Skip to content

Discerning Data

  • About Us
  • Additional Resources
  • Contact Us

DISCERNING DATA

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy

  • Privacy
  • Cybersecurity
  • Data Strategy
  • Disruptionware

The Eleventh Circuit Finds that Potential Future Misuse of Personal Information Does Not Confer Article III Standing in Data Breach Suits

Share

On February 4, 2021, the Eleventh Circuit Court of Appeals issued a critical opinion addressing Article III standing in private data breach actions, which has been the subject of a closely watched circuit split.

The case, Tsao v Captiva MVP Restaurant Partners LLC, originated in the District Court for the Middle District of Florida where the plaintiff filed a class action complaint against the restaurant chain PDQ in connection with a May 2017 data breach. Following the breach, PDQ posted a notice to customers regarding the breach, explaining that customers’ names, credit card numbers, card expiration dates and CVVs may have been exposed.

Subsequently, the plaintiff filed a class action complaint containing causes of action for breach of implied contract, negligence, negligence per se, unjust enrichment and violation of the Florida Unfair and Deceptive Trade Practices Act. Without alleging any specific instances of data theft, the named plaintiff alleged that the class was “injured” because they “have been placed at an imminent, immediate, and continuing increased risk of harm from identity theft and identity fraud, requiring them to take the time which they otherwise would have dedicated to other life demands such as work and effort to mitigate the actual and potential impact of the Data Breach on their lives.”

The district court dismissed the complaint for lack of standing, finding that although the plaintiff alleged that his data was “exposed” to criminals, he failed to allege any concrete injury – i.e. that his credit cards were used fraudulently or that his identity was stolen. Plaintiff appealed.

On appeal, the plaintiff argued that standing was established for two reasons. First, standing was proper because he could suffer future injury as a result of the data breach. Second, his lost time, reward points and access to preferred credit cards caused by the breach constituted an “injury.”

The Eleventh Circuit rejected both arguments, holding that “[e]vidence of a mere data breach does not, standing alone, satisfy the requirements of Article III standing.” The court went on to explain that “a plaintiff alleging a threat of harm does not have Article III standing unless the hypothetical harm alleged is either ‘certainly impending’ or there is a ‘substantial risk’ of such harm.” The court further explained that “if the hypothetical harm alleged is not ‘certainly impending,’ or if there is not a substantial risk of the harm, a plaintiff cannot conjure standing by inflicting some direct harm on itself to mitigate a perceived risk.”

In analyzing the plaintiff’s arguments, the court held that dismissal was proper because allegations of an increased risk of identity theft did not meet the standard of a “certainly impending” or “substantial risk” of harm. Likewise, vague, conclusory allegations that members of the class suffered misuse of data did not confer standing. The court warned that without a specific allegation of the misuse of class members’ data, evidence that an injury is certainly impending would be “difficult to meet.”

Finally, the court rejected the plaintiff’s argument that he was injured through his lost opportunity to accrue reward points, the cost and time associated with remedying the breach and restricted access to his preferred credit cards. It explained that it is well established that a plaintiff “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.” Because the alleged harms were tied to the plaintiff’s voluntary cancellation of his credit cards, which were intertwined with his perception of the risk of identity theft, standing was not proper.

The Tsao decision is the latest circuit court decision to address the issue of whether a plaintiff can establish injury-in-fact at the pleading stage based on the increased risk of identity theft. The Sixth, Seventh, Ninth, and D.C. Circuits have recognized that such an increased risk can confer standing, while the Second, Third, Fourth, and Eighth Circuits have declined to find standing under such circumstances.

Given the split, this issue is ripe for Supreme Court review sometime in the near future.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.

About the Author: Peter Baldwin

Peter Baldwin draws on his experience as a former federal prosecutor to counsel clients facing government investigations and cybersecurity issues. View Peter's full bio on the Faegre Drinker website.

Receive Email Alerts to New Articles

SUBSCRIBE

March 2, 2021
Written by: Peter Baldwin
Category: Privacy
Tags: consumer injury, data breach, injury-in-fact

Post navigation

Previous Previous post: Non-Techies – Protect Your Digital Data by Securing Your Home and Business Wi-Fi
Next Next post: New York Department of Financial Services Announces $1.5 Million Settlement of Second Cybersecurity Enforcement Action

Search the Blog

Sign Up for Email Alerts

PODCASTS

Faegre Drinker on Law and Technology

©2023 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Lawyer Advertising.

  • About Us
  • Additional Resources
  • Contact Us
We use cookies to improve your experience with our website. By browsing our site, you are agreeing to the use of cookies. For more information about how we use cookies, please review our privacy policy and cookie policy. OK
Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Non-necessary
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
SAVE & ACCEPT