Standing in a Data Breach Case May Depend on Where a Plaintiff Stands

To sue in federal court, a plaintiff must allege an injury that the court can actually remedy, rather than just issuing an advisory opinion, and a connection between the defendant’s conduct and the actual injury. See First-Year Law School 101. This principle, known as standing, essentially means that a plaintiff has to have an actual and imminent, not theoretical, injury.

Does the fact that a data breach exposed someone’s personal identifiable information (“PII”), without proof that the exposed PII was misused confer standing to sue? It depends. Yes, lawyers love to say this, but in standing cases, it is true. Whether a plaintiff has standing to sue for exposure of his or her PII depends just as much on the jurisdiction in which the plaintiff files as on whether plaintiff alleges his or her data was misused.

The appellate circuit courts are split on whether just the future risk of identity theft resulting from a data breach, and the costs the plaintiff incurs to mitigate the threat of identity theft is a sufficient injury to satisfy standing requirements.

The Sixth, Seventh, Ninth and D.C. Circuits have each found that the future risk of identity theft, even without accompanying misuse of PII, confers standing on a plaintiff to sue the breached company. These courts have focused on the substantial likelihood that hackers who steal PII will use it to commit identity theft. In these courts, plaintiffs do not have to wait to suffer actual identity theft to file suit. It is enough for plaintiffs to have spent time or money to mitigate their risks after learning that their PII was exposed.

In contrast, the Third, Fourth and Eighth Circuits have all reached the opposite conclusion, finding that the time and money a plaintiff spends to protect him or herself against a theoretical or speculative threat of post-exposure identity theft does not create an actual injury for standing.

Last month, the Eleventh Circuit finally weighed in, and widened the circuit chasm by siding with the Third, Fourth and Eighth Circuits. In Tsao v. Captiva MVP Restaurant, Case No. 8:18-cv-01606-WFJ-SPF (February 4, 2021), a restaurant patron filed suit on behalf of a putative class of customers of a restaurant after a data breach exposed patrons’ credit card information. The restaurant’s data breach notice on its website advised customers who visited the restaurant during the relevant time period that the data breach “may have” exposed their personal information. When the plaintiff learned about the breach, he immediately canceled his credit cards. There was no evidence that anyone had stolen or misused his credit card number. Plaintiff sued the restaurant on behalf of a class of customers, alleging, among other claims, negligence and deceptive and unfair conduct under Florida’s Deceptive and Unfair Trade Practices Statute. He sought damages in the form of the loss of the use of his credit card, loss of his credit card rewards points associated with the canceled card, and the time and costs associated with canceling his card and protecting himself against future identity theft.

In its Order affirming the trial court’s dismissal of the lawsuit, the Eleventh Circuit noted that the plaintiff had only made conclusory allegations of the increased risk of data theft, that plaintiff could not identify any instances of misuse of his data, and that plaintiff’s immediate cancellation of his cards eliminated the risk of future credit card fraud. The court also rejected the plaintiff’s claim that his time and effort spent to cancel the credit card was sufficient to confer standing, finding that plaintiff had “inflict[ed] injuries on himself to avoid an insubstantial, non-imminent risk of identity theft.” (emphasis added).

The Tsao opinion may be limited to its own facts. The opinion was not unanimous. The Eleventh Circuit was bound by its precedent in its en banc 2020 opinion in Muransky v. Godiva Chocolatier, Inc., in which the court held that standing cannot be conferred with hypothetical harm that is not “impending.” In his concurring opinion in Tsao, Judge Adalberto Jordan, who wrote the dissenting opinion in Muransky, wrote that he joined the majority in Tsao because of the court’s decision in Muransky, but noted his hope that the United States Supreme Court will grant certiorari soon on a case presenting the question of standing in a data breach.

Even in jurisdictions in which standing for data breach plaintiffs appeared to have otherwise been settled, new issues have arisen. For example, just last week, in Clemens v. Execupharm, Inc., No. 20-cv-3383, the Eastern District of Pennsylvania suggested that not even the misuse of data might suffice to confer standing. Clemens arose out of a ransomware attack on a pharmaceutical company. The plaintiff filed suit after she received notice of the data breach informing from her former employer that she “may be” part of a group of former employees whose PII was stolen. In her filings on standing, the plaintiff argued that the harm to her was actual and imminent, because third parties had stolen her PII, held it for ransom and posted it on the dark web. In other words, plaintiff alleged that the hackers had misused her PII. The plaintiff also alleged that she had invested time, money and effort to protect her information. The court disagreed, finding that, despite her allegations that the hackers posted her information on the dark web, plaintiff would only have suffered actual harm if she could prove that someone had actually downloaded her information from the dark web. Thus, the court reasoned, because the harm was still speculative without that proof, the time, money and effort the plaintiff spent on mitigating her risk was insufficient because the harm was not imminent. Clemens will likely make its way to the Third Circuit, adding to the rapidly growing stack of data breach standing cases.

In the meantime, until the Supreme Court resolves this question with finality, whether a plaintiff can proceed on a data breach claim may continue to depend on where that plaintiff files his or her lawsuit. This makes the Supreme Court’s oral argument in TransUnion, LLC v. Ramirez at the end of this month all the more interesting.