In February, the U.S. Court of Appeals for the Eleventh Circuit (Florida, Georgia, and Alabama) joined five other circuits to hold that the increased risk of identity theft – without alleging actual misuse of personally identifiable information (PII) – is not enough to establish standing in federal courts.
Tsao is the latest Circuit opinion on the data breach standing issue and deepens the existing circuit split. The Supreme Court passed on an opportunity to resolve the split in March 2019, declining to hear Zappos.com v. Stevens out of the Ninth Circuit.
Increased risk of identity theft is not a concrete injury
With Tsao v. Captiva MVP Restaurant Partners, issued on February 5, 2021, the Eleventh Circuit has weighed in on the widening circuit split regarding plaintiffs’ standing requirements in data breach class actions. Six circuits (the First, Second, Third, Fourth, Eighth, and Eleventh Circuits) have now issued opinions holding that the increased risk of identity theft that a consumer faces in the wake of a corporate data breach is not in and of itself a concrete injury. Without a concrete injury, plaintiffs cannot establish Article III standing, which is necessary to bring a case in federal court.
The deciding factor for the Eleventh Circuit was Tsao’s failure to allege that the data breach resulted in any actual misuse of his or the class members’ PII. Instead of misuse (for example, that his credit cards were used by the thief or his identity stolen), Tsao alleged he suffered three injuries: (1) lost opportunity to accrue cash back or rewards points on his credit cards, which he canceled immediately after receiving notice of the data breach; (2) costs associated with the detection and prevention of identity theft, including the time and effort it took for him to cancel and replace his credit cards; and (3) restricted access to his preferred credit cards.
The Eleventh Circuit did not find Tsao’s injuries to be concrete and relied on a recent U.S. Supreme Court holding that plaintiffs “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.” As a result, the Eleventh Circuit affirmed the district court’s dismissal of the case without prejudice.
Standing based upon the increased risk of identity theft
Four circuits (the Sixth, Seventh, Ninth, and D.C. Circuits) have decided the opposite: that a plaintiff can indeed establish standing based upon the increased risk of identity theft.
Even in this line of cases, however, there was at least some allegation of actual misuse or actual access to data in all the cases conferring standing – and the Tsao opinion does an excellent job of pointing this out.
Unlike the lead plaintiff in Tsao, the plaintiffs in this line of cases alleged damage in the form of identity theft, missing tax returns, fraudulent charges, and unauthorized attempts to open new accounts in their names.
*According to the Eleventh Circuit in Tsao, the First Circuit has gone both ways on the issue. One opinion declined to question whether data breach victims had standing to sue (Anderson v. Hannaford Bros., 659 F.3d 151 (1st Cir. 2011)), but a second one drew a distinction between instances where confidential data has actually been accessed and when it might be accessed (Katz v. Pershing, LLC, 672 F.3d 64, 80 (1st Cir. 2012)).
What does the Eleventh Circuit’s holding mean?
The Eleventh Circuit’s holding is helpful because it narrows the circumstances in which a company can be held liable by consumers in the wake of a data breach, particularly in a class-action context. The Court’s holding does not allow consumers to sue a company that suffered a data breach merely because the consumers are at a hypothetical risk that their identity could be stolen.
The benefit of the holding is tempered, however, because it is clear that an enterprising plaintiff or class need only allege misuse of personal information as a result of the data breach to survive a motion to dismiss focused on standing.
Indeed, the Eleventh Circuit reiterates this point near the end of the Tsao opinion and notes: “However, without specific evidence of some misuse of class members’ data, a named plaintiff’s burden to plausibly plead factual allegations sufficient to show that the threatened harm of future identity theft was ‘certainly impending’ – or that there was a ‘substantial risk’ of such harm – will be difficult to meet.”
Adams and Reese’s Privacy, Cybersecurity and Data Management team will continue to monitor developments in this arena.