injury in fact under Article III standing,” the district court dismissed the complaint for lack of standing without reaching the defendant’s 12(b)(6) and 12(b)(7) arguments.
On appeal, the plaintiff argued that: (1) he could suffer future injury from misuse of the credit card information; and (2) the lost time, lost rewards points and loss of access to his preferred credit cards should be sufficient to confer standing. The 11th Circuit disagreed with both arguments.
The 11th Circuit began its analysis by observing that lost time and a lost “fraction of a vote” can be considered concrete injuries, but such injuries must also be “certainly impending” to confer Article III standing, and allegations of “possible future injury” are not sufficient. In affirming the district court’s dismissal for lack of standing, the court found two legal principles relevant: first, a plaintiff alleging a threat of harm does not have Article III standing unless the hypothetical harm alleged is either “certainly impending” or there is a “substantial risk” of such harm. Second, if the hypothetical harm alleged is not “certainly impending” or if there is not a “substantial risk” of the harm, a plaintiff cannot manufacture standing by inflicting some harm on himself to mitigate a perceived risk.
This is the 11th Circuit’s second significant post-Clapper decision on the standing issue. In an earlier decision, Muransky v. Godiva Chocolatier, the court held that merely printing too many digits on credit card receipts, despite creating an elevated risk of identity theft, did not confer standing on the plaintiffs, even if the plaintiffs had spent time destroying or safeguarding receipts to mitigate the elevated risk.
Diving Into The Circuit Split
This opinion observed that circuit courts around the country are divided on whether a substantial risk of identity theft, fraud or other harm in the future because of a security breach will confer standing. The court cited opinions from the Sixth, Seventh, Ninth and D.C. circuit courts holding that it can, but the court also noted opinions from the Second, Third, Fourth and Eighth circuit courts holding that it does not typically confer standing. Finally, the court discussed First Circuit opinions demonstrating that it had gone both ways on the issue. The court observed, however, that almost all of the cases that conferred standing included some allegations of actual misuse or actual access to personal data, thereby satisfying Article III’s actual injury requirement.
Readers interested in learning more about the nature of this split should read the Tsao opinion, as the court dives deeply into it. The majority does an effective job of shining a light on the split, potentially teeing the case up for an appeal to the U.S. Supreme Court. Readers will also appreciate the court’s analysis of the GAO report on page 22 that has become a key feature in plaintiffs’ lawyers’ attempts to establish standing or cognizable injury in privacy and data security class action complaints. In its analysis, this court noted that the GAO report points out that compromised credit or debit card information, without additional personal identifying information, “generally cannot be used alone to open unauthorized new accounts.”
The Court’s Holding
Ultimately, the court held that an increased risk of identity theft, as described by the plaintiff in this case, was not enough to confer standing. The court found that there was no substantial risk of identity theft because Tsao had not alleged that any personal identifying information such as his social security number, birth date or driver’s license number was compromised in the breach. Citing the GAO report, the court found that “the card information allegedly accessed by the PDQ hackers ‘generally cannot be used alone to open unauthorized new accounts’” and “it is unlikely that the information allegedly stolen in the PDQ breach, standing alone, raised a substantial risk of identity theft.”
The court also held that the conclusory allegation of “unauthorized charges” experienced by the class was not sufficient to confer standing as the plaintiff needed to show “specific evidence of some misuse of class members’ data.”
Finally, the court held that—paradoxically—the plaintiff’s immediate cancellation of his credit cards effectively eliminated the risk of credit card fraud in the future. While the court conceded that there was still some risk of identity theft where an unauthorized actor could use the plaintiff’s name, that risk was speculative, not substantial. The court relied on another often-used line by defendants in data breach litigation—“evidence of a mere data breach does not, standing alone, satisfy the requirements of Article III standing.”
Regarding the plaintiff’s actual/present injuries (lost rewards, identity theft protection costs and restricted access to his cards), the court held that they did not confer standing because they “are inextricably tied to [the plaintiff’s] perception of the actual risk of identity theft” and the injuries were a result of the plaintiff’s own voluntary (and seemingly, in the court’s eyes, premature) decision to cancel his cards.
The Concurring Opinion
Judge Jordan (one of Florida’s most respected jurists) wrote a one-paragraph concurring opinion that criticized the court’s assessment of “substantial risk at the motion-to-dismiss stage,” though he conceded that Muransky (in which he had dissented) sanctioned such an approach.
This procedural question, too, could be one on which the U.S. Supreme Court weighs in if it addresses the broader divide between the circuit courts on the standing issue. For his part, Judge Jordan made clear that he hopes for such clarity.