Data Breach Plaintiff Doesn’t Have Standing in the Absence of Fraud or Identity Theft–Tsao v. Captiva
This is a data breach lawsuit. Plaintiff was a patron of a restaurant (PDQ) that suffered a breach that compromised credit card payment information. The breach occurred because a hacker gained access to customer data through “an outside vendor’s remote connection tool.”
Plaintiff made purchases at PDQ using two different cards (a Wells Fargo Home Rebate card and a Chase Sapphire Reserve card). Both cards offered types of rewards and one of the two also charged a fee. Upon learning of the breach, plaintiff cancelled both cards.
He filed suit on behalf of a putative class, arguing that class members were damaged by (1) suffering a risk of identity theft and (2) having to spend their time to mitigate the impact of the breach. The district court dismissed the complaint (without prejudice) for lack of standing. On appeal, the Eleventh Circuit affirms.
Legal Background: The court first provides a framework for evaluating standing. It mentions Spokeo, of course. As to the question of when future harm is imminent, it says Clapper v. Amnesty International is instructive. The court also mentions an Eleventh Circuit case (Muransky v. Godiva Chocolatier) addressing standing under FACTA, a statute that requires receipts to omit certain information from a consumer’s credit card. Muransky was an en banc ruling (a 143-page behemoth) where the Eleventh Circuit, relying on Clapper, reversed a district court’s approval of a FACTA settlement. The plaintiff had claimed that although he was not a victim of any identity theft, he was injured because he had to “destroy or safeguard” his receipts. The court rejected this as a source of Article III standing.
Standing based on Substantial Risk of Identity Theft or Fraud: The circuits are split on whether a risk of harm as a result of a data breach confers standing. The court says the cases finding standing from increased risk of harm have involved some misuse of, or “actual access” to, personal data. One case (Pisciotta v. Old National Bancorp) finds standing absent some misuse, but the court says it’s an outlier that hasn’t been cited with approval even in the Seventh Circuit. The court brushes this case to the side. Other cases (including from the Second, Third, Fourth, and Eighth Circuits) have rejected standing based on increased risk of harm. An Eighth Circuit ruling rejected a GAO report (GAO-07-737) that the plaintiffs relied on in arguing standing; the report highlighted the harm that could flow from data breaches.
The court says three considerations color its conclusion that there’s no standing:
- Plaintiff only made conclusory allegations of the increased risk—reports in the press or otherwise outlining “general risks” of identity theft are insufficient.
- Plaintiff is not able to point to any allegations that members of the class have suffered any misuse of their data.
- The plaintiff immediately cancelled his cards, “effectively eliminating the risk of credit card fraud in the future.”
Standing based on remedial efforts: The court also rejects plaintiff’s time and effort spent in canceling his cards as conferring standing. The court says this injury is self-inflicted based on fears of hypothetical future harm:
The mitigation costs Tsao alleges are inextricably tied to his perception of the actual risk of identity theft following the PDQ data breach. Tsao, by his own admission, voluntarily cancelled his credit cards, and the three types of harm he has identified flowed from that cancellation. By cancelling his cards, he voluntarily forwent the opportunity to accrue cash back or rewards points on those cards. By cancelling his cards, he voluntarily restricted access to his preferred payment cards. And by cancelling his cards, he voluntarily spent time safeguarding his accounts. Tsao cannot conjure standing here by inflicting injuries on himself to avoid an insubstantial, non-imminent risk of identity theft. To hold otherwise would allow “an enterprising plaintiff . . . to secure a lower standard for Article III standing simply by making an expenditure based on a nonparanoid fear.” Clapper, 568 U.S. at 416, 133 S. Ct. at 1151. The law does not permit such a result.
A concurring judge says the court’s ruling is consistent with the Eleventh Circuit in Godiva (the FACTA case), where he dissented, but makes a plea to the Supreme Court:
Hopefully the Supreme Court will soon grant certiorari in a case presenting the question of Article III standing in a data breach case.
It’s good to get a recap of where things stand and how muddled they are post-Spokeo.
The Ninth Circuit recently found in a memorandum opinion that iPhone owners whose devices were vulnerable to hacking and were degraded by Apple’s patches had standing. In re: Apple Processor Litigation, No. 19-16720 (9th Cir. Dec. 29, 2020) [pdf]. Judge Tashima dissented from this ruling, saying he would find no standing.
It’s also worth flagging an interesting phenomenon relating to standing. Federal court is seen as hostile to plaintiffs’ lawyers. So when lawyers on the defense side remove a case on CAFA grounds, plaintiffs are arguing that they lack Article III standing (and thus the court has no jurisdiction and has to remand) and defendants are arguing the opposite. Techdirt covers the Seventh Circuit’s ruling in the Clearview case where plaintiffs successfully persuaded the court to let them remain in state court based on a finding that plaintiffs lacked Article III standing.
Case citation: Tsao v. Captiva MVP Restaurant Partners, LLC, 18-14959 (11th Cir. Feb. 4, 2021)