In early November, we wrote about a new Eleventh Circuit decision on Article III standing law which directly held that it was not enough to allege a statutory violation and instead there must be a concrete injury to sustain an action in federal court. Muranksy v. Godiva Chocolatier, Inc., 979 F. 3d 917 (11th Cir. 2020). We noted the sharp divide in the Court and that it was an en banc decision. Now, the Eleventh Circuit has returned to the standing doctrine and applied it in a data breach case, further solidifying the requirement that a class action plaintiff must have a concrete injury to satisfy Article III standing.
On February 4, 2021, the Eleventh Circuit affirmed the trial court’s dismissal of a class action complaint alleging PDQ, a fast casual restaurant, exposed the plaintiff and other customers to a risk of future identity theft. In Tsao v. Captiva MVP Restaurant Partners, LLC, the plaintiff alleged in 2018 PDQ became aware that a hacker exploited PDQ’s point of sale system and gained access to customers’ personal data, including their credit and debit card information. PDQ notified its customers that all locations were affected by the attack and that PDQ customers’ personal data “may” have been accessed.
The plaintiff made two food purchases at PDQ during the data breach period. Following the notice by PDQ, the plaintiff contacted his banks to cancel his credit cards and filed a class action complaint in the Middle District of Florida. The plaintiff alleged he and class members suffered a variety of injuries including “theft of their personal information,” “unauthorized charges on their debit and credit card accounts” and “ascertainable losses in the form of the loss of cash back or other benefits.”
The Eleventh Circuit analyzed the trial court’s dismissal under the framework of Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1546-47 (2016) and Clapper v. Amnesty Int’l USA, 568 U.S. 398 (2013). The Court explained that these cases mean: (1) “a plaintiff alleging a threat of harm does not have Article III standing unless the hypothetical harm alleged is either ‘certainly impending’ or there is a ‘substantial risk’ of such harm”, and (2) “if the hypothetical harm alleged is not ‘certainly impending,’ or if there is not a substantial risk of the harm, a plaintiff cannot conjure standing by inflicting some direct harm on itself to on itself to mitigate a perceived risk.”
The Eleventh Circuit measured the risk by refereeing a 2007 GAO report on data breaches, holding that the report demonstrated why there was no “substantial risk” of identity theft, stating (1) the plaintiff had not alleged that social security numbers, birth dates, or driver’s license numbers were compromised in the data breach, and (2) the card information allegedly accessed by the PDQ hackers “generally cannot be used alone to open unauthorized new accounts.” Further, the court noted that the GAO Report suggests that most data breaches have not resulted in detected incidents of fraud on existing accounts.
The Court held that if it ignored the GAO Report, the plaintiff had not “met his burden to show that the there is a ‘substantial risk’ of harm, or that such harm is ‘certainly impending.’” The Court wrote:
First, we recently held in Muransky that conclusory allegations of an “elevated risk of identity theft”—or, as Tsao puts it, a “continuing increased risk” of identity theft—“[are] simply not enough” to confer standing. Muranksy, 979 F.3d at 933. Tsao’s allegations about the “increased risk” of identity theft are supported only by reports defining identity theft, outlining the general risks of identity theft, or stating that identity thieves have stolen $112 billion in the last six years. These reports do nothing to clarify the risks to the plaintiffs in this case, and Tsao’s threadbare allegations of “increased risk” are insufficient to confer standing.
Second, Tsao offers only vague, conclusory allegations that members of the class have suffered any actual misuse of their personal data—here, “unauthorized charges.” But again, conclusory allegations of injury are not enough to confer standing. See Iqbal, 556 U.S. at 678, 129 S. Ct. at 1949. Of course, as our sister Circuits have recognized, evidence of actual misuse is not necessary for a plaintiff to establish standing following a data breach. See, e.g., Beck, 848 F.3d at 275 (stating that district court did not impermissibly require plaintiffs to demonstrate actual misuse). However, without specific evidence of some misuse of class members’ data, a named plaintiff’s burden to plausibly plead factual allegations sufficient to show that the threatened harm of future identity theft was “certainly impending”—or that there was a “substantial risk” of such harm—will be difficult to meet. Cf. Resnick v. AvMed, Inc., 693 F.3d 1317, 1323 n.1 (11th Cir. 2012) (finding that plaintiffs who suffered “actual” identity theft had standing but noting that “speculative” identity theft may not be sufficient to confer standing). As the case law discussed above confirms, most plaintiffs that have failed to offer at least some evidence of actual misuse of class members’ data have fared poorly in disputes over standing. See Op. at 14–21.
Third, Tsao immediately cancelled his credit cards following disclosure of the PDQ breach, effectively eliminating the risk of credit card fraud in the future. Of course, even if Tsao’s cards are cancelled, some risk of future harm involving identity theft (for example, the use of Tsao’s name) still exists, but that risk is not substantial and is, at best, speculative.
Finally, the Court confronted the argument that the plaintiff’s mitigation efforts were a concrete injury. Plaintiff claimed he spent time and effort to cancel his credit card, that he lost the opportunity to accrue rewards points and that the cancellation restricted his access to his credit cards. The Eleventh Circuit directly rejected this argument, holding a plaintiff cannot “conjure standing  by inflicting injuries on himself to avoid an insubstantial, non-imminent risk of identity theft.”
In short, the Eleventh Circuit emphasized conclusory allegations that plaintiff and class members suffered an “elevated risk of identity theft” are “simply not enough” to confer standing. Without some evidence of specific misuse of the class members’ data, the plaintiff could not support the conclusory allegation of a threatened harm of future identity theft.
Tsao further gives teeth to the Article III standing requirement of a concrete injury in the Eleventh Circuit, especially in class actions alleging a generalized future risk of harm. However, because these issues have provoked circuit splits, there is a fair chance this issue could end up before the United States Supreme Court.