Increased Risk of Identity Theft Cannot Establish Article III Standing in Data Breach Cases

The Eleventh Circuit has now taken a stand on whether a substantial risk of identity theft, fraud, and other future harm constitutes Article III standing in data breach cases.  Tsao v. Captiva MVP Rest. Partners, LLC, 2021 WL 381948 (11th Cir. Feb. 4, 2021).  In an opinion authored by Senior Judge Tjoflat, the Eleventh Circuit affirmed the lower court’s decision, holding that plaintiff Tsao lacked Article III standing because he could not demonstrate a substantial risk of identity theft and because he cannot manufacture standing.  The court dismissed the case without prejudice.

The facts of this case are straightforward.  Defendant PDQ restaurant experienced a data breach on May 19, 2017, when a hacker exploited defendant’s point of sale system and gained access to customers’ personal data, including credit and debit card information.  Defendant posted a notice to customers that it was the target of a cyber-attack, and that customers who patronized any PDQ location between May 19, 2017 and April 20, 2018 might be affected.  The notice provided that the customers’ personal information that “may have been accessed” included cardholder names, credit card numbers, card expiration dates, and CVVs.  Plaintiff patronized defendant’s restaurants at least two times in October 2017 using two different credit cards.  When plaintiff learned of the possible breach in 2018, he cancelled his cards.

Less than two weeks after defendant’s announcement of the cyber-attack, plaintiff filed a class action complaint listing various injuries that PDQ customers allegedly suffered as a result of the breach, including “theft of their personal financial information,” “unauthorized charges on their debit and credit card accounts,” and “ascertainable losses in the form of the loss of cash back or other benefits.”  Plaintiff further asserted that he and the class members were “placed at an imminent, immediate, and continuing increased risk of harm from identity theft and identity fraud, requiring them to take the time which they otherwise would have dedicated to other life demands such as work and effort to mitigate the actual and potential impact of the Data Breach on their lives.”

In response to defendant’s motion to dismiss, plaintiff focused on three types of injuries he allegedly suffered to mitigate a perceived risk of future identity theft: lost cash back or reward points, lost time he spent addressing the problems caused by the breach, and restricted card access resulting from cancelling his credit cards.  Plaintiff argued that he possessed standing for two distinct reasons: (1) he and the class were at an increased risk of identity theft, or, alternatively, (2) because he proactively took steps to mitigate this risk.  The district court dismissed plaintiff’s complaint without prejudice for lack of standing, reasoning that plaintiff never once alleged that his credit cards were used by a thief or that his identity was stolen, or that he or anyone else ever actually suffered from the alleged misuse of customer credit card information.  The district court held that such conclusory allegations of harm were speculative at best, and insufficient to satisfy Article III standing.

The Eleventh Circuit began its analysis with an overview of standing case law.  Quoting Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), the court observed that for a plaintiff to have Article III standing, it must have “(1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.”  To establish injury-in-fact, the court noted that a plaintiff must set forth allegations that “plausibly and clearly allege a concrete injury.”

The court distilled two legal principles relevant to plaintiff’s claims.  “First, a plaintiff alleging a threat of harm does not have Article III standing unless the hypothetical harm alleged is either certainly impending or there is a substantial risk of such harm.  Second, if the hypothetical harm alleged is not certainly impending, or if there is not a substantial risk of the harm, a plaintiff cannot conjure standing by inflicting some direct harm on itself to mitigate a perceived risk.”

The court acknowledged a circuit split regarding whether a plaintiff may establish injury-in-fact based solely on the increased risk of identity theft.  As the court noted, the Sixth, Seventh, Ninth, and D.C. Circuits have recognized that, at the pleading stage, a plaintiff can establish injury-in-fact based on the increased risk of identity theft.  The Second, Third, Fourth, and Eighth Circuits have declined to find standing on that basis.  The Eleventh Circuit ultimately sided with the Eighth Circuit’s holding in In re SuperValu, Inc., 870 F.3d 763 (8th Cir. 2017), which found no standing based on an “increased risk of future identity theft” theory, even where the plaintiff alleges actual misuse of personal information.  The SuperValu court was influenced by a June 2007 United States Government Accountability Office (GAO) report, which pointed out that compromised credit or debit card information, without personal identifying information, “generally cannot be used alone to open unauthorized new accounts.”

The Eleventh Circuit reasoned that, like the plaintiffs in SuperValu, plaintiff Tsao alleged that hackers may have accessed and stolen credit card data.  And although plaintiff Tsao also cited the June 2007 GAO report, the court agreed with the Eighth Circuit that the report actually shows that there was no substantial risk of identity theft.  Plaintiff Tsao did not allege that social security numbers, birth dates, or driver’s license numbers were compromised in the cyber-attack on PDQ.  The card information allegedly accessed by the PDQ hackers, therefore, could not be used alone to open a new account.  Plaintiff’s conclusory allegations of increased identity-theft risk were not enough to confer standing, especially here, where plaintiff effectively eliminated the risk of potential future fraud by immediately cancelling his cards.

Finally, the court concluded that plaintiff’s claims of actual, present injuries in his efforts to mitigate any risk of identity theft were insufficient to establish standing.  Plaintiff alleged that the cyber-attack required him to mitigate, which resulted in three separate injuries: (1) lost opportunity to accrue cash back or rewards points on his cancelled cards; (2) costs associated with detection and prevention of identity theft and the lost time associated with cancelling his cards; and (3) restricted account access to preferred cards.  But the court concluded that these mitigation costs were voluntary and “inextricably tied to his perception of the actual risk of identity theft.”  Because a plaintiff cannot manufacture standing by inflicting harm on himself in the face of hypothetical fear, the court again affirmed the district court’s conclusion that plaintiff failed to establish standing.

Posted by Laura Smithman.
