Courts across the United States continue to struggle with whether individuals impacted by a company’s data breach have suffered harm that is concrete enough to support their claims in court.
After they are notified of a data breach involving their personal data, impacted individuals often join together to bring class action claims against the business for its alleged failure to safeguard their data, breach of privacy promises regarding that data, and under applicable state consumer laws.
Data Breach Class Actions & Standing Requirements
One area that courts have shown a willingness to scrutinize is the question of whether these individuals have alleged, or can show they have experienced, actual harm from the data incident, to satisfy the Constitutional Article III requirement known as standing.
Plaintiffs continue to present novel theories of why access to their data by an unauthorized third party harmed them in a way that a court may remedy, especially in instances where no facts exist to show that their data has actually been misused. Plaintiffs will often allege that they lost some value associated with their data, or associated with the use of their data. By far the most prominent theory submitted by data breach plaintiffs is that these individuals are now at a higher risk of future identity theft and that future relief, such as credit monitoring, should be offered to them to prevent against this risk.
But how great is this risk of future identity theft, really? According to a recent Eleventh Circuit decision, not substantial enough to support Article III standing.
The I Tan Tsao Decision
In affirming the dismissal of a customer's proposed class action against Florida-based fast-food chain, PDQ, over a data breach that allegedly exposed plaintiffs’ credit and debit card information, the Eleventh Circuit held that the plaintiff I Tan Tsao did not present a sufficient injury claim as a basis for bringing the suit. There, Mr. Tsao alleged that he and members of his class were at an elevated risk of future identity theft due to the restaurant chain’s breach, and that he had to take certain mitigative steps to reduce this risk, such as cancelling his credit cards. Plaintiff Tsao relied primarily on a 2007 GAO Report on Data Breaches in support of his theory.
The Eleventh Circuit did not find Mr. Tsao’s hypothetical future risk of identity theft compelling enough for Article III standing purposes.
"We hold that Tsao lacks Article III standing because he cannot demonstrate that there is a substantial risk of future identity theft — or that identity theft is certainly impending — and because he cannot manufacture standing by incurring costs in anticipation of non-imminent harm," the three-judge panel said.
In relying on the U.S. Supreme Court's decision in Clapper v. Amnesty International USA, the Eleventh Circuit concluded that a plaintiff alleging a hypothetical harm does not have standing unless that harm is either "certainly impending" or represents a "substantial risk" of harm. And if the alleged risk does not rise to those levels, a plaintiff cannot "conjure standing by inflicting some direct harm on itself to mitigate a perceived risk."
The Eleventh Circuit also rejected Mr. Tsao’s use of the GAO Report, holding that the Report’s findings actually supported that the limited data potentially exposed here – credit and debit card numbers – alone, did not lead to a higher incidence of future identity theft.
Nor could Mr. Tsao’s mitigative steps – to cancel his credit card, which he alleged led to a period of restricted access to his account and lost reward points - manufacture a harm for standing purposes. “It is well established that plaintiffs cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending” the Circuit court held, citing to Clapper.
The Court’s decision in I Tan Tsao v. Capitva MVP Restaurant Partners LLC aligns it with the Second, Third, Fourth and Eighth Circuit Courts of Appeal who have rejected the theory, while the Sixth, Seventh, Ninth and D.C. circuits have accepted it.
The Supreme Court has yet to hear an Article III standing case in the data breach context, leading legal spectators to wonder if the I Tan Tsao decision now presents the high Court with an opportunity to provide such guidance.
Octillo is monitoring developments in this case and other data breach class actions that may provide guidance for future litigation. Our Litigation team has worked on some of the largest data breach and privacy class actions in the country and can help your business develop a litigation strategy that will result in a successful outcome and minimal disruption to your everyday work.
*Attorney advertising. Prior results do not guarantee future outcomes.