Yesterday, in a 26-page opinion, the 11th U.S. Circuit Court of Appeals has weighed in on two important questions in the world of privacy and data breach litigation. First, does a plaintiff have standing where he was exposed to a substantial risk of future identity theft, even though there was no misuse of his information. The court’s answer is no. Second, what efforts to mitigate this risk does a plaintiff need to undertake to meet the standing requirement. Here, the court held that the plaintiff essentially manufactured his own injuries (wasted time, lost use of his preferred card, and lost credit card benefits) by voluntarily canceling his credit card, which is not enough to confer standing.
The case, Tsao v. Captiva MVP Restaurant Partners, arose from a data breach involving a restaurant chain’s point-of-sale system, which allowed access to the plaintiff’s credit card information. Upon receiving notice of the breach, plaintiff immediately canceled both credit cards used at the restaurant chain, though neither card had experienced fraudulent charges. Next, he filed a class-action lawsuit in the Middle District of Florida claiming that class members suffered a theft of his personal information, unauthorized charges on his payment cards, a loss of credit card reward points or cash back, and a temporary inability accrue points/benefits on his preferred credit cards. He also alleged that the time he had to take to mitigate the impact of the breach was an injury. His legal theories included breach of implied contract, negligence and per se negligence based on an alleged violation of the “unfair” prong of Section 5 of the FTC Act, unjust enrichment, and a violation of Florida’s unfair and deceptive trade practices law. The complaint also sought declaratory relief in the form of implementation of a variety of security measures. The District Court dismissed the complaint for lack of standing.
On appeal, plaintiff argued that: (1) he could suffer future injury from misuse of the credit card information; and (2) the lost time, lost rewards points, and loss of access to his preferred credit cards should be sufficient to confer standing. The 11th Circuit disagreed with both arguments.
The court began its analysis by observing that lost time and a lost “fraction of a vote” can be considered concrete injuries, but such injuries must also be “certainly impending” to confer Article III standing, which was not the case here. The court cited to the principle often relied upon by defendants in privacy litigation – you cannot manufacture standing by inflicting harm on yourself. For an injury to be “certainly impending” there must be a “substantial risk” that it will occur.
This is the 11th Circuit’s second significant post-Clapper decision on the standing issue. In an earlier decision, Muransky v. Godiva Chocolatier, the court held that merely printing too many digits on credit card receipts (creating an elevated risk of identity theft) did not confer standing on the plaintiffs, even if plaintiffs had spent time destroying or safeguarding receipts to mitigate the elevated risk.
Diving Into The Circuit Split
This opinion observed that circuit courts around the country are divided on the issue of whether a substantial risk of identity theft, fraud, or other harm in the future because of a breach is sufficient to confer standing. The court cited Sixth, Seventh, Ninth, and DC circuit court opinions holding that it does, but the court also cited Second, Third, Fourth, and Eighth circuit court opinions holding that it doesn’t. The court cited First Circuit opinions demonstrating that it had gone both ways on the issue. The court observed, however, that almost all of the cases that conferred standing included some allegations of actual misuse of actual access to personal data, and the case law generally has treated unauthorized access of credit card information as less likely to confer standing than other types of information.
Readers interested in learning more about the nature of this split should read this opinion, as the court dives deeply into it. The court does an effective job of shining a light on the split and effectively making the case for the U.S. Supreme Court’s review of the issue. Readers will also appreciate the court’s analysis of the GAO Report on page 22 that has become commonplace in plaintiffs’ lawyers’ privacy and data security class action complaints these days.
The Court’s Holding
Ultimately, the court held that an increased risk of identity theft, at least as described by the plaintiff in this case, is not enough to confer standing.
The court also held that the conclusory allegation of “unauthorized charges” experienced by the class is not sufficient to confer standing. The plaintiff needed to show “specific evidence of some misuse of class members’ data.”
Finally, the court held that the plaintiff’s immediate cancellation of his credit cards effectively eliminated the risk of credit card fraud in the future. While the court conceded that there was still some risk of identity theft where an unauthorized actor could use the plaintiff’s name, that risk was speculative, not substantial. The court relied on another often-used line by defendants in data breach litigation — “evidence of a mere data breach does not, standing alone, satisfy the requirements of Article III standing.”
Regarding the plaintiff’s actual/present injuries (lost rewards, identity theft protection costs, and restricted access to his cards), the court held that they did not confer standing because they “are inextricably tied to [the plaintiff’s] perception of the actual risk of identity theft” and the injuries were a result of plaintiff’s own voluntary decision to cancel his cards.
The Concurring Opinion
Judge Jordan (one of Florida’s most respected jurists) wrote a concurring opinion given the court’s reliance on Muransky, a case in which Judge Jordan had dissented. He expressed concern that the analysis of whether a substantial risk occurred should not take place at the motion-to-dismiss stage, though he conceded that Muransky sanctioned such an analytical approach.
This procedural question, too, could be an issue upon with the U.S. Supreme Court weighs in if it were to address the broader divide between circuit courts on the standing issue. Indeed, the last line of Judge Jordan’s opinion states, “[h]opefully the Supreme Court will soon grant certiorari in a case presenting the question of Article III standing in a data breach case.”