Earlier this month, the Eleventh Circuit, in Tsao v. Captiva MVP Restaurant Partners, LLC, No. 18-14959, 2021 WL 381948 (11th Cir. Feb. 4, 2021), affirmed the dismissal of a class-action lawsuit brought on behalf of patrons of a restaurant chain, holding that data breach victims must show more than a heightened risk of future injury or costs incurred to mitigate potential harm in order to establish Article III standing.
The plaintiff in Tsao alleged that a data breach targeted at a restaurant chain’s point-of-sale system revealed class members’ credit and debit card information, exposing class members to identity theft and fraud.
Relying on the Supreme Court’s decision in Clapper v. Amnesty Int’l USA, 568 U.S. 398 (2013) and the Eleventh Circuit’s ruling in Muransky v. Godiva Chocolatier, Inc., 979 F.3d 917 (11th Cir. 2020), the court held that a plaintiff alleging a threat of future harm “does not have Article III standing unless the hypothetical harm alleged is either ‘certainly impending’ or there is a ‘substantial risk’ of such a harm.” Moreover, the court held, a plaintiff cannot “conjure standing” by inflicting harm on itself to mitigate the alleged risk, such as by spending time and resources canceling credit cards, resulting in temporary loss of use of the canceled cards and lost cash back or reward points. Applying this standard, the court found that plaintiff had failed to establish that the threat of future harm was “certainly impending” or that there was a “substantial risk” of such harm, and that he could not “manufacture standing” by incurring costs to mitigate a “non-imminent harm.”
In so holding, the Eleventh Circuit sided with the Second, Third, Fourth, and Eighth Circuits–all of which have declined to find standing based on an increased risk of identity theft and the cost of measures taken to protect against it. While the Tsao decision doesn’t resolve the circuit split, it provides additional protection to companies in the Eleventh Circuit that take steps to promptly alert their customers of data breaches. The Tsao decision is also likely to factor into the Equifax appeal, brought on behalf of a handful of objectors to the class settlement arising out of the 2017 data breach at Equifax–one of the largest ever, which is currently scheduled for oral argument before the Eleventh Circuit on April 20.