• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to secondary sidebar

Alston & Bird Privacy, Cyber & Data Strategy Blog

  • Home
  • Services
  • Events
  • Contacts

Eleventh Circuit Holds Risk of Future Harm Does Not Establish Article III Standing

February 26, 2021 By Donald Houser and Adrielle Conner

As part of a growing trend, the Eleventh Circuit recently held that an alleged risk of future identity theft does not establish standing where the plaintiff does not allege any information has actually been misused.  Tsao v. Captiva MVP Rest. Partners, LLC, No. 18-14959, 2021 U.S. App. LEXIS 3055 (11th Cir. Feb. 4, 2021).  The decision is a blow to the data breach plaintiffs’ bar, which routinely attempts to rely on third-party reports and other generic allegations concerning a risk of future harm to attempt to establish Article III standing.

The case arose after hackers allegedly gained access to PDQ’s point of sale system in May of 2017.  Cardholder names, credit card numbers, card expiration dates, and CVVs may have been accessed as a result of the alleged breach.  The plaintiff, whose information may have been accessed by the hackers, filed a class action against PDQ alleging claims of breach of implied contract, negligence, unjust enrichment, and violation of the Florida Unfair and Deceptive Trade Practices Act.  The District Court dismissed the complaint for lack of standing.

On appeal, the Eleventh Circuit affirmed.  It rejected the plaintiff’s reliance on third-party reports—a common allegation in data breach complaints—concerning the risk of identity theft, finding that those reports cut against the plaintiff because they established that the risk of identity theft is very low.  Likewise, the Court also found any purported risk to the plaintiff to be low. The Eleventh Circuit seized on the fact that the plaintiff had immediately cancelled his credit cards, which extinguished any risk of fraudulent charges. Also, the absence of specific evidence that any putative class member’s information had been misused cut against finding a substantial risk of future identity theft. Based on the factors above, as well as the plaintiff’s reliance on “vague, conclusory allegations,” the Eleventh Circuit held “some risk … still exists, but that risk is not substantial and is, at best, speculative.”  Id. at *25, 26.

Filed Under: Data Breach Litigation Tagged With: article III standing

About Donald Houser

Donald Houser is a partner in Alston & Bird’s Litigation & Trial Practice Group and represents clients in a variety of industries in complex litigation matters, with a particular focus on privacy and antitrust litigation.

[Read Bio]

About Adrielle Conner

Adrielle Conner is an associate in Alston & Bird’s Litigation & Trial Practice Group. Before joining the firm, Adrielle served as an extern at the Nashville Public Defender’s office for the Education Rights Project.

[Read Bio]

Primary Sidebar

This blog is a service of Alston & Bird’s Privacy, Cyber & Data Strategy team and focuses on key data privacy and data security issues.


Receive email notifications when new posts are added.

Receive email notifications when new posts are added.


THE DIGITAL DOWNLOAD
Click here to see the editions

PRIVACY & CYBER EVENTS
Click here to see upcoming and past events

PRIVACY & CYBER MAILINGS
Click here to sign up

@ALSTONPRIVACY
Click here to follow us on Twitter

Secondary Sidebar

Categories

Recent Posts

  • NYDFS Announces Cybersecurity Settlement, Addresses Multi-Factor Authentication Rules
  • The GDPR Reaches the US Supreme Court in Cert Petition
  • Another Court Dismisses Data Breach Class Action Lawsuit for Lack of Standing
  • NYDFS Reports Major Cybersecurity Settlement
  • Virginia Becomes First State with Comprehensive Privacy Law after CCPA
Copyright © 2021 · Alston & Bird · All Rights Reserved. Privacy.