Readers of CPW are likely already aware of a long-running Court of Appeals split regarding what injuries in the data breach context suffice for purposes of Article III standing. Well, in a decision out just last week the Eleventh Circuit decided to weigh in, coming out decisively on the side of defendants in data breach litigations. Tsao v. Captiva MVP Rest. Partners, LLC, 2021 U.S. App. LEXIS 3055 (11th Cir. Feb. 4, 2021). Read on below.
Some context for the uninitiated: in data breach litigations, plaintiffs will often allege that they have been harmed by the mere disclosure of their personal information (“PI”). This is so even when plaintiffs have not had fraudulent charges placed on their account, been victims of identity theft, or suffered any other concrete harm. This is because, plaintiffs (and their lawyers) say, they are at an increased risk of future harm as a result of their PI being disclosed in a data breach.
Many courts have viewed such claims of speculative future harm with justifiable skepticism, including the Second, Third, Fourth and Eighth Circuit Courts of Appeals (with the Eleventh Circuit just joining as well). They have held, consistent with the Supreme Court’s rulings in Lujan and Clapper, that plaintiffs bringing such claims lack Article III standing, an essential prerequisite to litigating in federal court. [Note: To have Article III standing, a plaintiff must show (1) she has suffered an “injury in fact” that is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical; (2) the injury is fairly traceable to the challenged action of the defendant; and (3) it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision.]
As just one example, the Third Circuit has held that a plaintiff-employees’ increased risk of identity theft theory was too hypothetical and speculative to establish “certainly impending” injury-in-fact to support Article III standing after an unknown hacker penetrated payroll system firewall. This was because, the court explained, it was “not known whether the hacker read, copied, or understood” the system’s information and no evidence suggested past or future misuse of employee data or that the “intrusion was intentional or malicious.”
This approach, however, is far from uniform. When confronted with the question of whether a plaintiff may establish an Article III injury-in-fact based on an increased risk of future identity theft, the Sixth, Seventh, and Ninth Circuits have all recognized, at the pleading stage, that plaintiffs can establish an injury-in-fact based on this threatened injury.
Which brings us back to Tsao. The Eleventh Circuit addressed the fallout from a data breach at a restaurant the plaintiff frequented. In 2017, a hacker gained access to the restaurant’s point of sale system, and obtained certain customer data. When the restaurant became aware of the breach, it alerted its customers as to the nature of the breach, the information obtained, and the dates the breach occurred.
Less than two weeks after the restaurant announced the breach, the plaintiff filed a class action complaint in the Middle District of Florida, alleging (much as other plaintiffs have in similar situations) that he and the class experienced harm from the theft of their personal information, as well as the increased risk of harm from the theft. Interestingly, he also alleged that he experienced an injury when he canceled his credit cards in fear of possible identity theft, forfeiting a $450 annual fee and accumulated rewards points. The restaurant successfully moved to dismiss the complaint for lack of standing in the district court, and the plaintiff appealed.
The Eleventh Circuit, following Spokeo, Inc. v. Robins, determined that the plaintiff had failed to allege a concrete and particularized injury that was actual or imminent. As the Court noted, “[g]enerally speaking, the cases conferring standing after a data breach based on an increased risk of theft or misuse included at least some allegations of actual misuse or actual access to personal data.” Agreeing with the other Circuits referenced above, the Court affirmed the dismissal and found that the plaintiff’s speculative fears of hypothetical future identity theft were insufficient to confer standing. Additionally, the plaintiff could not create an injury for himself by voluntarily canceling credit cards in light of those speculative fears.
Ultimately, this decision doesn’t resolve the circuit split, but it does provide additional protection for defendants in the Eleventh Circuit who take responsible action to notify their customers of data breaches.