Home Civil Law Data Breach Plaintiff Doesn’t Have Standing within the Absence of Fraud or...

Data Breach Plaintiff Doesn’t Have Standing within the Absence of Fraud or Identity Theft-Tsao v. Captiva – Technology & Marketing Law Blog


This is an information breach lawsuit. Plaintiff was a patron of a restaurant (PDQ) that suffered a breach that compromised bank card cost data. The breach occurred as a result of a hacker gained entry to purchaser information by means of “an outside vendor’s remote connection tool.”

Plaintiff made purchases at PDQ utilizing two completely different playing cards (a Wells Fargo Home Rebate card and a Chase Sapphire Reserve card). Both playing cards provided sorts of rewards and one of many two additionally charged a price. Upon studying of the breach, plaintiff cancelled each playing cards.

He filed go well with on behalf of a putative class, arguing that class members had been broken by (1) struggling a threat of identification theft and (2) having to spend their time to mitigate the impression of the breach. The district court docket dismissed the criticism (with out prejudice) for lack of standing. On appeal, the Eleventh Circuit affirms.

Legal Background: The court docket first offers a framework for evaluating standing. It mentions Spokeo after all. As to the query of when future hurt is imminent, it says Clapper v. Amnesty International is instructive. The court docket additionally mentions an Eleventh Circuit case (Muransky v. Godiva Chocolatier) addressing standing under FACTA, a statute that requires receipts to omit sure data from a shopper’s bank card. Muransky was an en banc ruling (a 143 page behemoth) what place the Eleventh Circuit, counting on Clapper, reversed a district court docket’s approval of a FACTA settlement. The plaintiff had claimed that though he was not a sufferer of any identification theft, he was injured as a result of he needed to “destroy or safeguard” his receipts. The court docket rejected this as a supply of Article III standing.

Standing based mostly on Substantial Risk of Identity Theft or Fraud: The circuits are break up on whether or not a threat of hurt on account of an information breach confers standing. The court docket says the circumstances discovering standing from became greater threat of hurt have intertwined some misuse of, or “actual access” to, private information. One case (Pisciotta v. Old National Bancorp) finds standing absent some misuse, however the court docket says it’s an outlier that hasn’t been cited with approval even within the Seventh Circuit. The court docket brushes this case to the aspect. Other circumstances (together with from the Second, Third, Fourth, and Eighth Circuits) have rejected standing based mostly on became greater threat of hurt. An Eighth Circuit ruling rejected a GAO report (GAO-07-737) highlighting the hurt that would move from information breaches that the plaintiffs relied on in arguing standing.

The court docket says three concerns shade its conclusion that there’s no standing:

  • Plaintiff solely made conclusory allegations of the became greater threat—reviews within the press or in any other case outlining “general risks” of identification theft are inadequate.
  • Plaintiffs isn’t capable of level to any allegations that members of the category have suffered any misuse of their information.
  • Third, the plaintiff instantly cancelled his playing cards, “effectively eliminating the risk of credit card fraud in the future.”

Standing based mostly on remedial efforts: The court docket additionally rejects plaintiff’s effort and time spent in canceling his playing cards as conferring standing. The court docket says this damage is self-inflected based mostly on fears of hypothetical future hurt:

The mitigation prices Tsao alleges are inextricably tied to his notion of the particular threat of identification theft following the PDQ information breach. Tsao, by his own admission, voluntarily cancelled his bank cards, and the three sorts of hurt he has recognized flowed from that cancellation. By cancelling his playing cards, he voluntarily forwent the chance to accrue money again or rewards points on these playing cards. By cancelling his playing cards, he voluntarily restricted entry to his most well-liked cost playing cards. And by cancelling his playing cards, he voluntarily frolicked safeguarding his accounts. Tsao can not conjure standing right here by inflicting accidents on himself to keep away from an insubstantial, non-imminent threat of identification theft. To maintain in any other case would permit “an enterprising plaintiff . . . to secure a lower standard for Article III standing simply by making an expenditure based on a nonparanoid fear.” Clapper, 568 U.S. at 416, 133 S. Ct. at 1151. The legislation doesn’t allow such a end result.

A concurring choose says the court docket’s ruling is in step with the Eleventh Circuit in Godiva (the FACTA case) what place he dissented. But makes a plea to the Supreme Court:

Hopefully the Supreme Court will quickly grant certiorari in a case presenting the query of Article III standing in an information breach case.


It’s good to get a recap of what place issues stand and the way muddled they’re post-Spokeo.

The Ninth Circuit not too long ago present in a memorandum opinion that iPhone house owners whose gadgets had been weak to hacking and had been denigrated by Apple’s patches had standing. In re: Apple Processor Litigation, No. 19-16720 (ninth Cir. Dec. 29, 2020) [pdf]. Judge Tashima dissented from this ruling, saying he would discover no standing.

It’s additionally price flagging an fascinating phenomenon referring to standing. Federal court docket is seen as hostile to plaintiffs’ legal professionals. So when legal professionals on the protection aspect take away a case on CAFA grounds, plaintiffs are arguing that they lack Article III standing (and thus the court docket has no jurisdiction and has to remand) and defendants are arguing the other. Techdirt covers the Seventh Circuit’s ruling within the Clearview case what place plaintiffs efficiently persuaded the court docket to allow them to stay in state court docket based mostly on a discovering that plaintiffs lacked Article III standing.

Case quotation: Tsao v. Captiva MVP Restaurant Partners, LLC, 18-14959 (11th Cir. Feb. 4, 2021)

Related posts:

9th Circuit Affirms Rejection of Data Breach Claims Against Gap — Ruiz v. Gap

The [Non]enforceability of Privacy Promises–Pinero v. Jackson Hewitt

Acxiom Not Liable for Security Breach

When Does a Privacy Policy Breach Support a Breach of Contract Claim? In re JetBlue

Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit — Krottner v. Starbucks

In Hannaford Data Breach Case, First Circuit Says Card Replacement and ID Theft Insurance are Reasonable Mitigation Damages and Compensable–Anderson v. Hannaford Bros

Facebook Defeats Lawsuit Over Tracking Logged-Out Users–In re Facebook Internet Tracking

On Remand, Ninth Circuit Says Robins Satisfied Article III Standing

“Manufactured” TCPA Suit Fails For Lack of Standing

Seventh Circuit: Data Breach Victims Have Standing Based on Future Harm

Android and Pandora Privacy Rulings Accept Low Hurdle for Standing

9th Circuit Says Plaintiff Had Standing to Sue Spokeo for Fair Credit Reporting Violations

Court Says Plaintiff Lacks Standing to Pursue Failure-to-Purge Claim Under the VPPA – Sterk v. Best Buy

First Circuit Rejects Data Insecurity Claims on the Basis of Article III Standing–Katz v Pershing

Third Circuit Says Data Breach Plaintiffs Lack Standing Absent Misuse of Data — Reilly v. Ceridian

LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds–Low v. LinkedIn


Please enter your comment!
Please enter your name here