On February 4, 2021, the Eleventh Circuit became the latest federal court of appeals to weigh in on a question that has divided the circuits: whether a plaintiff has standing to sue in a data breach case based on an alleged threat of future identity theft. In Tsao v. Captiva MVP Restaurant Partners, LLC, the Eleventh Circuit joined the Second, Third, Fourth, and Eighth Circuits to hold that a plaintiff generally lacks standing to sue based on an alleged increased risk of future identity theft absent allegations that at least some putative class members’ data was misused as a result of a data breach.
- In 2017 and 2018, the restaurant chain PDQ suffered a data breach leading to the potential exposure of cardholder names, account numbers, expiration dates, card verification value codes, and PIN data for debit cards for all its customers during a specified time period. Just weeks after the breach was announced, Plaintiff I Tan Tsao, who had made two purchases at a Florida PDQ location during the time the company was affected by the breach, sued PDQ on behalf of a putative nationwide class.
- Tsao asserted that he was harmed by the breach because (1) the breach put him at an immediate, increased risk of future identity theft, (2) he lost time cancelling the cards he used at PDQ, and (3) he lost access to credit and the ability to accrue rewards points while he was waiting for replacement cards to arrive. He brought a variety of state law claims against PDQ to recover for these alleged injuries.
- PDQ moved to dismiss, arguing that Tsao lacked Article III standing to bring his claims. The district court agreed that Tsao lacked standing, concluding that despite Tsao’s claim of a risk of future harm, he did not sufficiently allege that anyone had actually misused any putative class member’s data. The district court also ruled that Tsao’s other injuries were trifles that the law did not recognize.
- The Eleventh Circuit affirmed. The court began its analysis by drawing on the Supreme Court’s decision in Clapper v. Amnesty International USA, 568 U.S. 398 (2013), and its own recent en banc decision in Muransky v. Godiva Chocolatier, Inc., 979 F.3d 917 (11th Cir. 2020), to “distill two legal principles relevant to Tsao’s claims”: (1) a plaintiff has standing based on the threat of future harm only where such harm is “certainly impending” or there is a “substantial risk” that it will occur, and (2) a plaintiff does not have standing based on steps taken to mitigate a potential future harm that itself cannot support standing. (Predominant Issues previously covered Muransky here.)
- The court then reviewed data breach standing decisions from other circuits and suggested that—despite a circuit split on the question whether a risk of future identity theft is enough to confer standing—Tsao’s case would likely be decided the same way in any circuit. Synthesizing the case law in this area, the court noted that even “the cases conferring standing . . . based on an increased risk of theft or misuse include[] at least some allegations of actual misuse or actual access to personal data,” whereas Tsao made only conclusory allegations of such misuse or access in his complaint.
- On this point, the court explained that “without specific evidence of some misuse of class members’ data, a named plaintiff’s burden to plausibly plead factual allegations sufficient to show that the threatened harm of future identity theft was ‘certainly impending’—or that there was a ‘substantial risk’ of such harm—will be difficult to meet.” The court further observed that “most plaintiffs that have failed to offer at least some evidence of actual misuse of class members’ data have fared poorly in disputes over standing.”
- The court, moreover, relied on a Government Accountability Office report that Tsao cited to conclude that Tsao faced no “certainly impending” risk of future identity theft, because the payment-card information allegedly taken by the hackers generally could not be used to open fraudulent accounts (unlike other forms of personal information, such as social security numbers, birth dates, or driver’s license numbers). The court noted further that since Tsao quickly cancelled the cards he used at PDQ, it was highly unlikely that any of his stolen data would be used for fraudulent purchases. Accordingly, the court held that Tsao’s allegations of an increased risk of future identity theft were insufficient to support standing. Nor could Tsao “manufacture standing” by incurring costs or spending time to mitigate such a “non-imminent harm.”
- Tsao is the latest federal appellate case to hold that an increased risk of future identity theft is insufficient to confer standing in a data breach action. Tsao’s discussion of case law from across the country suggests that, regardless of the federal jurisdiction where a data breach suit is filed, allegations of an increased risk of future identity theft generally fail to establish standing unless actual misuse of the stolen data is also alleged. And, though Tsao may be limited to cases where the plaintiff fails to make non-conclusory allegations of actual misuse, its heavy reliance on In re SuperValu, Inc., 870 F.3d 763 (8th Cir. 2017), in which the Eighth Circuit found no standing even where the plaintiff had alleged actual misuse of personal information, suggests the court may go further and hold standing to be lacking even in certain cases alleging actual misuse.